Secure Web Authentication With Mobile Phones - PowerPoint PPT Presentation

Slides: 24
Transcript and Presenter's Notes


1
Secure Web Authentication With Mobile Phones
  • Min Wu, Simson Garfinkel, Robert Miller
  • MIT Computer Science and Artificial Intelligence Lab

2
Problem to Be Solved
  • People increasingly rely on public computers to do business over the Internet
  • But passwords can be captured by the computer and later reused by a hostile party
  • 2002: key logger at 14 NYC Kinko's captured 450 usernames and passwords
  • 2003: key logger on more than 100 campus computers at Boston College
  • 2003: 6,300 stolen from a bank account after it was accessed at a public terminal

3
Our Approach
4
Our Approach
5
Authentication Protocol
  • "I am Alice"
6
Authentication Protocol
  • Your current authentication session is FAITH
  • Session FAITH is waiting for approval
7
Authentication Protocol
  • FAITH
  • Approve session FAITH
8
Authentication Protocol
  • Username, Password
9
Authentication Protocol (Dealing with Fraud)
  • FAITH
  • Session PSYCH is waiting for approval
  • Lock my account until further notice
10
Two Mobile Phone Interfaces for Authentication
  • Check and Approve
  • Choose and Approve

11
User Study
  • How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions?
  • One-time password sent to mobile phone (RSA Mobile, Fujitsu)

12
Four Login Techniques
  • One-time password approach
    • Type Random Code (e.g. 1234-5678)
    • Type Random Phrase (e.g. "swears trainee"), with a proxy-side spelling checker (Ispell)
  • Our approach
    • Check and Approve
    • Choose and Approve

13
Method
  • Controlled experiment in the lab
  • Logged in to Amazon.com using an account set up by us, with a personal computer and a mobile phone provided by us
  • 6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized

14
Simulated Attacks
  • Will a user blindly approve sessions without looking at the session name?
  • Users were told that they were going to be spoofed by our simulated attacks

15
Unknown Attack
  • PSYCH is waiting for approval
16
Duplicated Attack
  • FAITH
  • PSYCH
17
Blocking Attack
  • PSYCH is waiting for approval
  • ? ? ?
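The protocol of slides 5 to 9, the two phone interfaces of slide 10 and the three simulated attacks of slides 15 to 17, modelled in a small added example. This is not the authors' code: the wordlist, the attacker's timing, the decoy names in the Choose and Approve menu and the "careless" and "careful" user models are all constructed for illustration, and the real system's proxy and phone UI are not described on this page.

```python
# Added example (not the authors' code): toy model of the session-name
# approval protocol and the three simulated attacks from the slides.
# Session names, attack timing and user behaviour are constructed here.
import secrets
from dataclasses import dataclass

WORDLIST = ["FAITH", "PSYCH", "MAPLE", "RIVER", "STONE", "CLOUD"]  # constructed


@dataclass
class Session:
    name: str
    status: str = "pending"  # pending -> approved | rejected


class AuthServer:
    """Server side: each 'I am Alice' opens a named session; the phone closes it."""

    def __init__(self, demo_names=None):
        self.sessions = {}                    # username -> [Session], oldest first
        self.locked = set()
        self._demo = list(demo_names or [])   # fixed names so the demo is reproducible

    def start_login(self, username):
        """Returns the session name the public computer must display,
        or None if the account is locked."""
        if username in self.locked:
            return None
        used = {s.name for s in self.sessions.get(username, [])}
        name = self._demo.pop(0) if self._demo else secrets.choice(
            [w for w in WORDLIST if w not in used])
        self.sessions.setdefault(username, []).append(Session(name))
        return name

    def pending(self, username):
        return [s.name for s in self.sessions.get(username, []) if s.status == "pending"]

    def decide(self, username, name, approve):
        for s in self.sessions.get(username, []):
            if s.name == name and s.status == "pending":
                s.status = "approved" if approve else "rejected"

    def lock(self, username):
        """'Lock my account until further notice': reject everything pending."""
        self.locked.add(username)
        for name in self.pending(username):
            self.decide(username, name, False)

    def approved(self, username):
        return [s.name for s in self.sessions.get(username, []) if s.status == "approved"]


def check_and_approve(server, username, screen, user):
    """Phone asks 'Approve session X?' for each pending session in turn.
    Whether the name is compared with the computer screen is left to the user."""
    for name in server.pending(username):
        if user(name, screen):
            server.decide(username, name, True)
            return name
        server.decide(username, name, False)
    return None


def choose_and_approve(server, username, screen, decoys=("MAPLE", "RIVER")):
    """Phone shows a menu (pending sessions plus decoys, an assumed detail) and the
    user must pick the name on the computer screen or 'none'. The comparison is
    forced by the interface: with nothing on the screen there is nothing to pick."""
    pending = server.pending(username)
    if not pending:
        return None
    menu = sorted(set(pending) | set(decoys))
    choice = screen if screen in menu else None
    for name in pending:
        server.decide(username, name, name == choice)
    return choice if choice in pending else None


def careless(phone_name, screen):   # approves blindly, as some study users did
    return True


def careful(phone_name, screen):    # compares the phone name with the screen
    return phone_name == screen


def simulate(attack, interface, user=careless):
    """Replay one of the slides' attacks. Returns (attacker_got_in, alice_got_in)."""
    server = AuthServer(demo_names=["PSYCH", "FAITH"])  # attacker's request lands first
    screen = None
    server.start_login("alice")                  # attacker says 'I am Alice' -> PSYCH
    if attack == "duplicated":
        screen = server.start_login("alice")     # Alice's own request -> FAITH on her screen
    # "unknown": Alice is not logging in at all; "blocking": her request is held
    # back, so her screen shows nothing. Either way only PSYCH is pending.
    if interface == "check":
        check_and_approve(server, "alice", screen, user)
    else:
        choose_and_approve(server, "alice", screen)
    done = server.approved("alice")
    return ("PSYCH" in done, "FAITH" in done)


def lock_after_fraud():
    """Slide 9: an unexpected session prompt is answered by locking the account."""
    server = AuthServer(demo_names=["PSYCH"])
    server.start_login("alice")
    server.lock("alice")
    return server.pending("alice"), server.start_login("alice")
```

Running `simulate("duplicated", "check", careless)` lets the attacker's PSYCH session through, while the Choose and Approve variant approves only FAITH and, under a blocking attack, approves nothing, which is the property the error-rate slides report.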
18
Ease of Use
  • Single-factor ANOVA with p < 0.01
19
Error Rates
  • Login by Check and Approve was easily spoofed
  • Duplicated attack: 4 successful out of 11 attacks
  • Blocking attack: 2 out of 9
  • Unknown attack: 1 out of 33

20
Error Rates
  • Login by Check and Approve was easily spoofed
  • Duplicated attack: 4 successful out of 11 attacks
    • "There must be a bug in the proxy since the session name displayed on the computer does not match the one on the mobile phone."
  • Blocking attack: 2 out of 9
    • "The network connection must be really slow since the session name has not been displayed."
  • Unknown attack: 1 out of 33

21
Error Rates
  • Choose and Approve has zero error rate

22
Future Work
  • Field study
  • Not only the password but any confidential information should avoid touching the hostile host

23
Conclusion
  • By asking the user to choose and approve the correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use
  • Flexible solution to web authentication
  • Good backup to password login