2014 | Original Paper | Book Chapter

Bootstrapping Adoption of the Pico Password Replacement System

Authors: Frank Stajano, Graeme Jenkinson, Jeunese Payne, Max Spencer, Quentin Stafford-Fraser, Chris Warrington

Published in: Security Protocols XXII

Publisher: Springer International Publishing

Abstract

In previous work we presented Pico, an authentication system designed to be both more usable and more secure than passwords. One unsolved problem was that Pico, in its quest to explore the whole solution space without being bound by compatibility shackles, requires changes at both the prover and the verifier, which makes it hard to convince anyone to adopt it: users won’t buy an authentication gadget that doesn’t let them log into anything and service providers won’t support a system that no users are equipped to log in with. In this paper we present three measures to break this vicious circle, starting with the “Pico Lens” browser add-on that rewrites websites on the fly so that they appear Pico-enabled. Our add-on offers the user most (though not all) of the usability and security benefits of Pico, thus fostering adoption from users even before service providers are on board. This will enable Pico to build up a user base. We also developed a server-side Wordpress plugin which can serve both as a reference example and as a useful enabler in its own right (as Wordpress is one of the leading content management platforms on the web). Finally, we developed a software version of the Pico client running on a smartphone, the Pico App, so that people can try out Pico (at the price of slightly reduced security) without having to acquire and carry another gadget. Having broken the vicious circle we’ll be in a stronger position to persuade providers to offer support for Pico in parallel with passwords.


Footnotes

1. The project’s website, http://pico.cl.cam.ac.uk/, contains a brief introductory video, the original paper, a FAQ and other resources.

2. According to W3techs statistics (http://w3techs.com/technologies/overview/content_management/all/), as of February 2014, Wordpress is the most widely used Content Management System on the web, being used by 21.5 % of all websites and by 60.0 % of all websites that use a content management system.

3. Delegation is a process whereby a principal authorises an agent to act on its behalf by transferring a set of rights.

4. The session delegation protocol used by Pico is described in further detail in our other paper “I bought a new security token and all I got was this lousy phish—Relay attacks on visual code authentication schemes”, also in these proceedings.

5. To perform Pico authentication with a Pico-enabled website, the Pico Lens, which rewrites legacy login pages to add a QR code to them, is clearly not required; however, some Pico browser add-on is still needed for receiving session delegation tokens from the Pico device.

6. The Pico Lens at this stage has no idea that this is going to be a first-time pairing rather than a regular login, so it behaves exactly as in the previous case.

7. We call “password manager” a piece of software that records username-password pairs on behalf of the user and supplies them to verifiers as appropriate, saving the user from having to remember and retype them. A password manager may be a standalone program or it may be integrated in a web browser. Password managers may store their database locally or in the cloud, and in cleartext or in encrypted form. The latter case provides greater security but requires entering a master password.

8. The pairing code is currently unencrypted. If the visual code is observed during the account pairing, the attacker gains the user’s password for that website.

9. Bearing in mind scenarios in which one Lens serves several Pico devices, as when several family members use the shared tablet in the living room.

10. It would be nice if websites published their password policy in a uniform machine-readable form; and even nicer if they imposed no upper bounds on making passwords arbitrarily long and complicated. As argued by Bonneau and Preibusch [4], websites that impose such limits probably do so because they are not hashing their passwords.

11. A risk that is greatly reduced with Pico, which is a dedicated device not intended to run other software.

12. As of January 2014, Chrome holds 55.7 % market share, with Firefox a distant second at 26.9 %, according to W3schools statistics (http://www.w3schools.com/browsers/browsers_stats.asp).

13. See footnote 2.
 
References

3. Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP ’12, pp. 553–567. IEEE Computer Society, Washington (2012). http://dx.doi.org/10.1109/SP.2012.44

4. Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: WEIS 2010 (2010)

5. Brands, S., Chaum, D.: Distance bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994)

6.

7. ISO: Information technology–automatic identification and data capture techniques–QR Code 2005 bar code symbology specification. ISO 18004:2006, International Organization for Standardization, Geneva, Switzerland (2006)

8. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003)

11. Stajano, F.: Pico: no more passwords! In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011)
Metadata

Title: Bootstrapping Adoption of the Pico Password Replacement System

Authors: Frank Stajano, Graeme Jenkinson, Jeunese Payne, Max Spencer, Quentin Stafford-Fraser, Chris Warrington

Copyright year: 2014

DOI: https://doi.org/10.1007/978-3-319-12400-1_17