Week 2a

The document discusses various methods for user authentication beyond passwords. It describes master passwords that allow remembering a single password to access multiple accounts. It also discusses single sign-on systems that authenticate a user once to access multiple services. Two-factor authentication uses two methods, such as a password and token, to verify a user's identity. Token-based authentication involves hardware or software tokens for authentication. Biometrics use unique physical traits, but have privacy limitations. The document provides brief overviews of these authentication methods.

Uploaded by Thasleem Reyas

User Authentication III

• Introduction.
• Master passwords and password masters.
• Single sign-on.
• Two-factor authentication.
• Token-based authentication in brief.
• Biometrics in brief.
• Two-channel authentication.
• CAPTCHA.
• We have seen that passwords have problems.
• In particular, the need to securely remember and renew passwords makes good choices of passwords beyond some people and difficult for many.
• When we consider that there are many websites which require passwords, the problem is multiplied.
• Using the same password in multiple places is generally a bad idea. Why?
• There are other mechanisms for authentication.
• We are going to mention some.
• We will first look at using passwords, but in such a way as to alleviate the memory problem.
One password to rule them all!...

• Rather than remember dozens of passwords, and thus choose very simple weak passwords or duplicate passwords, we can use a master password.
• The idea is that you make the master password a good one, apply the appropriate rules like changing it every so often, and never remember any of the others at all.
• Don’t forget this one though!
Hidden random passwords

More: https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins

Certainly you can install apps on mobile devices.
• Single sign-on (SSO) is similarly designed to reduce the volume of authentication information, in other words the number of passwords, that needs to be remembered.
• What is the idea?
  • Sign in once!
  • Access lots of resources across a range of locations.
• How does it work? (Very roughly)
  • Users are registered with multiple entities which share information.
  • Centralised authentication generates behind-the-scenes tokens for passing authentication at other locations without explicit subsequent input by the user.
• A couple of major issues …
  • The single sign-on has to be very well protected.
  • Scalability to work across multiple domains, multiple platforms and with multiple types of application authentication is tricky.
• There is single sign-on for some of the UOW systems now … but not all.
• If you log in to a Google service such as Gmail, you are automatically authenticated to YouTube, AdSense, Google Analytics, and other Google apps.
• This is Microsoft’s single sign-on system: http://login.live.com/
• It is associated with, but not limited to, the Windows Live branding for the Microsoft services and software products.
  • Those are mostly web applications.
• The predecessors to Windows Live ID were Microsoft Passport, Microsoft Wallet …
• The plan was to have it be the single sign-on service for all web commerce.
  • This wasn’t well received.
• Kerberos, which is covered in CSCI368, can be used as a single sign-on system.
• Rather than use one factor, such as a password, we can use multiple factors.
• Generally the different types of authentication have different advantages and disadvantages, which can be combined advantageously, or combined to the detriment of security.
• We will first look at a special case, “two-factor authentication”, which is a name reserved for a special type of pairing, not simply any two factors.
• Rather than rely on a single password, two-factor authentication systems use a password or PIN and a device (card or calculator) which is able to provide one-time type passwords.
• For example, consider that you want to connect to your bank:
  • You might enter the PIN into your device and it gives you a one-time login code.
  • Or, you enter the PIN and the value displayed on the card.
• This involves token-based authentication, which we discuss generally, but briefly, fairly soon.
From Wikipedia

Schneier has some interesting things to say about two-factor authentication:
• It solves the problem of eavesdropping and offline password attacks.
• It doesn’t address the current real problems:
  • Trojan horses.
  • Phishing.
• We will look at both of these later in the subject.
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
• Read https://thedailywtf.com/articles/wishitwas-twofactor-
  • What was the name of your first pet?
  • What is your favourite colour?
  • Where were you born?
• All sorts of problems with this kind of thing.
  • Usually weaker authentication than the password directly.
  • And not two-factor at all!
• This 2-factor authentication system (Chip and PIN) is based on smartcard technology and is the successor to the old “sign the imprint of the card” type mechanism, or “swipe the magnetic stripe”.
• It is in accordance with an EMV (Europay, Mastercard, Visa) standard.
• There are similar systems in many countries, including Australia.
  • In Australia it is now compulsory to use the PIN.
  • As of August 2014, you cannot sign anymore.
• The card contains an embedded microchip which is read by insertion into a chip machine, or a modified swipe-card reader. This checks the card itself.
• Subsequently the customer enters their PIN, and this is compared against that on the card, or they sign, depending on the reader.
• Generally, PIN entry in a supermarket or shop is more exposed than PIN entry at an ATM.
  • This is a significant downside.
• Some attacks:
  • https://www.cl.cam.ac.uk/research/security/banking/relay/
  • http://www.cl.cam.ac.uk/research/security/banking/nopin/
  • http://www.youtube.com/watch?v=JPAX32lgkrw
    • Fools the card into thinking it is signature approved.
• This uses the same EMV smartcards used in the Chip and PIN project.
• This is for remote authentication though.
• It is a specific instance of the two-factor systems described a few slides back.
• Your card can be inserted into a calculator-like device which, when given the correct PIN, generates an appropriate one-time password or similar for some online authentication protocol.
• It could be used to calculate a message authentication code value to provide integrity for the transaction. This requires entering information twice though.
• These are objects that we have for the purpose of user authentication.
• Two widely used types are described in the textbook [SB18]:
  • Memory cards.
  • Smart cards.
• We will look briefly at each.
• Note that generally:
  • Tokens can be lost, and possibly transferred.
  • They are likely inconvenient for logging into a computer.
Memory cards

• Store data.
• Cannot process data.
• Could be used for:
  • Stand-alone physical access, as in a swipe card for room entry.
  • In association with a PIN, as in chip and PIN for a bank card with a magnetic strip.
• In either case, a special reader is needed.
Smart cards

• Store data.
• Can process data; they have an embedded microprocessor.
• Smart cards are smart tokens that look like bank cards.
• The interface for use could be:
  • A keypad/display for human interaction using a PIN or similar.
  • An electronic interface, contactless or not.
• There are three different categories of authentication protocols for smart tokens:
  • Static: the user authenticates to the token, then the token authenticates the user to the computer.
  • Dynamic password generator: generates unique passwords periodically, and must be synchronised with the system to be logged into.
  • Challenge-response: the system gives the device a challenge and it determines the appropriate response, likely as a function of some private cryptographic key.
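The "dynamic password generator" category, worked through as an added example (not from the slides or from [SB18]): the token and the system it logs into share a secret and a clock, the token displays a 6-digit HMAC of the current 30-second step in the HOTP/TOTP style, and the system tolerates one step of clock drift while refusing values it has already accepted. The shared secret, step size and timestamps are constructed for the example.

```python
# Added example: a time-synchronised dynamic password token (shared
# secret + shared clock) and the system-side checker.  Secret and
# timestamps below are constructed, not taken from any real system.
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # how often the token changes its displayed value
DIGITS = 6


def dynamic_password(secret: bytes, unix_time: int) -> str:
    """Token side: value shown for the 30 s step containing unix_time."""
    step = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    # HOTP-style dynamic truncation: the low nibble of the last byte picks
    # which 4 bytes of the MAC become the displayed number.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class TokenChecker:
    """System side: holds the same secret, allows +/- drift_steps of clock
    skew, and never accepts a step at or before the last accepted one."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_step = -1   # replay guard: highest step already consumed

    def verify(self, candidate: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        lo, hi = now_step - self.drift_steps, now_step + self.drift_steps
        for step in range(lo, hi + 1):
            if step <= self.last_step:
                continue    # replayed, or older than a value already used
            expected = dynamic_password(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, candidate):
                self.last_step = step
                return True
        return False
```

Synchronisation is what the drift window buys: a token whose clock runs one step ahead still logs in, but a value captured and presented again, or one far outside the window, is rejected.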
• Figure 3.6 in [SB18] illustrates the typical interaction between a smart card and a reader or computer system.
• Biometrics for authentication should only ever be used as a component of a multi-factor authentication system.
  • Why? They are not private!
• Biometrics are generally used to make attacks by outsiders more difficult, and probably more expensive.
• Biometrics tend to be most reliable where the use is supervised, by a guard perhaps.
• Beware the Jelly Baby trick.
  • https://www.neowin.net/news/jelly-babies-dupe-fingerprint-security/
• Face recognition.
• Handwriting.
• Fingerprints.
  • The most widely used requiring significant technology.
• Iris codes.
  • Probably the best hope for a robust biometric system, although it still has some problems.
• Voice recognition.
• DNA.
• Signature.

Figure 3.8 (below) in [SB18] gives a rough indication of the relative cost and accuracy of these biometric measures.
• A channel is a path through which information can be sent.
• Traditional online authentication is a single-channel process.
• Two-channel authentication, of a client to a server, involves the server using a second channel, perhaps a landline or mobile phone, to send information to the client to give targeted authentication.
  • This is quite widely used by banks.
• On registration with the server the client would need to specify an appropriate alternative channel.
• The security effectively relies on the assumption that the channels are independent.
  • If you use voice over IP and IP then both channels could be compromised together.
• Completely Automated Public Turing Test to Tell Computers and Humans Apart.
• CAPTCHA exploits the human ability to correct distortions in images, and generally perform image recognition, far better than existing automated systems.
• It has uses in authentication and in denial of service.
  • Denial of service is related to authentication and will be discussed later.

Computer algorithms aren’t as good at recognising such distorted words as we are.
• The idea is that only humans can easily read the content of the distorted message.
• There are image and audio versions as well as text ones.
• So, we declare something to be human if it can read one, or often a series of, images.
• For authentication we can embed a challenge to make the response a function of the entity being authenticated.
  • For example, the image could tell you to enter 1452522 into your key calculator and reply with the output.
  • The key calculator is “keyed” to you.
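The challenge-response protocol category from the smart-token slide, and the keyed-calculator CAPTCHA arrangement just described, as one added example (not from the slides): the system issues a fresh 7-digit challenge (shown to the human, who types it into the device), the device answers with a keyed MAC of it under the key shared with that user at enrolment, and the system checks the answer once against the challenge it remembers for that user. The per-user keys and the choice of HMAC-SHA-256 are constructed assumptions.

```python
# Added example: challenge-response with a "keyed calculator".  The keys
# and the MAC construction are constructed for illustration; a real token
# would keep its key inside the card and never expose it.
import hmac
import hashlib
import secrets


def calculator_response(user_key: bytes, challenge: str) -> str:
    """Device side: the 8-digit value a calculator keyed with user_key
    displays when the challenge digits are typed into it."""
    mac = hmac.new(user_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class ChallengeResponseServer:
    """System side.  user_keys maps a user to the key shared at enrolment;
    pending holds the one challenge currently outstanding per user."""

    def __init__(self, user_keys: dict):
        self.user_keys = dict(user_keys)
        self.pending = {}

    def issue_challenge(self, user: str) -> str:
        # Fresh random 7 digits (the slide's "enter 1452522" shape).  Because
        # the challenge is unpredictable, a recorded answer is useless later.
        challenge = f"{secrets.randbelow(10**7):07d}"
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, answer: str) -> bool:
        # The challenge is consumed on the first attempt, right or wrong,
        # so each challenge can only ever be answered once.
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.user_keys:
            return False
        expected = calculator_response(self.user_keys[user], challenge)
        return hmac.compare_digest(expected, answer)
```

The response depends on both the challenge and the user's key, so the same challenge typed into someone else's calculator produces a different answer; that is what makes the device "keyed to you".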
• CAPTCHA can be used as a means to distinguish between live users who want to access a resource, and parties such as spammers using bots to try to overwhelm, or spread messages, without monitoring each connection.
  • Monitoring in the sense of needing a human to make a specified response.
• It can be used to stop posts to blogs, or general websites, effectively stopping resource consumption by malicious entities.

• For example, before uploading a file to somewhere, insist that you enter the words in each of the following:
• Pretty easy for a human, not so easy for a computer.
• Earliest was about 1997.
• Yahoo Mail. About 2000.
• Google Gmail.
• Hotmail.
• Windows Live Mail.
• PayPal.
• The term CAPTCHA started to be used in 2003 and it really took off.
• But …
• See https://www2.computerworld.com.au/article/253015/how_captcha_got_trashed/?pp=2
• Jan 2008: Yahoo Mail. 35% success rate.
  • Yahoo changed their system.
• Feb 2008: 30-35% against Microsoft’s Live Mail.
• Feb 2008: 20% against Google’s Gmail.
• And it went on getting worse for the CAPTCHA systems.
• Considerable care needs to be taken in using such systems now, since CAPTCHA crackers are now freely available.
  • Weak CAPTCHA can be broken using Optical Character Recognition (OCR).
• But it isn’t all gloom and doom …
• http://spamfizzle.com/CAPTCHA.aspx

• http://www.3dcaptcha.net/
  • This seems too easy to me...

• http://graphcomp.com/index.cgi?v=0000s2p5
• http://code.google.com/p/3dcaptcha/
• Have a look at https://captcha.com/
  • You can download free, but restricted, PHP, ASP and ASP.NET versions.
  • They have support for multiple “localizations”.

• http://www.captchasniper.com/
  • They claim excellent success rates for breaking a lot of CAPTCHA implementations - up to 100% in some cases.