The quest to replace passwords

Evangelos Markatos

Based on a paper by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano


What is the problem

• Passwords have been around for too long
– Originally developed for time-sharing systems
– 10-100 users, no Internet

• We need to replace them
• Why?
– Easy to break (most common password: 12345678)
– Difficult to remember
• esp. if you have several of them
– Easy to lose (e.g. to phishing)


What to do?

• Replace passwords
• With what?
– Biometrics (fingerprints)
• Iris scanners, fingerprint scanners
– Graphical passwords
• If you cannot say it, draw it
– Cognitive passwords
– Point-and-click passwords
– One-time passwords (OTPs)
• Electronic OTPs, paper copies, etc.


A survey

• This paper is a survey
– Surveys the main categories of password alternatives
– Explains
• Advantages
• Disadvantages
– Compares them
– Along three dimensions:
• Usability
• Deployability
• Security


Usability

• Do you need to remember something?
• Scalable?
– What if you have 10's - 100's of accounts?
• Do you need to carry anything?
• Easy to learn?
• Efficient to use?
• What happens if it is lost?


Deployability

• What is the cost per user?
• Is it compatible
– with current servers?
– with current browsers?
• Is it mature?
• Is it proprietary?


Security

• What if the attacker is looking over your shoulder?
• Is it resilient to random guessing?
– Throttled (the server limits the number of attempts)
– Unthrottled (e.g. offline guessing against a leaked hash database)
• Resilient to internal observation?
– Keyboard loggers?
• Resilient to leaks from other servers?
• Resilient to phishing?


Encrypted password managers: Mozilla Firefox

• What is it?
• Firefox offers to remember all your passwords
– One-time overhead to set it up
– Never type a password again!
• Firefox remembers it
– What if I have two devices?
• Firefox can sync everything in the cloud
– What if I access the web from an Internet café?
• Do I want to sync all my passwords to the café's browser?


Single sign-on!

• Use one password to log in everywhere
• Single sign-on (SSO)
• Great idea!
• Is it easier than passwords?
– Yes
• Easier deployment as well!
• Is it safer than passwords?
– Not really...
– See next paper as well


Graphical passwords

• People are better at remembering images
– Rather than words!
• Draw your password!
• Well, actually
– Draw lines, or
– Choose points in an image
• Sounds simple...
• What if you have lots of passwords?
– Lots of drawings...


Cognitive authentication

• Do not send your password to the server
• What?
• Just prove to the server that you know it
• Why?
– A phisher who captures the exchange does not learn the password
– A man-in-the-middle who intercepts the exchange does not learn the password


Cognitive authentication II

• How do you prove that you know the password?
• Say that the password is 10, 33, 52, 74
• The server sends you a vector v[0:100]
• You reply with the contents of
– v[10], v[33], v[52], v[74]
• Each time you want to log in you get a different vector
• Each time you reply with different numbers
– But always the contents of v[10], v[33], v[52], v[74]
• Example:
– If v[i] == i, you send 10, 33, 52, 74
– If v[i] == i+1, you send 11, 34, 53, 75


Cognitive authentication III

• Resistant to monitoring
– No password is being sent
– Each time a different "proof" of password knowledge is being sent
• Resistant to guessing?
– Not really
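The challenge-response scheme of the two cognitive-authentication slides, written out as an added example (this is editor-supplied illustration code, not the paper's or the presenter's). It keeps the slide's parameters (a 100-cell vector, secret positions 10, 33, 52, 74) and adds one assumption the slide leaves open: each cell holds a small value from an alphabet of 4 symbols, so that a single answer does not name the positions outright. It shows the honest exchange from both sides, the blind-guessing odds behind the slide's "Not really", and a passive eavesdropper who intersects candidate positions across observed logins. It also reproduces the slide's own v[i] == i+1 challenge, where all cells are distinct and one observed answer already pins the secret down, which is why a real scheme must use repeated values.

```python
import random

N = 100                     # challenge vector v[0:100], as on the slide
SECRET = (10, 33, 52, 74)   # the slide's example: the positions the user memorises
ALPHABET = 4                # values per cell (assumption: the slide does not fix this)


def make_challenge(rng):
    """Server side: a fresh random vector for every login attempt."""
    return [rng.randrange(ALPHABET) for _ in range(N)]


def respond(v, secret=SECRET):
    """Client side: answer with the cells at the secret positions.
    The positions themselves never cross the wire."""
    return tuple(v[i] for i in secret)


def verify(v, response, secret=SECRET):
    """Server side: recompute the expected answer from its copy of the secret."""
    return tuple(response) == respond(v, secret)


def guess_success_probability():
    """Chance that a blind guess at the 4-cell answer passes a single login."""
    return 1 / ALPHABET ** len(SECRET)


def intersect_candidates(transcripts):
    """Eavesdropper: for each secret position keep only the indices whose cell
    matched the observed answer in every recorded (challenge, response) pair."""
    cands = [set(range(N)) for _ in SECRET]
    for v, r in transcripts:
        for k, rk in enumerate(r):
            cands[k] &= {i for i, x in enumerate(v) if x == rk}
    return cands


def recover_secret(transcripts):
    """Return the secret once every position has exactly one candidate left, else None."""
    cands = intersect_candidates(transcripts)
    if all(len(c) == 1 for c in cands):
        return tuple(next(iter(c)) for c in cands)
    return None


def simulate(n_sessions, seed=1):
    """Run n honest logins and record what a passive observer would see."""
    rng = random.Random(seed)
    transcripts = []
    for _ in range(n_sessions):
        v = make_challenge(rng)
        r = respond(v)
        assert verify(v, r)          # the honest user always passes
        transcripts.append((v, r))
    return transcripts


def slide_example():
    """The slide's own challenge v[i] == i+1: all cells distinct, so the single
    observed answer (11, 34, 53, 75) reveals the positions immediately."""
    v = [i + 1 for i in range(N)]
    r = respond(v)
    return r, recover_secret([(v, r)])


if __name__ == "__main__":
    print("blind guess succeeds with probability", guess_success_probability())
    print("slide's distinct-value challenge leaks:", slide_example())
    for n in (1, 4, 8, 16):
        print(n, "observed logins ->", recover_secret(simulate(n)))
```

With 4 secret cells over a 4-symbol alphabet a blind guess passes one login in 256, which is far weaker than a throttled password check, and the intersection attack shrinks each position's candidate set by a factor of about 4 per observed login, so a handful of shoulder-surfed or logged sessions recovers the secret. "No password is sent" therefore protects against a one-off phish but not against repeated observation.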


Paper Token

• Write (one-time) passwords on a piece of paper
– The server asks for the password
– And something written on the paper
– (something you know and something you have)
• Difficult to deploy
– Need to send the papers to users
• What if you have many accounts?
• What if someone steals/copies the paper?


Hardware tokens

• OTPs
– One-time passwords
• Little devices
– Press a button
– Get an OTP
• The server asks for
– The regular password
– The OTP
– (something you know and something you have)
• In 2011 seed data for RSA SecurID tokens was stolen in a breach
– The affected tokens had to be replaced
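How a button-press OTP token and its server stay in step, as an added example (editor-supplied, not from the paper or the slides). It uses HOTP from RFC 4226 as a standardized stand-in; the RSA SecurID tokens the slide refers to use a different, proprietary algorithm, but the point is the same: the token and the server share a seed, the token derives each code from the seed and a counter, and the server recomputes it. The seed below is the RFC's own test-vector seed, so the first ten codes can be checked against the RFC. The look-ahead window of 5 and the replay handling are design choices of this example.

```python
import hmac
import hashlib
import struct

# RFC 4226 reference seed, used by the RFC's own test vectors (20 ASCII bytes).
RFC4226_SEED = b"12345678901234567890"


def hotp(seed, counter, digits=6):
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation (RFC 4226 section 5.3), then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(seed, stored_counter, submitted, window=5):
    """Server side: accept a code for any counter in [stored, stored+window)
    to tolerate button presses that never reached the server. On success return
    the new counter (one past the match) so the same code cannot be replayed;
    on failure return None. The comparison is constant-time."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return c + 1
    return None


def codes_from_seed(seed, start, count):
    """What anyone holding the seed can compute: the token's next `count` codes.
    This is why stolen seed data meant the tokens themselves had to be replaced."""
    return [hotp(seed, c) for c in range(start, start + count)]


if __name__ == "__main__":
    print(codes_from_seed(RFC4226_SEED, 0, 10))
    counter = 0
    code = hotp(RFC4226_SEED, counter)      # user presses the button
    counter = verify_hotp(RFC4226_SEED, counter, code)
    print("accepted, server counter now", counter)
    print("replay of the same code:", verify_hotp(RFC4226_SEED, counter, code))
```

The server must persist the advanced counter after every successful login: if it does not, the code just used stays valid and the "one-time" property is lost. Note too that the "something you have" is only as secret as the seed database on the server side; an attacker who copies the seeds has, in effect, a copy of every token.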


Biometrics

• Fingerprint scanners
• Iris scanners
• Great!
• Fingerprint scanners
– Can be spoofed
– Fingerprints can be lifted from glass surfaces
• Costly ($$$)
– Fingerprint readers have a cost


Mobile phone based

• Use two devices to authenticate
– the computer (as usual)
– the mobile phone
• Flow chart:
– User selects site on mobile phone
– Mobile phone talks to the web browser on the computer
– Mobile phone authenticates with the bank
– The browser authenticates with the bank
• The attacker
– Needs both the password and the mobile phone


Mobile phone based II

• Security
– Good, unless there is malware on both the phone and the computer...
• Deployability
• Usability
– Can be used for a subset of sites
• E.g. banks


What if the computer is compromised?

• What if you use a public terminal?
– Would you give it your password?
– Could keyboard loggers steal it?
• Solution:
– SSO + paper OTP + proxy
• There is a proxy between the client and the server
– The proxy has all passwords
– The proxy gives the user a set of OTPs
– The OTPs are on a piece of paper that the user has


What if the computer is compromised? II

• Flowchart
– The user asks the proxy to authenticate her to a web server
– The proxy asks for the OTP
– The proxy authenticates the user to the web server
• + it works
• - deployment...


Conclusion

• No method is perfect
• No method is clearly better than passwords
– Along all three dimensions
• Several methods complement/strengthen passwords
• Passwords may be around for a few more years...