-
Gutmann, A., Renaud, K., Maguire, J., Mayer, P., Volkamer, M., Matsuura, K. and Müller-Quade, J. "ZeTA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology" To appear In Proceedings of the 1st IEEE European Symposium on Security and Privacy, (Saarbrücken, Germany, 2016), IEEE.
Acceptance rate: 17.6% / Abstract / PDF
-
Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage.
The contributions of this paper are:
- we propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels.
-
we outline a security analysis to assess the envisaged performance of the proposed authentication protocol.
- we report on a usability study that explores the viability of relying on human computation in this context.
- Maguire, J. and Renaud, K. "Alternative Authentication in the Wild" In Proceedings of the 5th Annual Workshop on Socio-Technical Aspects in Security and Trust, co-located with the 28th IEEE Computer Security Foundations Symposium, (Verona, Italy, 2015), IEEE, pp.32-39.
Abstract / PDF
-
Alphanumeric authentication routinely fails to regulate access to resources with the required stringency, primarily due to usability issues. Initial deployment did not reveal the problems of passwords, deep and profound flaws only emerged once passwords were deployed in the wild. The need for a replacement is widely acknowledged yet despite over a decade of research into knowledge-based alternatives, few, if any, have been adopted by industry. Alternatives are unconvincing for three primary reasons. The first is that alternatives are rarely investigated beyond the initial proposal, with only the results from a constrained lab test provided to convince adopters of their viability. The second is that alternatives are seldom tested realistically where the authenticator mediates access to something of value. The third is that the testing rarely varies the device or context beyond that initially targeted. In the modern world different devices are used across a variety of contexts. What works well in one context may easily fail in another. Consequently, the contribution of this paper is an "in the wild" evaluation of an alternative authentication mechanism that had demonstrated promise in its lab evaluation. In the field test the mechanism was deployed to actual users to regulate access to an application in a context beyond that initially proposed. The performance of the mechanism is reported and discussed. We conclude by reflecting on the value of field evaluations of alternative authentication mechanisms.
The contributions of this paper are:
-
we report on a field investigation of a previously proposed alternative authentication mechanism.
-
we highlight aspects related to the design and methodological considerations that need to be considered in carrying out a field investigation of an alternative authentication mechanism that performed well it its initial evaluations.
-
we discuss the lessons we learned and reflect on the value of probationing an alternative authentication mechanism in the wild.
- Renaud, K. and Maguire, J. "Regulating Access to Adult Content (with Privacy Preservation)" In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, (Seoul, South Korea, 2015), ACM, pp.4019-4028.
Acceptance rate: 23.0% / Abstract / PDF
-
In the physical world we have well-established mechanisms for keeping children out of adult-only areas. In the virtual world this is generally replaced by self declaration. Some service providers resort to using heavy-weight identification mechanisms, judging adulthood as a side effect thereof.
Collection of identification data arguably constitutes an unwarranted privacy invasion in this context, if carried out merely to perform adulthood estimation. This paper presents a mechanism that exploits the adult's more extensive exposure to public media, relying on the likelihood that they will be able to recall details if cued by a carefully chosen picture. We conducted an online study to gauge the viability of this scheme. With our prototype we were able to predict that the user was a child 99% of the time. Unfortunately the scheme also misclassified too many adults. We discuss our results and suggest directions for future research.
The contributions of this paper are:
-
the concept of knowledge-based regulation of access to adult content
- proven accuracy of the scheme based on two studies, using empirically validated images to perform adulthood estimation
- discussion of the implementation challenges and proposals for future work
- Renaud, K., Volkamer, M. and Maguire, J. (2014) "ACCESS: Describing and Contrasting Authentication Mechanisms" In Proceedings of the Second International Conference on Human Aspects of Information Security, Privacy, and Trust, (Crete, Greece, 2014), Springer International Publishing, pp.183-194.
Abstract
-
The password the almost universal authentication solution yet is buckling under the strain. It demonstrates insufficiency and weakness due to poor choice, reuse and ease of transfer. Graphical passwords, biometrics, and hardware tokens have been suggested as alternatives. Industry has, unfortunately, not embraced these alternatives. One possible explanation is the complexity of the choice process. To support authentication decision-markers we suggest a framework called ACCESS (Authentication ChoiCE Support System) which captures requirements, consults a knowledge base of existing authentication mechanisms and their properties, and suggests those mechanisms that match the specified requirements.
-
Renaud, K., Maguire, J., van Niekerk, J., & Kennes, D. (2014) "Contemplating Skill-based Authentication". SAIEE Research Journal, vol. 105 no. 2 pp. 48-60 .
Abstract
-
Humans develop skills as they go through their lives: some are fairly common, such as reading, but others are developed to maximise employment opportunities. These skills develop over a long period of time and are much rarer. Here we consider whether we can exploit this reality in the security arena, specifically to achieve a stronger form of authentication. Authentication has traditionally been performed based on what users know, hold or are. The first is the most popular, in the form of the password. This is often referred to as “knowledge-based” authentication. Yet, rigorously following guidelines for password creation produces forgettable gibberish and nonsense strings, not knowledge. Nonsense is hard to remember and users engage in a number of coping strategies to ameliorate this, and these tend to weaken the authenticator. It would be beneficial to find a way of reducing this memorial load, to identify a more usable mechanism. This is hard: usually reducing the memorial load also makes the secret easier to guess. The challenge is in finding a way to reduce memory load while holding the line as far as strength is concerned. Here we contemplate exploiting recognition of artefacts resulting from experts practicing their craft: “skill-based” authentication. This should reduce the memorial load and effort, but also, crucially, make it harder for a random intruder to replicate. We report on how we trialled SNIPPET, a prototype of an authentication mechanism that relied on an expert programmer identifying his/her own code snippets from successive challenge sets. We found that our participants were all able to identify their own code snippets and that other participants were unable to guess these, even when they observed the legitimate person authenticating beforehand. These findings are not conclusive given the small number of participants but they do show promise and suggest that this is an area worth pursuing. We conclude by returning to the three NIST-identified forms of authentication and consider how SNIPPET can be positioned within the general authentication arena.
-
Renaud, K., Mayer, P., Volkamer, M. and Maguire, J. "Are Graphical Authentication Mechanisms As Strong As Passwords?" In Proceedings of the 2013 Federated Conference on Computer Science and Information Systems, (Krako, Poland, 2013), IEEE, pp.837-844.
Abstract
-
The fact that users struggle to keep up with all their (textual) passwords is no secret. Thus, one could argue that the textual password needs to be replaced. One alternative is graphical authentication. A wide range of graphical mechanisms have been proposed in the research literature. Yet, the industry has not embraced these alternatives. We use nowadays (textual) passwords several times a day to mediate access to protected resources and to ensure that accountability is facilitated. Consequently, the main aspect of interest to decision-makers is the strength of an authentication mechanism to resist intrusion attempts. Yet, researchers proposing alternative mechanisms have primarily focused on the users' need for superior usability while the strength of the mechanisms often remains unknown to the decision makers. In this paper we describe a range of graphical authentication mechanisms and consider how much strength they exhibit, in comparison to the textual password. As basic criteria for this comparison, we use the standard guessability, observability and recordability metrics proposed by De Angeli et al. in 2005. The intention of this paper is to provide a better understanding of the potential for graphical mechanisms to be equal to, or superior to, the password in terms of meeting its most basic requirement namely resisting intrusion attempts.
-
Renaud, K., Kennes, D., van Niekerk, J. and Maguire, J. "SNIPPET: Genuine knowledge-based authentication" In Proceedings of the 13th Annual Conference on Information Security, (Johannesburg, South Africa, 2013), IEEE, pp.1-8.
Abstract
-
Authentication is traditionally performed based on what you know, what you hold or what you are. The first is the most popular, in the form of the password. This is often referred to as “knowledge-based” authentication. Yet, given the guidelines for password restrictions commonly given to end-users we will argue that this is a misnomer. A strong password is actually a lengthy string of gibberish or nonsense. Common password strength guidelines advise users against choosing meaningful passwords.
Humans are not very good at remembering nonsense strings so they very reasonably choose meaningful passwords which are easily guessed. This appears to constitute a stand off between the mnemonic needs of end users and the security needs of the system. If we could find a way of reducing the mnemonic load on users they might well be more likely to choose stronger authentication secrets. We could, for example, rely on pre-existing knowledge rather than requiring users to memorise a random alphanumeric string. If we were able to do this it should be easier for them to respond, and also harder for a random intruder to replicate the knowledge.
Testing knowledge directly is probably infeasible in an au- thentication setting. We will show that experts can identify what they themselves produce as they go about carrying out their own skilled activities.
We trialled a prototype mechanism which tested the mem- orability, observability and guessability of an authentication mechanism that relied on an expert programmer identifying his/her own code snippets. We conducted a pilot study and report on our findings. These findings are not conclusive given the small number of participants but they do show promise and suggest that this is an area worth pursuing.
-
Maguire, J. & Renaud, K. (2013) "Shrinking the Authentication Footprint" pp.2-11 in Proceedings of the 7th International Symposium on Human Aspects of Information Security & Assurance, Lisbon May 2013.
Abstract
-
Developers create paths for users to tread. Some users will stay on the beaten track; others will diverge and take risky shortcuts. If user-preferred and developer-created paths diverge too much, it is time for the developer to consider a new path. A case in point is the humble password. They fill an important developer need: a cheap and easy mechanism to control access and enforce accountability. Unfortunately, users find the constant requests for authentication a nuisance. They respond by walking down risky paths that compromise the mechanism but allow them to satisfy goals more quickly. The answer, for some researchers, has been to come up with password alternatives. This focus is misguided, since the alternatives do nothing to reduce the authentication footprint. The reality is that developers overuse authentication. The problem is not the authentication step, but rather its position in the path. Authentication is sometimes used even when there is no real need for it. This creates confusion in the user’s mind about the consequences of authentication: sometimes it authorises significant side effects and other times it is difficult to identify its raison d’etre. Here we suggest some developer patterns which minimise authentication requests, emphasising necessity rather than gratuitousness. We believe this will help to ease the current situation by moving towards genuine risk mitigation rather than harming authentication by excessive use thereof.
-
Renaud, K. & Maguire, J. (2013) "How do you solve a problem like Authentication?" in Human Factors in the Safety and Security of Critical Systems Workshop, Glasgow March 2013.
Abstract
-
The security aspect that the computer user encounters most often is the password prompt - a demand that they verify their identity by providing a shared secret. Authentication, for the deployer, regulates access and enforces accountability. Authentication, for the user, obstructs, intrudes and delays gratification. Whereas users could probably put up with this if it happens relatively infrequently, this tends not to be the case. An authentication prompt is presented a number of times during the day. Sometimes it has serious consequences, such as when it is required to authorise the purchase of a digital item, and the permits consequent credit card charge. Other times it merely identifies the user to allow the system to customise the interface. The range of consequences and the multiplicity of systems mandating shared secrets collide with human limitations and the current password bloat and general end-user exasperation.
Is it at all possible to improve authentication? As researchers, we have primarily addressed this problem in one of three ways: (1) by trying to find a password replacement, (2) by formulating rules and regulations to coerce users into choosing stronger passwords, or (3) fostering a security culture within the organisation, hoping that the social pressure will induce people to behave more securely. These endeavours have met with limited success. Alternatives have not been embraced by the developer community, rules and regulations are often ignored, subverted or deliberately flouted. Fostering a security culture has had more success, in relative terms, but still has not really addressed the “authentication problem”. The one thing these approaches have in common is their focus on the human agent: the end user.
Consider a related problem in the physical world: locks on doors. These have not changed in centuries and the doors themselves are probably weaker than they were a hundred years ago. Yet do locks really prevent intrusion? A determined intruder finds the average lock an minor deterrent, and the door itself is sometimes even made of glass, allowing the thief to subvert the lock entirely. Yet one never hears about a desperate search for a door or lock replacement. One doesn’t hear the refrain, ‘How do you solve a problem like the door lock? This even though they, too, are lost, copied and shared. Why, when it comes to virtual locks, is there such a drive to come up with the perfect locking mechanism? The password and the average door lock function similarly: neither is perfect but both provide an acceptable measure of security. Here we will argue that it might be time to suspend our unrealistic expectations that we can find a perfect lock in the virtual world when we live quite happily with imperfect security in the physical world.
-
Maguire, J. & Renaud, K. "You only live twice or the years we wasted caring about shoulder-surfing" In Proceedings of the 26th British HCI Group Annual Conference on People and Computers, (Birmingham, United Kingdom, 2012), ACM, pp.404-409.
Abstract
-
Passwords are a good idea, in theory. They have the potential to act as a fairly strong gateway. In practice though, passwords are plagued with problems. They are (1) easily shared, (2) trivial to observe and (3) maddeningly elusive when forgotten. While alternatives to passwords have been proposed, none, as yet, have been adopted widely. There seems to be a reluctance to switch from tried and tested passwords to novel alternatives, even if the most glaring flaws of passwords can be mitigated. One argument is that there is not enough investigation into the feasibility of many password alternatives. Graphical authentication mechanisms are a case in point. Therefore, in this paper, we detail the design of two prototype applications that utilise graphical authentication mechanisms. However, when forced to consider the design of such prototypes, we find that pertinent password problems eg. observation of entry, are just that: password problems. We conclude that effective, alternative authentication mechanisms should target authentication scenarios rather than the well-known problems of passwords. This is the only route to wide-spread adoption of alternatives.
-
Maguire, J. & Renaud, K. (2011) "An Alternative Avatar" Health, Wealth and Identity Theft Workshop at the 25th British HCI Group Annual Conference on People and Computers, (Newcastle, United Kingdom, 2011), ACM.
Abstract
-
Fragments of information are generated and maintained, everyday. In the aggregate, these fragments are crucial to companies like Google and Facebook. Therefore, they create free services which drive the creation of fragments and discourage the destruction of them. However, there are potentially unforeseen costs, in terms of security and energy, in managing all these fragments. We propose an image-based avatar, which fluctuates depending on the information generated by an individual online.
The contribution of this paper is:
- we propose an alternative to the username, in the form of a dynamic avatar whose appearance fluctuates depending on the information shared by the user.
-
Maguire, J. & Renaud, K. "Armchair Authentication" In Proceedings of the 23rd British HCI Group Annual Conference on People and Computers: Celebrating People and Technology, (Cambridge, United Kingdom, 2009), ACM, pp.388-397.
Acceptance rate: 25.0% / Abstract / PDF / Slide Deck
-
Alphanumeric authentication, by means of a secret, is not only a powerful mechanism, in theory, but prevails over all its competitors in practice. However, it is clearly inadequate in a world where increasing numbers of systems and services require people to authenticate in a shared space, while being actively observed. This new reality places pressure on a password mechanism never intended for use in such a context. Asterisks may obfuscate alphanumeric characters on entry but popular systems, e.g. Apple iPhone and Nintendo Wii, regularly require users to use an on-screen keyboard for character input. This may not be a real concern within the context of secluded space but inadvertly reveals a secret within shared space. Such a secret has an economic cost in terms of replacement, recall and revenue, all of which affect the financial return of the offending systems and services.
In this paper, we present and evaluate a graphical authentication mechanism, Tetrad, which appears to have the potential to address these specific concerns.
The contributions of this paper are:
- we propose a observation-resilient graphical authentication mechanism for use on a television.
- we report empirical evidence from a controlled lab-study on performance of observation-resilience and cognitive demands on the user.
- we reflect and discuss the relevance of graphical authentication mechanisms in a shared-space.
Maguire, J.,Stuart, S. & Draper, S.W. (2008) "Student generated podcasts: Learning to cascade rather than create" pp.67-77 in A.Comrie, N.J.Mayes, J.T.Mayes & K.Smyth (Editors) Learners in the Co-Creation of Knowledge: Proceedings of the LICK 2008 Symposium, Edinburgh 30 October 2008.
Abstract
There is currently an explosion of exploratory uses of podcasts in education, but only a few where the students, rather than the staff, produce the podcasts. Where it has been done, it has mainly been for students where the technology itself was also relevant to their studies (e.g. computing science or media studies courses). Here however we report on one of these on a course for ‘non-technical’ students from the faculty of Arts. These students were required to produce a single video podcast for their third-year philosophy course. The requirements to present something useful to fellow students and to master a new and fashionable technology are well designed to augment self-confidence and self-efficacy, to engage students, to equip them with a skill that may enhance their employability, and to foster deeper learning. However a basic reason for student generated content of this kind is that authoring for other students (rather than for marking by a staff member) should give impetus to deeper thought about the content. This would not only cement existing knowledge but also supplement it with new perspectives and considerations. Sceptics might argue differently, claiming it to be a gimmick to boost course numbers. However, crafting a report, essay or regurgitating facts on exam day involve different learning experiences and skills to that of giving a persuasive presentation to a large audience.
Draper, S.W. & Maguire, J. (2007) "Exploring podcasting as part of campus-based teaching" Practice and Evidence of the Scholarship of Teaching and Learning in Higher Education vol.2 no.1 pp.43-65
Abstract
The possibility of using the technologies associated with podcasting and MP3 players to augment campus based HE teaching is explored. A study demonstrating its use in five courses, and eliciting favourable learner attitude responses, is briefly reported. A range of educational applications, including and going beyond those demonstrated in the study, are suggested. The different functions entailed are identified: recording, distribution, playback. The acceptability for each stakeholder group separately is discussed: learners, teachers, IT support. The technology's characteristics are assessed with respect to essential factors for widespread adoption: cost, ease of use (i.e. personal effort and learning costs for users), and educational benefit. The underlying technologies are briefly described, partly to indicate what the fundamental advantages are based on (independently of currently available products) and partly to allow likely longevity to be assessed. Finally some underlying principles from the viewpoint of educational research are proposed and discussed.