User Security for e-Post Applications Dr Chandana Gamage University of Moratuwa.


User Security for e-Post Applications

Dr Chandana Gamage

University of Moratuwa

2

What is the process of securing a web application?

3

4

What is the most common method of end-user security?

5

Password!

(user name and password combination)

6

What is the weakest method for end-user security?

7

Password!!

8

Why do we keep using the weakest form of security as the most widely used form of security?

9

Many reasons …

Historical reasons

Ease of use reasons

Ease of deployment reasons

10

What are the alternatives for strengthening the security of end users?

11

Change from the paradigm of

“something you know” to a

“something you have” or

“something you are”

12

What is practical for end users of web applications?

13

Something you have?

A physical token

Mag strip card

Smart card with chip

14

A physical-token-based end-user security scheme could be impractical

At present, need specialized hardware

This could change in the future

15

Something you are?

A biometric

Fingerprint scan

Iris scan

Retina scan

16

A biometric-based end-user security scheme could be impractical

At present, need specialized hardware

This could change in the future

17

What are the other alternatives?

18

Direct Two-Factor Security Schemes

19

Combine

“Something you know” with

“Something you have”

ATM card with PIN

20

Combine

“Something you know” with

“Something you are”

Thumb print with Employee ID

21

The practical problems that make direct two-factor security schemes impractical still persist...

22

Are there any more alternatives?

23

Indirect Two-Factor Security Schemes

24

The key idea is to use Two Channels of Communication

25

The First Channel

Web Application

Accessed through the computing device and Internet

26

The Second Channel

Indirect Communication

Email, SMS, Post

27

How does it work?

28

e-Post user enters the User ID

Receives a randomly generated number in an SMS

29

Prerequisites

Register the mobile phone number with e-Post Service

Can be done at the time of registering for service

30

e-Post user enters the User ID

Enters a random number from a list of numbers received through Post

31

Prerequisites

Receive the list of numbers periodically

Users registered for the service receive it through post
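As an added example (not part of the slides), the server side of the two-channel scheme described above: the web application is the first channel, the SMS code or the posted list of numbers is the second. The verifier keeps only hashes of the codes (so there are no stored secrets worth stealing), binds each code to the User ID, expires SMS codes, makes every number single-use and locks out guessing; the class and method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed verifier for the e-Post two-channel scheme (example, not the
# original project's code). Only digests of the codes are stored server-side.


def _digest(user_id: str, code: str) -> str:
    # Bind the code to the user so it cannot be replayed against another account.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


class SecondChannelVerifier:
    def __init__(self, sms_ttl_seconds: int = 300, max_attempts: int = 5):
        self.sms_ttl = sms_ttl_seconds
        self.max_attempts = max_attempts
        self._sms = {}       # user_id -> (digest, expiry timestamp)
        self._post = {}      # user_id -> set of unused digests from the posted list
        self._attempts = {}  # user_id -> failed attempts since last success

    # Second channel, variant A: a fresh random number sent by SMS.
    def issue_sms_code(self, user_id: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        self._sms[user_id] = (_digest(user_id, code), now + self.sms_ttl)
        return code  # handed to the SMS gateway; the server keeps only the digest

    # Second channel, variant B: a list of numbers delivered periodically by post.
    def issue_posted_list(self, user_id: str, count: int = 10) -> list:
        codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(count)]
        self._post[user_id] = {_digest(user_id, c) for c in codes}
        return codes  # printed and posted; the server keeps only the digests

    def verify(self, user_id: str, code: str, now: float) -> bool:
        if self._attempts.get(user_id, 0) >= self.max_attempts:
            return False  # short codes must not be guessable by brute force
        d = _digest(user_id, code)
        sms = self._sms.get(user_id)
        if sms and now <= sms[1] and hmac.compare_digest(d, sms[0]):
            del self._sms[user_id]  # single use
            self._attempts[user_id] = 0
            return True
        if d in self._post.get(user_id, set()):
            self._post[user_id].discard(d)  # each posted number works once
            self._attempts[user_id] = 0
            return True
        self._attempts[user_id] = self._attempts.get(user_id, 0) + 1
        return False
```

The in-memory dictionaries stand in for whatever store the real service uses; the point is that the store holds digests with expiry and single-use state, never the plaintext numbers.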

32

Important Lesson #1

No secret password that a user needs to remember

33

Important Lesson #2

No special hardware or software required

34

Important Lesson #3

Must be usable

Anytime

Anywhere

35

Important Lesson #4

No single solution fits all users!

36

Important Lesson #5

Must be intuitive to use

No learning curve

No training

37

Important Lesson #6

Must be difficult for users to make mistakes

38

Important Lesson #7

Must be secure against hacking

No stored secrets to steal!

39

Important Lesson #8

Must be secure against phishing

No easy way to trick the user!

40

Important Lesson #9

Must be fast

No complicated processing at the user (front end) or at the service (back end)

41

Important Lesson #10

Important Lesson #11

Important Lesson #12

...