Image Recognition in User Authentication
Rachna Dhamija
Human Centered Computing Course
December 6, 1999
Problem
Security systems: human factors?
Passwords: multiple long strings
A solution
Replace text with images?
Replace recall with recognition
Portfolio: “Random Art” & real images
Visual Memory
“Vast, almost limitless memory” for pictures [Haber]
Recognition: a fraction of a second to remember & recognize [Intraub, Pavio & Codes]
2560 photos, shown for a few seconds: 90% recognition rate [Standing, Conezio & Haber]
10,000 photos over 2 days: 66% recognized [Standing]
Recall: recall semantics or sketch; “pictures are not only recognized better but are also recalled better than words” [Standing]
Task Analysis
Target population = general computer users: novice/expert users, few passwords/multiple passwords
10 (+20) people interviewed about behavior
10 – 40+ instances vs. 1-7 actual passwords
names, phone numbers, favorite movies, ~6 characters
tools: majority wrote them down, 2 used a PIM
minimum effort, never change them
ability to share is a feature
people hate passwords but prefer them to alternatives
Security: Brute Force Attack

Image portfolios: each entry is the number of possible portfolios, i.e. the number of ways to choose the portfolio out of the selection (rows: portfolio size, columns: selection size in # of images).

Portfolio  Selection Size (# of images)
size       10       20       30       40       50       60       70       80       90       100
1          1.0E+01  2.0E+01  3.0E+01  4.0E+01  5.0E+01  6.0E+01  7.0E+01  8.0E+01  9.0E+01  1.0E+02
2          4.5E+01  1.9E+02  4.4E+02  7.8E+02  1.2E+03  1.8E+03  2.4E+03  3.2E+03  4.0E+03  5.0E+03
3          1.2E+02  1.1E+03  4.1E+03  9.9E+03  2.0E+04  3.4E+04  5.5E+04  8.2E+04  1.2E+05  1.6E+05
4          2.1E+02  4.8E+03  2.7E+04  9.1E+04  2.3E+05  4.9E+05  9.2E+05  1.6E+06  2.6E+06  3.9E+06
5          2.5E+02  1.6E+04  1.4E+05  6.6E+05  2.1E+06  5.5E+06  1.2E+07  2.4E+07  4.4E+07  7.5E+07
6          2.1E+02  3.9E+04  5.9E+05  3.8E+06  1.6E+07  5.0E+07  1.3E+08  3.0E+08  6.2E+08  1.2E+09
7          1.2E+02  7.8E+04  2.0E+06  1.9E+07  1.0E+08  3.9E+08  1.2E+09  3.2E+09  7.5E+09  1.6E+10
8          4.5E+01  1.3E+05  5.9E+06  7.7E+07  5.4E+08  2.6E+09  9.4E+09  2.9E+10  7.8E+10  1.9E+11
9          1.0E+01  1.7E+05  1.4E+07  2.7E+08  2.5E+09  1.5E+10  6.5E+10  2.3E+11  7.1E+11  1.9E+12
10         1.0E+00  1.8E+05  3.0E+07  8.5E+08  1.0E+10  7.5E+10  4.0E+11  1.6E+12  5.7E+12  1.7E+13

Text passwords: each entry is the number of possible passwords, (character set size) raised to the password length (rows: password length, columns: character set size).

Password  Character Set
length    10       26       36       52       62       96
4         1.0E+04  4.6E+05  1.7E+06  7.3E+06  1.5E+07  8.5E+07
5         1.0E+05  1.2E+07  6.0E+07  3.8E+08  9.2E+08  8.2E+09
6         1.0E+06  3.1E+08  2.2E+09  2.0E+10  5.7E+10  7.8E+11
7         1.0E+07  8.0E+09  7.8E+10  1.0E+12  3.5E+12  7.5E+13
8         1.0E+08  2.1E+11  2.8E+12  5.3E+13  2.2E+14  7.2E+15
9         1.0E+09  5.4E+12  1.0E+14  2.8E+15  1.4E+16  6.9E+17
10        1.0E+10  1.4E+14  3.7E+15  1.4E+17  8.4E+17  6.6E+19
4-digit PIN = 5 out of 20 images
6-char password = 10 out of 55 images
BUT most passwords require < brute force!
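An added example (not code from the talk; function names are my own) that reproduces the sizing behind the tables above: the portfolio space is "choose k of n" and the text space is charset^length, plus a helper that finds the smallest selection size matching a given text password space.

```python
# Added example: sizing the brute-force search space of an image-portfolio
# login against a fixed-length text password. Not code from the talk;
# the function names are my own.
from math import comb


def portfolio_space(selection_size: int, portfolio_size: int) -> int:
    """Distinct portfolios when a user picks k of n images, order ignored: C(n, k)."""
    return comb(selection_size, portfolio_size)


def text_space(charset_size: int, length: int) -> int:
    """Distinct text passwords of exactly `length` symbols over a character set."""
    return charset_size ** length


def equivalent_selection_size(portfolio_size: int, target_space: int) -> int:
    """Smallest n such that C(n, k) is at least target_space.

    Answers the slide's sizing question: how many images must be shown at
    login so that a k-image portfolio is no easier to brute-force than a
    given text password.
    """
    n = portfolio_size
    while comb(n, portfolio_size) < target_space:
        n += 1
    return n


def slide_cell(n: int, k: int) -> str:
    """One entry of the slide's portfolio table, in its one-digit E notation."""
    return f"{comb(n, k):.1E}"


def brute_force_table(selection_sizes, portfolio_sizes) -> dict:
    """Rebuild the portfolio table as {(n, k): C(n, k)} for cross-checking."""
    return {(n, k): comb(n, k) for n in selection_sizes for k in portfolio_sizes}


if __name__ == "__main__":
    # The two equivalences quoted on the slide (62-char set assumed for the password).
    print("4-digit PIN:", text_space(10, 4), "vs 5 of 20 images:", portfolio_space(20, 5))
    print("6-char pwd :", text_space(62, 6), "vs 10 of 55 images:", portfolio_space(55, 10))
    # Minimum n for which a 5-image portfolio matches a 4-digit PIN.
    print("min n, k=5 vs 10^4:", equivalent_selection_size(5, 10 ** 4))
    for n in range(10, 101, 10):
        print(n, " ".join(slide_cell(n, k) for k in range(1, 11)))
```

The slide's "20 images" is a round-number choice: the helper shows 19 already exceeds the 10,000 PINs, and 10 of 55 lands between a 6-char password over 52 and over 62 characters.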
Security Analysis (cont)
Benefits: images easier to remember, fewer errors, change more frequently, good for infrequently used passwords?
Images, esp. Random Art, are hard to describe
Vulnerabilities: “shoulder surfing” attack, “intersection” attack
Lo-fi Prototype
Task: create portfolio & login
People can remember images! (4-10)
Photos/art: 50/50 preference & time
Wanted to view portfolio during creation
Must be simple and fast (no click-through screens)
Horizontal layout for quick scanning
Experiment Design
Create 4 “passwords”: PIN (4 digits), Password (6 char.), Art portfolio (5/100), Photo portfolio (5/100)
Login: PIN, Password, Art (5/25), Photo (5/25)
Task order: 50% did Art first; image order
Repeat login after 1 week!
Test Measures: Task Completion Time (20 users, same day)
[Bar chart: Time (seconds), 0-80, for the tasks create and login; series PIN, Pass, Art, Photo]
Does not include uncompleted tasks
Number and Severity of Errors (20 users, same day)
sev1: minor; sev2: major, recoverable; sev3: major, unrecoverable
[Bar chart: Number of Errors, 0-5, by Severity 1, 2, 3; series PIN, Pass, Art, Photo]
No unrecoverable errors made with portfolios
More Results
Comfort level: create portfolio - @#$%; login portfolio - wow
Text vs. images: passwords/PINs faster to create/log on; photos easier to remember than PINs (short term)
Art vs. photos: photos easier to remember (schemes, more personal); people chose similar photos, but not art
Interface issues: scrolling is bad; one screen, thumbnails, single-click
Lack of feedback: # picked so far, which picked?? how to give feedback securely?
Changes to next version
show # selected (e.g. “1 image selected”)
hide selected images
smaller images
Conclusions
Potential for use where text input is hard, limited observation (e.g., ATM, PDA)
infrequent, high availability passwords
Future Directions
Self-created images: authenticate by recreating or recognizing
Random Art + Text
Sharing & collaboration
Other human abilities?
References
J. P. Houston. Fundamentals of Learning and Memory. 4th ed. Florida: Harcourt Brace Jovanovich, 1991.
Ralph Norman Haber. How we remember what we see. Scientific American, 222(5):104-112, May 1970.
Lionel Standing. Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, 25:207-222, 1973.
Lionel Standing, Jerry Conezio, and Ralph Norman Haber. Perception and memory for pictures: Single-trial learning of 2500 visual stimuli. Psychonomic Science, 19(2):73-74, 1970.
Helene Intraub. Presentation rate and the representation of briefly glimpsed pictures in memory. Journal of Experimental Psychology: Human Learning and Memory, 6(1):1-12, 1980.
Adrian Perrig and Dawn Song. Hash Visualization: A New Technique to Improve Real-World Security. In Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99), 1999.