Use the Force - USENIX · Use the Force - Evaluating Force-Sensitive Authentication for Mobile...


Page 1: Use the Force - USENIX · Use the Force - Evaluating Force-Sensitive Authentication for Mobile Devices Author Katharina Krombholz, Thomas Hupperich, Thorsten Holz SBA Research Ruhr-Universität

Page 2:

Use the Force: Evaluating Force-Sensitive Authentication for Mobile Devices

Katharina Krombholz, Thomas Hupperich, Thorsten Holz

SBA Research, Ruhr-Universität Bochum

Presented by: Wilfried Mayer, SBA Research

Page 3:

What’s the Force?

Page 4:

What’s the content?

Lab Study

Security Evaluation

Field Study

Page 5:

Lab Study - Design

• 50 participants / 3 methods / 3 attempts
• Self-defined PIN / Random order of methods
• Authentication speed & Error rate
• Additional questionnaire

Page 6:

Lab Study - Results

Page 7:

Lab Study - Perceived Usability & Security

Page 8:

Lab Study - Force

Page 9:

“I like the additional dimension. It is invisible and therefore makes my PIN more secure.” (P5)

Page 10:

Security Evaluation - Theoretical Entropy

method    combinations      entropy
          10^4              13.28 bit
          10^6              19.93 bit
          20^4 [−10^4]      17.28 bit

Page 11:

Security Evaluation - Practical Entropy

theoretical    13.28 bit
practical      11.42 bit [1]

[1] Bonneau et al.

Page 12:

Security Evaluation - Force patterns

Page 13:

Security Evaluation - Practical Entropy

11.42 bit

D / S 3.41 bit
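The entropy figures on the three Security Evaluation slides, worked through in Python: theoretical entropy as log2 of the number of combinations, and practical entropy as the Shannon entropy of the patterns users actually pick (the D/S force dimension alone). This is an added example, not code from the paper; the 0..1 pressure normalisation, the deep/soft threshold and the sample patterns are constructed assumptions, and the slide's figures are the exact values truncated to two decimals.

```python
import math
from collections import Counter


def theoretical_entropy_bits(combinations: int) -> float:
    """Entropy of a uniformly chosen secret: log2 of the number of combinations.
    The slide's rows: 10**4 (4-digit PIN), 10**6 (6-digit PIN) and 20**4
    (4 digits, each entered soft or deep)."""
    return math.log2(combinations)


def shannon_entropy_bits(counts: dict) -> float:
    """Practical entropy: Shannon entropy of an observed choice distribution.
    counts maps each secret (here a force pattern) to how often it was chosen."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c > 0)


def force_pattern(pressures, threshold: float = 0.5) -> str:
    """Map per-digit touch pressures (assumed normalised to 0..1) to the D/S
    (deep/soft) pattern used on the slides. The threshold is an assumption."""
    return "".join("D" if p >= threshold else "S" for p in pressures)


# Constructed sample: force patterns of 32 hypothetical users entering a 4-digit
# PIN. Deliberately skewed: most people press every digit softly, which is why
# practical entropy falls below the theoretical log2(2**4) = 4 bit.
SAMPLE_PRESSURES = (
    [(0.1, 0.2, 0.1, 0.3)] * 16      # SSSS
    + [(0.9, 0.8, 0.7, 0.9)] * 8     # DDDD
    + [(0.2, 0.9, 0.1, 0.8)] * 4     # SDSD
    + [(0.8, 0.2, 0.9, 0.1)] * 2     # DSDS
    + [(0.1, 0.1, 0.2, 0.9)]         # SSSD
    + [(0.9, 0.1, 0.2, 0.1)]         # DSSS
)


def practical_force_entropy(samples=SAMPLE_PRESSURES) -> float:
    """Practical entropy of the force dimension alone, from observed patterns."""
    return shannon_entropy_bits(Counter(force_pattern(p) for p in samples))


if __name__ == "__main__":
    for combos in (10**4, 10**6, 20**4):
        print(f"{combos:>7} combinations -> {theoretical_entropy_bits(combos):.2f} bit")
    print(f"force dimension, theoretical: {theoretical_entropy_bits(2**4):.2f} bit")
    print(f"force dimension, practical (constructed sample): {practical_force_entropy():.2f} bit")
```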

Page 14:

Security Evaluation - Shoulder Surfing Experiment

Direct observation
• Trustworthy experimenter watches while in the lab
• 50 PINs, 21 sequences guessed, 0 force-patterns

Filmed patterns
• Two volunteers watch recorded videos of PINs
• 50 PINs, 39 sequences guessed, 0 force-patterns

Page 15:

“I think it might take a while to fully get used to it, as this concept is new to me.” (P23)

Page 16:

Field Study - Design

• 10 participants / Min. 300 attempts / 2 weeks
• Restrictions in iOS - Single daily reminder
• Designed like iOS lock screen
• Additional debriefing interview

Page 17:

Field Study - Results (Time)

Page 18:

Field Study - Results (Error Rate)

Page 19:

• Task overhead
  ◦ Initially higher
  ◦ Decreases with training

• Improves security
  ◦ Entropy
  ◦ Perceived security
  ◦ Shoulder surfing

Page 20:

May the Force be with you

Page 21:

Questions? [email protected]

Page 22:

Participant characteristics

Page 23:

Participant characteristics