Posted on 31-Mar-2015
Secure Web Authentication With Mobile Phones
Min Wu, Simson Garfinkel, Robert Miller
MIT Computer Science and Artificial Intelligence Lab
Problem to Be Solved
• People increasingly rely on public computers to do business over the Internet
• But passwords can be captured by the computer and later reused by a hostile party
  – 2002: key logger at 14 NYC Kinko's captured 450 usernames and passwords
  – 2003: key logger on more than 100 campus computers at Boston College
  – 2003: £6,300 stolen from a bank account after it was accessed at a public terminal
Our Approach
[Diagram 1: User, Internet Kiosk (possibly hostile), Security Proxy (trusted), Remote Service; the PASSWORD is what reaches the Remote Service]
[Diagram 2: User, Internet Kiosk (possibly hostile), Mobile Phone (trusted), Security Proxy (trusted) holding a Secure Cookie Jar, Remote Service; the PASSWORD is kept in the cookie jar and reaches the Remote Service from the proxy]
Authentication Protocol
Participants: User, Internet Kiosk (possibly hostile), Mobile Phone (trusted), Security Proxy (trusted), Remote Service
1. Kiosk to proxy: "I am Alice"
2. Proxy to kiosk: Your current authentication session is "FAITH"
   Proxy to phone: Session "FAITH" is waiting for approval
3. Phone to proxy: Approve session "FAITH" (the user checks it against the "FAITH" shown in the browser)
4. Proxy to Remote Service: Username, Password
Authentication Protocol (Dealing with Fraud)
Participants: User, Internet Kiosk (possibly hostile), Mobile Phone (trusted), Security Proxy (trusted)
The browser shows "FAITH", but the phone reports: Session "PSYCH" is waiting for approval
Phone to proxy: Lock my account until further notice
Two Mobile Phone Interfaces for Authentication
Check and Approve (phone menu):
  Session: FAITH
  1 [Approve it]  2 [Cancel it]  3 [Lock Account]
  Submit  Cancel
Choose and Approve (phone menu):
  Choose the same session name as shown in the browser
  1 [None of them]  2 [COURTESY]  3 [INHERITS]  4 [FAITH]  5 [OBJECT]
  Submit  Cancel
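The session-name protocol and the Choose and Approve menu above, modelled as an added example (this is not code from the authors or the deck): a toy Security Proxy in Python that hands each kiosk a session name, builds the phone menu from the user's pending sessions plus decoy names, releases the cookie-jar credentials only for the name the user picks, and replays the study's duplicated attack against it. The word list, the cookie-jar contents and the handling of a wrong choice are assumptions.

```python
import secrets

WORDS = ["COURTESY", "INHERITS", "FAITH", "OBJECT", "PSYCH", "SWEARS", "TRAINEE", "KIOSK"]  # constructed dictionary

class SecurityProxy:
    def __init__(self, cookie_jar):
        self.cookie_jar = cookie_jar  # Secure Cookie Jar: user -> remote-service credentials
        self.pending = {}             # session name -> user; sessions waiting for approval
        self.approved = {}            # session name -> credentials the proxy logged in with
        self.locked = set()

    def start_session(self, user, rng=secrets):
        """Kiosk says 'I am <user>'; the proxy answers with a fresh session name shown in the browser."""
        if user in self.locked:
            raise PermissionError(f"{user}: account locked")
        name = rng.choice([w for w in WORDS if w not in self.pending])
        self.pending[name] = user
        return name

    def phone_menu(self, user, decoys=3):
        """Choose and Approve: every session pending for this user, padded with decoy names."""
        real = [s for s, u in self.pending.items() if u == user]
        free = [w for w in WORDS if w not in self.pending]
        return ["None of them"] + sorted(real + free[:decoys])

    def choose(self, user, choice):
        """Phone reply: only the name the user's own browser shows may be approved; 'None of them'
        (nothing matches, or nothing displayed yet) cancels this user's pending sessions."""
        if choice != "None of them" and self.pending.get(choice) == user:
            del self.pending[choice]
            self.approved[choice] = self.cookie_jar[user]  # proxy logs in to the remote service
            return choice
        self._cancel_all(user)  # assumption: a decoy or foreign name is treated like "None of them"
        return None

    def lock_account(self, user):  # phone option "Lock Account" / "Lock my account until further notice"
        self._cancel_all(user)
        self.locked.add(user)

    def _cancel_all(self, user):
        self.pending = {s: u for s, u in self.pending.items() if u != user}

def duplicated_attack_demo(rng=secrets):
    """Attacker at another kiosk also claims 'I am alice' while Alice is logging in (duplicated attack)."""
    proxy = SecurityProxy({"alice": ("alice", "pw-alice")})
    alice = proxy.start_session("alice", rng)     # Alice's browser shows this name
    attacker = proxy.start_session("alice", rng)  # attacker's kiosk shows a different one
    proxy.choose("alice", alice)                  # Alice picks exactly what her browser shows
    return alice in proxy.approved, attacker in proxy.approved, attacker in proxy.pending
```

The attacker's session stays unapproved only because Alice matches the phone menu against her browser; choosing "PSYCH" would hand the credentials to the attacker's kiosk, which is exactly the failure the Check and Approve study measured.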
User Study
• How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions?
  – One-time password sent to mobile phone (RSA Mobile, Fujitsu)
Four Login Techniques
• One-time password approach
  – Type Random Code: "1234-5678"
  – Type Random Phrase: "swears trainee"
• Proxy-side spelling checker (Ispell)
• Our approach
  – Check and Approve
  – Choose and Approve
Method
• Controlled experiment in the lab
  – Logged in to Amazon.com using an account set up by us, with a personal computer and a mobile phone provided by us
  – 6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized
Simulated Attacks
• Will a user blindly approve sessions without looking at the session name?
• Users were told that they were going to be spoofed by our simulated attacks
  – Unknown attack: the phone reports "PSYCH" is waiting for approval
  – Duplicated attack: the phone reports "PSYCH" while the browser shows "FAITH"
  – Blocking attack: the phone reports "PSYCH" is waiting for approval while the browser has not yet displayed a session name ("? ? ?")
Ease of Use
[Chart: mean rating per login technique, 1 = very hard to use, 5 = very easy to use]
  Type Random Code:    3.55
  Type Random Phrase:  3.55
  Check and Approve:   4.45
  Choose and Approve:  4.20
Single-factor ANOVA with P = 0.01
Error Rates
• Login by Check and Approve was easily spoofed
  – Duplicated attack: 4 successful out of 11 attacks
    • "There must be a bug in the proxy since the session name displayed in the computer does not match the one in the mobile phone."
  – Blocking attack: 2 out of 9
    • "The network connection must be really slow since the session name has not been displayed."
  – Unknown attack: 1 out of 33
• Choose and Approve has zero error rate
Future Work
• Field study
• Not only the password but any confidential information should avoid touching the hostile host
Conclusion
• By asking the user to choose and approve the correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use
• Flexible solution to web authentication
  – Good backup to password login