Seamless Authentication for Ubiquitous Devices
Total Page:16
File Type:pdf, Size:1020Kb
Dartmouth College Dartmouth Digital Commons Dartmouth College Ph.D Dissertations Theses and Dissertations 5-1-2016 Seamless Authentication for Ubiquitous Devices Shrirang Mare Dartmouth College Follow this and additional works at: https://digitalcommons.dartmouth.edu/dissertations Part of the Computer Sciences Commons Recommended Citation Mare, Shrirang, "Seamless Authentication for Ubiquitous Devices" (2016). Dartmouth College Ph.D Dissertations. 48. https://digitalcommons.dartmouth.edu/dissertations/48 This Thesis (Ph.D.) is brought to you for free and open access by the Theses and Dissertations at Dartmouth Digital Commons. It has been accepted for inclusion in Dartmouth College Ph.D Dissertations by an authorized administrator of Dartmouth Digital Commons. For more information, please contact [email protected]. Seamless Authentication For Ubiquitous Devices Shrirang Mare Technical Report TR2016-793 Dartmouth Computer Science Copyright c 2016, Shrirang Mare All rights reserved Abstract User authentication is an integral part of our lives; we authenticate ourselves to personal computers and a variety of other things several times a day. Authentication is burdensome. When we wish to access to a computer or a resource, it is an additional task that we need to perform – an interruption in our workflow. In this dissertation, we study people’s authentication behavior and attempt to make authentication to desktops and smartphones less burdensome for users. First, we present the findings of a user study we conducted to understand people’s authentication behavior: things they authenticate to, how and when they authenticate, authentication errors they encounter and why, and their opinions about authentication. In our study, participants performed about 39 authentications per day on average; the majority of these authentications were to personal computers (desktop, laptop, smartphone, tablet) and with passwords, but the number of authentications to other things (e.g., car, door) was not insignificant. We saw a high failure rate for desktop and laptop authentication among our participants, affirming the need for a more usable authentication method. Overall, we found that authentication was a noticeable part of all our participants’ lives and burdensome for many participants, but they accepted it as cost of security, devising their own ways to cope with it. Second, we propose a new approach to authentication, called bilateral authentication, ii that leverages wrist-wearable technology to enable seamless authentication for things that people use with their hands, while wearing a smart wristband. In bilateral authentication two entities (e.g., user’s wristband and the user’s phone) share their knowledge (e.g., about user’s interaction with the phone) to verify the user’s identity. Using this approach, we developed a seamless authentication method for desktops and smartphones. Our authentication method offers quick and effortless authentication, continuous user verification while the desktop (or smartphone) is in use, and automatic deauthentication after use. We evaluated our authentication method through four in-lab user studies, evaluating the method’s usability and security from the system and the user’s perspective. Based on the evaluation, our authentication method shows promise for reducing users’ authentication burden for desktops and smartphones. iii Acknowledgments I would like to thank everyone who helped me get to this point. First and foremost, I am greatly indebted to my advisor David Kotz for helping me every step of the way, from encouraging me to purse a Ph.D. to keeping me focused and pushing me to finally finish the dissertation. He imparted countless research and life skills along the way, in addition to reinforcing the value of hard work and helping me learn to write English all over again. I was very fortunate to have him as my advisor. I was also fortunate to work with Mary Baker, Andrés Molina-Markham, Jacob Sorber, Minho Shin, and Cory Cornelius, who taught me many things and have shaped my thinking in many ways. I am grateful to Ron Peterson, who has been an invaluable source of technical expertise. I thank my committee, Sean Smith, Lorenzo Torresani, and Carl Landwehr, for their patience and feedback. I also thank Jason Reeves and Sikandar Mashayak for providing helpful feedback on the early drafts of the dissertation. I am grateful to my close friend Aarathi Parsad for always being there to provide encouragement when I needed one and to celebrate little victories. I thank my labmates, Tim Pierson, Travis Peters, and Tianlong Yun for providing a fun and supportive environment. I thank all of my friends in Dartmouth for helping me adjust to life in a new country. In particular, Yash Patankar, Rima Murthy, Ashok Holla, Ranganath Kondapally, Umang Bhaskar, Priya Natarajan, Paritosh Kavathekar, and Chrisil Arackaparambil. I am grateful to iv my host family, Terry and Betsy Cantlin, for providing me a home away from home. My research depended on a large suite of open source software. I am indebted to the entire open source community, in particular the developers of TEX/LATEX, Python, IPython, Numpy, Scipy, Matplotlib, Pandas, and Scikit-learn projects. Above all I am grateful for the unwavering support and constant encouragement from my family. My father Bhanudas taught me the value of hard work and the importance of education, my mother Anusaya always kept me grounded by reminding me the important things in life, my siblings Pandurang and Vaishali paved way for higher education and encouraged me to pursue engineering, and my wife Radha cared for me and supported me through the final year of my Ph.D. I love you all. This research results from a research program at the Institute for Security, Technology, and Society at Dartmouth College, supported by the National Science Foundation under Grant Award Number CNS-1329686 and by the Department of Health and Human Services under award number 90TR0003-01. v Contents Abstract ii Acknowledgments iv Contents vi List of Figures xii List of Tables xiv List of Abbreviations xv 1 Introduction1 1.1 Vision.....................................3 1.2 Approach...................................4 1.3 Challenges...................................5 1.4 Contributions.................................6 1.5 Outline....................................7 2 Background9 2.1 Definitions................................... 12 vi 2.2 Assumptions................................. 13 2.3 Adversary model............................... 15 2.4 Design goals.................................. 16 2.5 Evaluation metrics.............................. 17 3 Related Work 21 3.1 History.................................... 21 3.2 Passwords................................... 22 3.3 Hardware tokens............................... 23 3.4 Biometrics................................... 23 3.4.1 Physical................................ 23 3.4.2 Behavioral.............................. 24 4 People’s Authentication Behavior 25 4.1 Introduction.................................. 26 4.2 Related work................................. 28 4.3 Study goals.................................. 31 4.4 Methodology................................. 32 4.4.1 Authentication event......................... 32 4.4.2 Wearable digital diary........................ 34 4.4.3 Study procedure........................... 39 4.5 User study participants............................ 41 4.6 Study Limitations............................... 42 4.7 Findings.................................... 43 4.7.1 Digital vs. physical authentication.................. 44 4.7.2 Authentication targets and authenticators.............. 45 4.7.3 Authentication failures........................ 47 4.7.4 Passwords............................... 50 vii 4.7.5 Authentication behavior across age and gender........... 54 4.7.6 Guessing authentication events.................... 56 4.7.7 Authentication patterns........................ 56 4.7.8 Opinion about authentication..................... 59 4.7.9 Best and worst authenticators.................... 60 4.7.10 Things participants carry....................... 62 4.7.11 Privacy................................ 66 4.8 Discussion................................... 67 4.8.1 What would we do differently?.................... 67 4.8.2 What went well?........................... 68 4.9 Summary................................... 69 5 Bilateral Verification 70 5.1 A different approach to user verification................... 71 5.2 Security of bilateral verification approach.................. 73 5.3 Benefits and limitations............................ 73 5.4 Related work................................. 75 6 Desktop Authentication 76 6.1 Overview................................... 79 6.2 Initial authentication............................. 81 6.2.1 Intuition................................ 82 6.2.2 Protocol................................ 84 6.2.3 Identifying candidate wristbands................... 87 6.2.4 Correlation step............................ 89 6.2.5 Authentication feedback....................... 92 6.3 Evaluation of Initial authentication...................... 93 6.3.1 Feasibility user study......................... 93 viii 6.3.2 Quickness............................... 95 6.3.3 Recognizing intentionality...................... 95 6.3.4 Usability............................... 96 6.3.5 Security................................ 100 6.3.6 Users’ perception of CSAW..................... 103 6.4 Continuous authentication.........................