Graphical Passwords with Integrated Trustworthy Interface TIPPI Workshop

Graphical Passwords with Integrated Trustworthy Interface
TIPPI Workshop, June 19, 2006
Patricia Lareau, VP Product Management

Authentication Design Goals: Consider Security and Usability

Security Requirements
- Randomly assigned
- Unique to the application
- Robust against known attacks
- Simple
- Reliable – no fallback needed
- Not sharable casually or easily
- Lacks social vulnerabilities
- Useable anywhere
- Two-way AuthN
(Diagram labels: Usability, Security)

Passfaces Corporation ■ 175 Admiral Cochrane Drive ■ Annapolis, Maryland 21401 ■ 1.800.682.0604

Usability Requirements
- Graphical User Interface
- Intuitive to use
- No user rules
- Independent of user’s aptitude, training or attentiveness
- No on-going training
- EASY to use
- Portable
- Fun!
(Diagram labels: Security, Usability)

Successful AuthN is Both or Neither
Design Leverages:
- Secret
- Interface
- Protocol
(Diagram labels: Usability, Security)

Passfaces Meets the Challenge: Secure and Usable

The Secret: Based on Cognitive Science

The Brain Deals with Faces Differently than Any Other Image
Face recognition is a dedicated process which is different from general object recognition.
Source: Face Recognition: A Literature Survey. National Institute of Standards and Technology

In the Beginning…
Thinking Outside of the Box Approach… “Let’s Authenticate the Person”
- Science has proven that we are genetically predisposed with a unique talent. We all have the innate ability to easily recognize human faces.
- There was a time that recognizing another's face could mean LIFE or DEATH. Today that need is not so great, but the ability is still there.
- There is a special place in the brain dedicated to facial recognition and facial recognition only.

Recall vs. Recognize
You must RECALL a password
You simply RECOGNIZE a face
Remember High School… What kind of test did you prefer?
- Multiple Choice
- Fill in the Blank
(Slide graphic text: 123 gfwy)

Our approach
Familiarize the user with a randomly-selected set of faces and check if they can recognize them when they see them again.
It’s as easy as recognizing an old friend.

Authentication Session
The secret is
- Random
- Easy to recognize but Difficult to describe/share
- No “cribsheets” needed
- Always Available
- Intuitive - Independent of user age, language or education
- Not socially vulnerable

The Interface: Reinforce the Design Objectives

How Passfaces Works
(Diagram labels: Library of Faces, User Interface)
Users Are Assigned a Set of 5* Passfaces
* Typical implementation – 3 to 7 possible as standard

How Passfaces Works
- 5 Passfaces are associated with 40 decoys
- Passfaces are presented in five 3 by 3 matrices, each having 1 Passface and 8 decoys

New Users are Familiarized with their Passfaces
- Users enroll with a 2 to 4 minute familiarization process
- Using instant feedback, encouragement, and simple dialogs, users are trained until they can easily recognize their Passfaces
- The process is optimized and presented like an easy game
(Screenshot text: Let’s Practice; Action; Click On Your Passface; It’s Moving (There is only One on this Page))

Familiarization Puts Cookies in the Brain
Like a mindprint or brain cookie
But, unlike fingerprints, Passfaces require no special hardware
And, unlike browser cookies, Passfaces authenticate the actual user

Authentication Session
The interface…
- Graphical
- Self-prompting
- User cannot choose or reuse
- NO burden of recall
- 3 X 3 grid
- Ergonomic
- Maps to keypad, phone, pinpad
- More entropy than a user chosen secret

The Protocol: Maximize Defenses – Maximize Usability

Configuration Data
- Grid set is random per user
- Grids need not be secret but must be correct
- AUTHENTICATION IS NOT POSSIBLE WITHOUT PRESENTATION OF CORRECT GRIDS
- Mutual Authentication is implicit; user attentiveness unnecessary
- Phishing today is stopped
- Phishing tomorrow is hard work
- Blacklisting is possible
(Slide graphic text: John Doe, sparky 123)

Grid Presentation
- Multiple Grids
- Random display within grid
- Familiar order of grids for user comfort
- Library Use
- Thousands of random sets available
- Shoulder surfing deterrent
- Anti phishing strategies
- Mutual AuthN enhanced
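The grid mechanics from the "How Passfaces Works", "Configuration Data" and "Grid Presentation" slides, as an added Python sketch that is not Passfaces code: each user is randomly assigned 5 faces with 8 fixed decoys each, grids keep the same order at every login, and cell positions are reshuffled on each display. The function names, the record layout and the face IDs are assumptions made for illustration.

```python
import secrets

# Added illustration: function names and face IDs are assumptions, not Passfaces code.
GRID_CELLS = 9          # 3 x 3 grid, per the slides
NUM_PASSFACES = 5       # typical implementation; the slides allow 3 to 7

def enroll(library, k=NUM_PASSFACES, rng=None):
    """Randomly assign k passfaces and 8 decoys per passface (the user never chooses)."""
    rng = rng or secrets.SystemRandom()
    needed = k * GRID_CELLS
    if len(set(library)) < needed:
        raise ValueError(f"library needs at least {needed} distinct faces")
    faces = rng.sample(sorted(set(library)), needed)
    # Grid i is a fixed set: faces[9*i] is the passface, the next 8 are its decoys.
    return [{"passface": faces[i * GRID_CELLS],
             "decoys": faces[i * GRID_CELLS + 1:(i + 1) * GRID_CELLS]}
            for i in range(k)]

def challenge(record, rng=None):
    """Grids appear in the same order every login; cell positions are reshuffled."""
    rng = rng or secrets.SystemRandom()
    layouts = []
    for grid in record:
        cells = [grid["passface"], *grid["decoys"]]
        rng.shuffle(cells)
        layouts.append(cells)
    return layouts

def verify(record, layouts, clicks):
    """clicks[i] is the cell index (0-8) chosen in grid i; every grid must match."""
    if len(clicks) != len(record) or len(layouts) != len(record):
        return False
    ok = True
    for grid, cells, pos in zip(record, layouts, clicks):
        # No early exit: the caller learns only pass/fail for the whole session.
        ok &= 0 <= pos < len(cells) and cells[pos] == grid["passface"]
    return ok

def guess_probability(k=NUM_PASSFACES):
    """Chance that uniformly random clicks pass all k grids: (1/9)^k."""
    return 1 / GRID_CELLS ** k

if __name__ == "__main__":
    library = [f"face-{n:04d}" for n in range(1000)]   # constructed face IDs
    record = enroll(library)
    shown = challenge(record)
    clicks = [cells.index(g["passface"]) for g, cells in zip(record, shown)]
    print(verify(record, shown, clicks), guess_probability())
```

With the 5 grids of 9 faces described on the slides, a blind guess succeeds with probability 1/59,049 (about 15.8 bits), so an implementation along these lines would need to limit failed attempts per account.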

A New Class of Authentication
- Passfaces represents a new, 4th class of authentication: Cognometrics
Recognition-Based Authentication

Thank you! Questions?
Patricia Lareau, VP Product Management
patricia.lareau@passfaces.com
805.544.1138