Chapter 7: Case Study

Question 1

What are the problems with passwords?

Answer 1

Security problems: physhing, social engineering, spyware

Poor usability: memorize, type, complex policies

Question 2

Why are passwords still dominant if they have so many problems?

Answer 2

• laziness

- Failure of research on convincingly better alternatives

Question 3

Are biometrics an alternative?

Answer 3

• Who you are provides you the key

- But low accuracy and new attacks (using the fingerprint of a sleeping person)

Question 4

What are the alternatives to passwords?

Answer 4

Something you…

Are: Easy to use but lower security (fingerprint, face)

Know: Password / Questions

Have: low usability but higher security (USB key, Smart Card)

Question 5

Improvements to passwords (federated AuthN) Single Sign On

Answer 5

+ better usability for user
+ Complexity and cost reduction (Economies of scale) for Service provider and identity provider

User authenticate only once and gain access to many services

But: we still need to manage multiple passwords/credentials

Question 6

Improvements to passwords: Password Managers

Answer 6

A software app that aids users in creating, storing & organizing passwords

Components:

• local database
• browser plugins
• cloud server storage
• master key

Question 7

What are the functions of a password manager?

Answer 7

• Generate secure passwords
• Password strength meter
• Password storage
• Automatic fill-in

Question 8

What is the best alternative to passwords?

Answer 8

• It depends on the context

Scenario 1:
Location: Home
application: low risk
Beacons: familiar device
-> all authentication mechanisms are ok

Scenario 2:
Location: Public place
Application: Sensitive
–> use a combination of secure mechanisms

Question 9

What is the definition of adaptive authentication?

Answer 9

• intelligent system selects best mechanism dynamically, depending on the context

Question 10

Does adaptive authentication complement PM / Federated AuthN or is it an alternative?

Answer 10

• It complements the federation standards
  1. Mile use adaptive authN
  2. Mile Federation Standards

Question 11

Explain the adaptive authentication concept PICO

Answer 11

Goal: No passwords
Proposal: HW token (Pico)
- addresses all types of PIN/password
- Scales to thousands of passwords
- Allow continuous authentication

Question 12

How is PICO designed?

Answer 12

• 2 buttons (pairing and login)
• display / camera (implemented via smartphone)
• Database with all user credentials

Question 13

What are the states of PICO?

Answer 13

• Imprintable
• Unlocked
• Locked

Question 14

Explain the concept of progressive authentication

Answer 14

Scope: User to apps
Authenticators: Multifactor (face, voice, proximity, placement, PIN)
Context: Battery

Question 15

Explain the CASA concept

Answer 15

• Context-Aware Scalable Authentication
• Choose authentication mechanism {PIN, Password} based on contextual factors: Location {Home, Work, Other}
• > User spent most of the time at home/work (safe places)
• > 60% of logins occur in safe places

Question 16

Explain the CYOA (Choose your own authentication) concept

Answer 16

Scope: User to web app
Authenticators: password, persuasive cued passwords, object pass tiles, persuasive cued clickpoints
Context: Security & usability

Question 17

Explain the CORMORANT concept

Answer 17

Scope: User to device
Authenticators: face, gait
Context: proximity to other user devices

Question 18

Explain the commercial Product Google Smartlock

Answer 18

• Unlock Smartphone in presence of other user devices (smart watch)
• Passwords are remembered for websites and apps
• Laptop is unlocked in presence of users unlocked smartphone

Question 19

What are the common challenges with adaptive authentication?

Answer 19

key problems -> ad-hoc designs

• Hard to extend / re-configure
• Difficult to reproduce, to compare
• Once deployed become static, costly for companies to change

Question 20

How to design more comprehensive, versatile & flexible Adaptive Authentication systems?

Answer 20

• Follow Adaptive Systems modelling principles (autonomous driving)
• Generic reference architecture & implementation

Question 21

How to make adaptive authentication more flexible ?

Answer 21

Develop a flexible and easy to reconfigure system for: authenticators, contexts, and selection algorithms that selects the authenticators

• Use standard protocol for the sensors and effectors
• Use Standard Interface for authenticators and context

Question 22

Which research questions are still open in the area of adaptive authentication?

Answer 22

• incorporate new authenticators
• Integrate Integrate with applications
• incorporate context and selection algorithms in the planner (reports usability & security)