Identity management: strengthening one-time password authentication through usability

Usability in HCI (Human-Computer Interaction) is normally understood as the simplicity and clarity with which the interaction with a computer program or a web site is designed. Identity management systems need to provide adequate usability and should have a simple and intuitive interface. A system must not only be designed to satisfy service provider requirements but also has to consider user requirements; otherwise users will find managing their identities inconvenient and the system will have poor usability. Where usability and the user interface are poor with regard to security, it is highly likely that the system will have poor security as well. The rapid growth in the number of online services leads to an increasing number of different digital identities that each user needs to manage. As a result, many people feel overloaded with credentials, which in turn negatively impacts their ability to manage them securely. Passwords are perhaps the most common type of credential used today. To avoid the tedious task of remembering difficult passwords, users often behave less securely by choosing weak, low-entropy passwords. Weak passwords and bad password habits represent security threats to online services. Some solutions have been developed to eliminate the need for users to create and manage passwords. A typical solution is based on generating one-time passwords, i.e. passwords valid for a single session or transaction. Unfortunately, most of these solutions do not satisfy scalability and/or usability requirements, or they are simply insecure. In this thesis, the security and usability aspects of contemporary methods for authentication based on one-time passwords (OTP) are examined and analyzed. In addition, more scalable solutions that provide a good user experience while at the same time preserving strong security are proposed.
