Session: "Passwords and Authentication"

Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication

Paper URL: http://dl.acm.org/citation.cfm?doid=3025453.3025461

Paper abstract: PINs and patterns remain among the most widely used knowledge-based authentication schemes. As thermal cameras become ubiquitous and affordable, we foresee a new form of threat to user privacy on mobile devices. Thermal cameras allow performing thermal attacks, where heat traces, resulting from authentication, can be used to reconstruct passwords. In this work we investigate in detail the viability of exploiting thermal imaging to infer PINs and patterns on mobile devices. We present a study (N=18) where we evaluated how properties of PINs and patterns influence their thermal attack resistance. We found that thermal attacks are indeed viable on mobile devices; overlapping patterns significantly decrease the successful thermal attack rate from 100% to 16.67%, while PINs remain vulnerable (>72% success rate) even with duplicate digits. We conclude with recommendations for users and designers of authentication schemes on how to resist thermal attacks.

Summary:

Proposed and investigated an automated method that uses a thermal camera to read PINs and pattern locks from the heat traces left on a smartphone after authentication. PINs could be guessed with 78% accuracy even 30 seconds after authentication, whereas the accuracy for pattern locks varied with the pattern.

Thumprint: Socially-Inclusive Local Group Authentication Through Shared Secret Knocks

Paper URL: http://dl.acm.org/citation.cfm?doid=3025453.3025991

Paper abstract: Small, local groups who share protected resources (e.g., families, work teams, student organizations) have unmet authentication needs. For these groups, existing authentication strategies either create unnecessary social divisions (e.g., biometrics), do not identify individuals (e.g., shared passwords), do not equitably distribute security responsibility (e.g., individual passwords), or make it difficult to share or revoke access (e.g., physical keys). To explore an alternative, we designed Thumprint: inclusive group authentication with a shared secret knock. All group members share one secret knock, but individual expressions of the secret are discernible. We evaluated the usability and security of our concept through two user studies with 30 participants. Our results suggest that (1) individuals who enter the same shared thumprint are distinguishable from one another, (2) people can enter thumprints consistently over time, and (3) thumprints are resilient to casual adversaries.

Summary:

Aimed to develop an authentication method in which a group shares a secret, yet individuals can still be identified even when they enter the same secret. The group shares a knock pattern, and each member is identified from the characteristics of how they perform it. A study of feasibility and security found the approach to be practical.

Design and Evaluation of a Data-Driven Password Meter

Paper URL: http://dl.acm.org/citation.cfm?doid=3025453.3026050

Paper abstract: Despite their ubiquity, many password meters provide inaccurate strength estimates. Furthermore, they do not explain to users what is wrong with their password or how to improve it. We describe the development and evaluation of a data-driven password meter that provides accurate strength measurement and actionable, detailed feedback to users. This meter combines neural networks and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about the user's password. We describe the meter's iterative development and final design. We detail the security and usability impact of the meter's design dimensions, examined through a 4,509-participant online study. Under the more common password-composition policy we tested, we found that the data-driven meter with detailed feedback led users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator.

Summary:

Developed a password meter that scores passwords using neural networks and other techniques. Investigated whether security and usability change depending on the kind of feedback shown to users, and showed that detailed feedback in addition to a strength bar is better.

Can Unicorns Help Users Compare Crypto Key Fingerprints?

Paper URL: http://dl.acm.org/citation.cfm?doid=3025453.3025733

Paper abstract: Many authentication schemes ask users to manually compare compact representations of cryptographic keys, known as fingerprints. If the fingerprints do not match, that may signal a man-in-the-middle attack. An adversary performing an attack may use a fingerprint that is similar to the target fingerprint, but not an exact match, to try to fool inattentive users. Fingerprint representations should thus be both usable and secure. We tested the usability and security of eight fingerprint representations under different configurations. In a 661-participant between-subjects experiment, participants compared fingerprints under realistic conditions and were subjected to a simulated attack. The best configuration allowed attacks to succeed 6% of the time; the worst, 72%. We find that the seemingly effective compare-and-select approach performs poorly for key fingerprints and that graphical fingerprint representations, while intuitive and fast, vary in performance. We identify some fingerprint representations as particularly promising.

Summary:

Varied the type of cryptographic key fingerprint, the comparison method, and the way it is displayed, and investigated the usability and security of each. Showed that, as a result, simply comparing hexadecimal fingerprints was the most useful.