Use the Force: Evaluating Force-Sensitive Authentication for Mobile Devices (USENIX, slide transcript)
Use the Force: Evaluating Force-Sensitive Authentication for Mobile Devices
Katharina Krombholz, Thomas Hupperich, Thorsten Holz
SBA Research, Ruhr-Universität Bochum
Presented by: Wilfried Mayer, SBA Research
What's the Force?
What's the content?
• Lab Study
• Security Evaluation
• Field Study
Lab Study - Design
• 50 participants / 3 methods / 3 attempts
• Self-defined PIN / Random order of methods
• Authentication speed & error rate
• Additional questionnaire
Lab Study - Results
Lab Study - Perceived Usability & Security
Lab Study - Force
"I like the additional dimension. It is invisible and therefore makes my PIN more secure." (P5)
Security Evaluation - Theoretical Entropy

| Method | Combinations | Entropy |
|---|---|---|
| 4-digit PIN | 10^4 | 13.28 bit |
| 6-digit PIN | 10^6 | 19.93 bit |
| 4-digit PIN with two force levels | 20^4 [−10^4] | 17.28 bit |
Security Evaluation - Practical Entropy
theoretical 13.28 bit
practical 11.42 bit [1]
[1] Bonneau et al.
Security Evaluation - Force patterns
Security Evaluation - Practical Entropy
PIN 11.42 bit
D / S force pattern 3.41 bit
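The two entropy slides above give a theoretical figure (log2 of the number of combinations: 13.28 bit for 10^4 PINs, 17.28 bit for 20^4 force-PINs, both truncated rather than rounded) and a practical figure that is lower because users do not pick uniformly (11.42 bit, cited from Bonneau et al.; 3.41 bit for the D/S force pattern). The following is an added example, written for this transcript and not code from the authors or the paper. It reproduces the log2 arithmetic and shows the mechanism behind the practical figure using Bonneau's partial guessing entropy (α-guesswork in bits), which collapses to log2(N) for a uniform distribution and drops as soon as a few secrets dominate. The force-pattern counts are constructed, not the study's data; α = 0.5 and the additive combination of PIN and pattern entropy (which assumes the two are chosen independently) are my assumptions.

```python
"""Theoretical vs. practical entropy of PIN and force-pattern spaces.

Added example, not code from the slides or the paper: log2(combinations)
for the 'theoretical' column, and Bonneau's partial guessing entropy to
show why a skewed choice distribution yields a lower 'practical' figure.
"""
from fractions import Fraction
from itertools import product
import math


def theoretical_bits(combinations):
    """Entropy of a uniform choice over `combinations` secrets, i.e. the
    slide's theoretical column: log2(10**4) = 13.28, log2(20**4) = 17.28."""
    return math.log2(combinations)


def shannon_entropy(counts):
    """Shannon entropy H1 in bits of the empirical distribution in `counts`
    (a mapping secret -> number of users who chose it)."""
    total = sum(counts.values())
    h = 0.0
    for c in counts.values():
        if c:
            p = c / total
            h -= p * math.log2(p)
    return h


def partial_guessing_entropy(counts, alpha):
    """Bonneau's alpha-guesswork in bits (G~_alpha, 'The science of guessing',
    IEEE S&P 2012): log2 of the size of a uniform space that would cost an
    attacker the same effort to compromise a fraction `alpha` of the accounts.
    For a uniform distribution and alpha = 1 it equals theoretical_bits()."""
    total = sum(counts.values())
    # Exact rationals, most popular first, so the cumulative-mass test below
    # is not disturbed by floating-point rounding.
    probs = sorted((Fraction(c, total) for c in counts.values() if c), reverse=True)
    cum = Fraction(0)       # lambda_mu: probability mass covered by mu guesses
    weighted = Fraction(0)  # sum_{i<=mu} p_i * i
    mu = 0                  # mu_alpha: guesses needed to reach mass alpha
    for i, p in enumerate(probs, start=1):
        cum += p
        weighted += p * i
        mu = i
        if cum >= alpha:
            break
    g_alpha = (1 - cum) * mu + weighted  # expected guesses incl. give-ups
    return math.log2(float(2 * g_alpha / cum - 1)) + math.log2(float(1 / (2 - cum)))


# Constructed sample (not data from the study): the two-level force pattern
# (D or S per digit, 16 possibilities) chosen by 50 hypothetical users.
# Unobserved patterns are listed with count 0.
FORCE_PATTERN_COUNTS = {"".join(p): 0 for p in product("DS", repeat=4)}
FORCE_PATTERN_COUNTS.update({"SSSS": 25, "DDDD": 10, "SDSD": 5, "DSDS": 5, "SSSD": 5})


def summary(pin_practical_bits=11.42, alpha=0.5):
    """Figures side by side. Adding PIN and pattern entropy assumes the force
    pattern is chosen independently of the digits (an assumption)."""
    pattern_shannon = shannon_entropy(FORCE_PATTERN_COUNTS)
    return {
        "pin4_theoretical": theoretical_bits(10**4),
        "pin6_theoretical": theoretical_bits(10**6),
        "force_pin_theoretical": theoretical_bits(20**4),
        "pattern_theoretical": theoretical_bits(len(FORCE_PATTERN_COUNTS)),
        "pattern_shannon": pattern_shannon,
        "pattern_guessing": partial_guessing_entropy(FORCE_PATTERN_COUNTS, alpha),
        "combined_practical": pin_practical_bits + pattern_shannon,
    }


if __name__ == "__main__":
    for name, bits in summary().items():
        print(f"{name:24s} {bits:6.2f} bit")
```

With the constructed counts half of the users share one pattern, so an attacker who wants half of the accounts needs a single guess: the α = 0.5 guessing entropy comes out at 1.0 bit against a theoretical 4 bit, the same effect the slides report in smaller measure for the real data (3.41 bit of 4, and 11.42 bit of 13.28 for the PIN digits). Any score of this kind should be computed on the actually chosen secrets, not on the size of the space.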
Security Evaluation - Shoulder Surfing Experiment
Direct observation
• A trustworthy experimenter watches during the lab session
• 50 PINs, 21 digit sequences guessed, 0 force patterns
Filmed patterns
• Two volunteers watch recorded videos of PIN entries
• 50 PINs, 39 digit sequences guessed, 0 force patterns
"I think it might take a while to fully get used to it, as this concept is new to me." (P23)
Field Study - Design
• 10 participants / Min. 300 attempts / 2 weeks
• Restrictions in iOS - Single daily reminder
• Designed like iOS lock screen
• Additional debriefing interview
Field Study - Results (Time)
Field Study - Results (Error Rate)
• Task overhead
  ◦ Initially higher
  ◦ Decreases with training
• Improves security
  ◦ Entropy
  ◦ Perceived security
  ◦ Shoulder surfing
May the Force be with you
Participant characteristics