Lecture 3 User Authentication-Passwords, Biometrics and Alternatives
Objectives
▪ This Lecture focuses on User authentication
  ▪ i.e. Humans being authenticated by a computer system.
▪ The main topics of focus are
  ▪ Passwords
  ▪ Hardware-based Tokens
  ▪ Biometric Authentication
▪ It also Covers
  ▪ Password Managers
  ▪ Graphical Passwords
  ▪ CAPTCHAs
Lecture Outline | Progress
▪ Introduction
▪ Password Authentication
▪ Storing Hashes
▪ Defeating Password Authentication
▪ Password Composition Policies
▪ Password Advantages and Disadvantages
▪ Password-Guessing Strategies and Defenses
▪ Online Password Guessing
▪ Offline Password Guessing
▪ Account Recovery Mechanisms
▪ OTP Generators and Hardware Tokens
▪ Methods for OTP Generation
▪ User Authentication
▪ Multiple Factors Authentication
▪ Signals Vs Factors
▪ Biometric Authentication
▪ Password Managers
▪ Graphical Passwords
▪ CAPTCHA
Introduction
Introduction
▪ Confirming an asserted identity may be an end-goal in itself: mere Authentication
▪ It can also be a sub-goal towards the end-goal of Authorization
  ▪ To determine if privilege or access should be granted to the requesting entity.
  ▪ E.g. for the account currently in use, users may be asked to enter a password to authorize installation or upgrading of operating system or application software
Introduction
▪ In contrast, Identification (or Recognition) establishes an identity
from available information without an explicit identity having
been asserted—such as
▪ Picking out known Criminals in a Crowd
▪ Each face in the crowd is checked against a list of database faces for a
potential match
▪ Finding who matches a given Fingerprint
▪ A given fingerprint is tested against a database of fingerprints.
▪ Identification involves a one-to-many test
  ▪ Problem complexity grows with the number of potential candidates.
Password Authentication
Storing Hashes
▪ To verify entered userid-password pairs, the system stores sufficient information in a password file F with one row for each userid.
▪ Storing cleartext passwords pi in F would risk directly exposing all pi if F were stolen;
  ▪ System administrators and others would also directly have all Passwords.
▪ Instead, each row of F stores a pair (userid, hi), where hi = H(pi) is a password hash;
  ▪ H is a publicly known one-way Hash function.
▪ The system computes hi from the user-entered pi to test for a match.
  ▪ This is still subject to Pre-Computed Dictionary Attack
Defeating Password Authentication
Five Approaches
Five Approaches
Five Approaches
3. Password Capture Attacks
▪ An attacker intercepts or directly observes passwords by:
▪ Observing sticky-notes
▪ Shoulder-surfing or video-recording of entry,
▪ Hardware or software keyloggers or other client-side malware,
▪ Server-side interception
▪ Proxy or middle-person attacks
▪ Phishing and other social engineering
▪ Pharming
▪ These attacks are direct attacks on Password Authentication
Five Approaches
Example
Enumerating Password Authentication Attacks
Password Composition Policies
▪ To ease the burden of remembering passwords, some users choose words from common-language dictionaries
  ▪ Subject to Guessing Attacks
▪ Many Platforms impose password composition policies with rules
  ▪ Minimum Lengths
  ▪ LUDS Characters
    ▪ Lowercase
    ▪ Uppercase
    ▪ Digits
    ▪ Special characters
▪ Such Passwords are said to be “stronger” against some Guessing attacks
▪ This “complexity” does not increase protection against Capture Attacks
Disadvantages of Passwords
▪ Security Disadvantages
▪ Online and Offline Guessing Attacks
▪ Password Capture Attacks
▪ Usability Disadvantages
▪ Usability challenges multiply as the number of passwords that users must manage grows from just a few to tens or hundreds.
Usability Disadvantages of Passwords
▪ Users Must
  ▪ Not write their passwords down (“just memorize them”)
  ▪ Follow complex composition policies — LUDS
    ▪ + other arbitrary rules like excluding commas, spaces and semi-colons, while others insist on special characters
  ▪ Not reuse passwords across accounts;
  ▪ Choose a password that is easy to remember but difficult to guess
    ▪ Meaningless for users who do not understand password-guessing attacks
  ▪ Change passwords every 30–90 days
    ▪ If password expiration policies are in use.
Advantages of Passwords
1. Simple, easy to learn, and already understood by all current computer users;
2. Free (requiring no extra hardware at the client or system/server);
3. Require no extra physical device to carry
4. Allow relatively quick login, and password managers may help further
  ▪ For small-keyboard mobile devices, apps commonly store passwords
5. Are easy to change or recover if lost
  ▪ Electronic recovery is typically immediate with no physical travel or delay in shipment
6. Have well-understood failure modes
  ▪ Forgetful users can write down passwords
7. Are easily delegated e.g., to a spouse or friend, or secretary
  ▪ Has security drawback
Password’s De facto Dominance
▪ Passwords remain the Dominant means of Internet user Authentication.
  ▪ No alternative to date
▪ Recall the discussion: Why are they not used in place of Card Transactions on ATMs and POS?
▪ It seems the advantages outweigh the disadvantages
  ▪ Historical position as a default authentication method provides strong inertia.
▪ To displace passwords, a new technology must be not just marginally but substantially better
Password-Guessing Strategies & Defences
Online Password Guessing
Defensive Tactic against Online Guessing
Offline Password Guessing
Defensive Tactics Against Offline Guessing
Defensive Tactics Against Offline Guessing
Example
Password management: NIST SP 800-63B
▪ U.S. Government password guidelines were substantially revised in 2017.
▪ They include:
  ▪ Mandating use of password Denylists to rule out common, highly predictable, or previously compromised passwords;
  ▪ Mandating Rate-limiting to throttle online guessing;
  ▪ Recommending against composition rules, e.g., required combinations of lowercase, uppercase, digits and special characters;
  ▪ Recommending against password expiration, but mandating password change upon evidence of compromise;
  ▪ Mandating secure password storage methods
    ▪ Salt of at least 32 bits, hashing, suitable hash iteration counts,
    ▪ e.g., cost-equivalent to 10,000 iterations for PBKDF2
  ▪ Recommending a further secret-key hash (MAC);
  ▪ Mandating that the key be stored separately (e.g., in a hardware security module/HSM).
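The storage scheme from the Storing Hashes slide, hardened the way this NIST SP 800-63B summary prescribes, as an added example that is not part of the lecture slides: a per-user random salt, PBKDF2 at 10,000 iterations, a further keyed hash (HMAC) whose key is held apart from the password file, a denylist check at enrolment and a constant-time comparison at login. The denylist, the pepper value and the 128-bit salt length are constructed assumptions; in a real deployment the pepper would live in an HSM or separate secret store, not in the source.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a real list of common / previously compromised passwords.
DENYLIST = {"password", "123456", "qwerty", "letmein"}

# Assumed secret key for the MAC step. It is deliberately NOT stored in the
# password file F; the slide mandates keeping it separately (e.g. in an HSM).
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

ITERATIONS = 10_000   # the PBKDF2 cost level cited on the slide
SALT_BYTES = 16       # 128-bit salt, comfortably above the 32-bit minimum


def password_allowed(password: str) -> bool:
    """Denylist check: reject common or previously compromised passwords."""
    return password.lower() in DENYLIST and False or password.lower() not in DENYLIST


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, stored_value) for one row of the password file F.

    stored_value = HMAC-SHA256(PEPPER, PBKDF2-HMAC-SHA256(password, salt, ITERATIONS)).
    The salt is stored next to the value; the pepper never is.  Because the
    salt is random per user, a precomputed dictionary of H(p) is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    keyed = hmac.new(PEPPER, dk, hashlib.sha256).digest()
    return salt, keyed


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Login path: recompute from the entered password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def register(password: str) -> Tuple[bytes, bytes]:
    """Enrolment path: enforce the denylist before anything is stored."""
    if not password_allowed(password):
        raise ValueError("password is on the denylist")
    return hash_password(password)
```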
Account Recovery
▪ Password-based authentication inevitably leads to Forgotten
Passwords
▪ Not all users write them down in a safe place for retrieval
▪ Some means of Password Recovery is essential.
▪ Site (account) authentication passwords are rarely literally
“recovered”
▪ Best practice avoids storing Cleartext Passwords at servers.
▪ Rather, what is typically recovered is access to password-protected
accounts, by some password reset method
Account Recovery Methods
Recovery Passwords and Recovery Links
▪ A common reset method is to send to users, through a Recovery Email address set up during registration,
  ▪ A Temporary Password, or
  ▪ A Web page link that serves as an Authenticator
▪ On following the link or entering the temporary code
  ▪ The user is prompted to immediately create a new password
▪ In this method, registering the new password does not require authorization by entering an existing password
  ▪ This is typically required for changing passwords
  ▪ The temporary access plays that role
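The recovery-link mechanism above, as an added example that is not part of the lecture slides: the server issues a high-entropy token for the emailed link, stores only its hash (so a stolen database does not yield usable links), and accepts it exactly once within a short lifetime; because the token itself is the authenticator, the reset asks for no existing password. The 15-minute lifetime, the in-memory store and the plain-string password field are constructed assumptions (a real server would store the new password as a salted hash, as on the Storing Hashes slide).

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a recovery link


class RecoveryService:
    """Issues single-use, expiring recovery tokens and stores only their hashes."""

    def __init__(self) -> None:
        # userid -> (sha256(token), expiry).  Constructed in-memory stand-in.
        self._pending: Dict[str, Tuple[bytes, float]] = {}
        # userid -> password.  Stand-in only; a real store keeps salted hashes.
        self.passwords: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        # The token carries 256 bits of entropy, so an unsalted hash suffices
        # to make a leaked table useless for forging links.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue_token(self, userid: str, now: Optional[float] = None) -> str:
        """Create the secret embedded in the emailed link.  Returned once, never stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Re-issuing replaces any earlier pending token for the same account.
        self._pending[userid] = (self._digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, userid: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Consume the token and set the new password.

        No existing password is required: the temporary token plays the
        authorization role that the old password plays on a normal change.
        """
        now = time.time() if now is None else now
        entry = self._pending.get(userid)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[userid]          # expired links are purged
            return False
        if not hmac.compare_digest(digest, self._digest(token)):
            return False                       # wrong token; entry stays for the real link
        del self._pending[userid]              # single use
        self.passwords[userid] = new_password
        return True
```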
Loss of Primary Email Password
Question-based Recovery
Drawbacks of Question-based Recovery
▪ Recovery may be long removed in time from when answers are set;
▪ Answers may be non-unique or change over time
  ▪ e.g., favorite movie
▪ Users may Register false answers and forget them
▪ Answers are weak and make statistical guessing attacks easy
▪ Answers are stored as plaintext, not hashed
▪ Any use should be accompanied by additional authenticators,
▪ e.g., a link sent to an email account on record, or a one-time password texted to
a registered mobile phone
One-Time Password Generators and Hardware Tokens
▪ A major security issue with ordinary passwords is their Static Nature.
  ▪ If observed and captured by a passive attacker, simple replay of the password defeats Security
▪ A step forward is One-Time Passwords (OTPs)
  ▪ OTPs are valid for one use only.
▪ A challenge is how to pre-share lists of OTPs between the parties
  ▪ For e-account access, some banks give customers paper lists of passwords to be used once each (then crossed off);
  ▪ The server keeps corresponding records for verification.
▪ Another method is to use One-way Hash Functions to generate sequences of one-time passwords from a Seed
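The hash-chain method named in the last bullet (the Lamport scheme covered later in the outline), as an added example that is not part of the lecture slides: the client keeps seed and chain, the server stores only the chain anchor H^n(seed), each OTP is the preimage of the value the server last accepted, and a captured OTP cannot be replayed because the server has already moved on. SHA-256 as H, a chain length of 5 and the fixed seed in the test are constructed assumptions.

```python
import hashlib
import os
from typing import List, Optional, Tuple


def h(value: bytes) -> bytes:
    """The publicly known one-way hash function H (SHA-256 here)."""
    return hashlib.sha256(value).digest()


def make_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [seed, H(seed), H^2(seed), ..., H^n(seed)].  Only the client holds this."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OTPServer:
    """Stores only the anchor H^n(seed); a stolen server record yields no future OTP."""

    def __init__(self, anchor: bytes, n: int) -> None:
        self.last_accepted = anchor   # initially H^n(seed)
        self.remaining = n            # OTPs left before the chain is exhausted

    def verify(self, otp: bytes) -> bool:
        """Accept otp only if H(otp) equals the value accepted last time."""
        if self.remaining == 0:
            return False              # chain used up: re-enrol with a new seed
        if h(otp) != self.last_accepted:
            return False              # wrong value, or a replayed/earlier OTP
        self.last_accepted = otp      # move down the chain: replay now fails
        self.remaining -= 1
        return True


class OTPClient:
    """Walks the chain backwards: H^(n-1), H^(n-2), ..., seed."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.chain = make_chain(seed, n)
        self.next_index = n - 1

    def next_otp(self) -> Optional[bytes]:
        if self.next_index < 0:
            return None               # exhausted; must re-enrol
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


def enrol(n: int, seed: Optional[bytes] = None) -> Tuple[OTPClient, OTPServer]:
    """Pre-sharing step: client generates the chain, server receives only H^n(seed)."""
    seed = seed if seed is not None else os.urandom(32)
    client = OTPClient(seed, n)
    server = OTPServer(client.chain[n], n)
    return client, server
```

Note that this plain form tolerates no skipped OTPs: if the client burns a value without the server seeing it, the next value presented hashes to the wrong anchor and the pair must re-enrol.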
Methods for OTP Generation
OTPs Received via Text on Mobile
SIM Swap Attack on OTP sent Via SMS
OTPs from Lamport Hash Chains
Passcode Generators
Hardware Tokens
▪ Passcode generators and mobile phones used for user authentication
are instances of “What you have” authentication methods.
▪ This class of methods includes hardware tokens such as
▪ USB keys
▪ Chip-cards (smart cards),
▪ Physical objects intended to securely store secrets and generate digital tokens
(strings) from them in challenge-response authentication protocols
▪ Authenticators
▪ A generic descriptor for a hardware- or software-based means that produces
secret-based strings for authentication
User Authentication
▪ What You Know: things remembered mentally,
  ▪ E.g., passwords, PINs, passphrases.
▪ What You Have uses a computer or hardware token physically possessed (ideally, difficult to replicate),
  ▪ Often holding a Cryptographic Secret; or a device having hard-to-mimic physical properties.
▪ What You Are includes physical biometrics,
  ▪ e.g., fingerprints;
  ▪ Related methods involve Behavioral Biometrics or distinguishing behavioral patterns.
▪ Where You Are requires a means to determine the user’s location
Multiple Factors Authentication
▪ These are user authentication alternatives to passwords.
  ▪ Can either Replace or be used to Augment passwords.
▪ Two methods used in parallel, both of which must Succeed for user authentication
  ▪ Two-Factor Authentication (2FA)
  ▪ Two-Stage authentication
    ▪ If authentication is user-to-device and then device-to-web
▪ Requires that the methods be from two different Categories
  ▪ Different categories are more likely to increase Security
  ▪ a single attack (compromise) should not defeat both Methods
▪ Multi-Factor Authentication is defined similarly.
▪ Additional factors impose cognitive or convenience cost on the User
Example | Selecting Authentication Factors
Signals Vs. Factors
▪ Some systems use “invisible” or “silent” authentication checks behind the scenes
  ▪ These do not require explicit user involvement.
  ▪ Earlier discussed authentication factors require explicit user actions
▪ The broader class of authentication signals also includes implicit means
  ▪ IP-Address Checks of devices previously associated with successful logins;
  ▪ Browser Cookies stored on devices after previously successful authentication
  ▪ Device Fingerprinting
Biometric Authentication
▪ Biometric Authentication methods leverage certain human characteristics unique across large populations.
▪ Physical Biometrics (based on static physiological characteristics)
  ▪ Provide the “what you are” category of authentication;
▪ Behavioral Biometrics (based on behavioral features related to physiology) are part of a “what you do” category.
▪ Geolocation and Phone-call-patterns: Behavioral characteristics independent of human physiology, can be used in non-biometric behavioral authentication
▪ Biometric Modality: set of biometric features used for authentication
Biometric Authentication
▪ Recall: Passwords have well-known Usability and Security disadvantages.
  ▪ Hardware tokens: cost, forgotten, lost or stolen, and inconvenient.
▪ Biometric-based Authentication has strong usability motivation:
  ▪ Nothing to Carry
  ▪ No Cognitive burden (Memory)
  ▪ Ease of Use (a fingerprint Vs typing a password on Mobile)
  ▪ Scalability (the burden does not increase with the number of accounts)
▪ Biometrics have powerful advantages, varying somewhat based on the biometric used.
  ▪ Disadvantage: inappropriate for remote authentication.
▪ Biometrics can be used for Authentication and Identification
Issues with Biometrics
Failure to Enroll and Failure to Capture
▪ Failure to Enroll (FTE)
▪ Refers to how often users are unsuccessful in registering a template.
▪ For example, a non-negligible fraction of people have fingerprints that
commercial devices have trouble reading.
▪ The FTE-rate is a percentage of users, or percentage of enrollment
attempts.
▪ Failure to capture (FTC)
▪ aka Failure To Acquire
▪ Refers to how often a system is unable to acquire a sample of adequate
quality to proceed.
Evaluating Biometrics Using Standard Criteria
▪ Universality: do all users have the characteristic?
▪ Distinguishability: do characteristics differ sufficiently across pairs of users to make benign matches unlikely?
▪ Invariance: are characteristics stable over time (even for behavioral biometrics)?
▪ Ease-of-sampling: how easily are samples obtained and measured?
▪ Accuracy: FTE-rate, FTC-rate
▪ Cost: time (sampling; processing), storage, hardware/software costs.
▪ User acceptance: do users willingly use the system?
▪ Attack-resistance: can the system avoid adversarial false accepts?
Password Managers
▪ Password Managers store and Retrieve passwords
  ▪ To cope with overwhelming numbers of passwords over multiple accounts
  ▪ Including those that auto-fill web site username-password pairs
▪ Instead of remembering many passwords, a user remembers one Master Password.
  ▪ It provides access to the others
▪ A Password Manager may be
  ▪ An operating system utility
    ▪ E.g. macOS Keychain uses the OS login password as master password
  ▪ A Stand-alone Client application
  ▪ A browser built-in feature or Plug-in/add-on
  ▪ A Cloud-based service
Graphical Passwords
▪ Graphical Passwords depend in some way on Pictures or Patterns
  ▪ Aim to ease the burden of too many passwords
▪ A Graphical Password, like regular passwords, is encoded to a string that the system can verify
▪ Human memory is better for pictures
  ▪ Impose a lighter memory burden than text passwords;
  ▪ Security might also be increased as users choose harder-to-guess passwords
  ▪ Improves input usability on touchscreen devices
Classes of Graphical Password Schemes
Pure, Cued & Recognition Schemes
▪ Pure Recall
▪ User reconstructs a pattern starting from a blank sheet.
▪ E.g. Android touchscreen devices commonly use a swipe pattern over a
nine-dot background;
▪ This replaces use of a login PIN or password.
▪ Cued Recall
▪ User is aided by a Graphical Cue.
▪ E.g. the user is presented with a picture and asked to choose five click-
points as their password.
▪ User must later re-enter those points to gain account access.
Classes of Graphical Password Schemes
Pure, Cued & Recognition Schemes
▪ Recognition Schemes
▪ The users must recognize a previously seen image (or set of images).
▪ E.g., a user is presented with four panels sequentially, each with nine faces:
eight distractors and one face familiar to the user (a set of familiars is
selected during registration).
▪ The user must click on a familiar face in each of the four panels.
▪ Other sets of common objects can be used instead of faces, e.g., house
fronts.
▪ Cognitive Psychology research indicates that people are better at
recognizing previously encountered items (Recognition Memory) than
in tasks involving (Pure) recall
CAPTCHAs
▪ Free web services are easy targets for Automated Programs, which might,
  ▪ Try to acquire in bulk free e-mail accounts (e.g., to send spam email)
  ▪ Make bulk postings of spam or malware to online discussion boards.
▪ A Countermeasure
  ▪ Present a task relatively easily done by humans, but difficult for computer programs
  ▪ This distinguishes humans from malicious programs (“robots” or bots).
▪ Many sites began to ask users to type in text corresponding to distorted Character Strings.
  ▪ This is an example of a CAPTCHA or Automated Turing Test
CAPTCHA
▪ CAPTCHA stands for
  ▪ Completely
  ▪ Automated
  ▪ Public
  ▪ Turing test to tell
  ▪ Computers and
  ▪ Humans
  ▪ Apart
▪ These are often based on
  ▪ Character Recognition (CR)
  ▪ Audio Recognition (AUD)
  ▪ Image Recognition (IR)
  ▪ Cognitive Challenges involving puzzles/games (COG)
▪ CAPTCHA or ATT inconveniences Users
  ▪ But makes login guesses more expensive
Example | Google reCAPTCHA
▪ In 2014, the Google reCAPTCHA project replaced CAPTCHAs with
checkboxes for users to click on, labeled “I’m not a robot”.
▪ A human-or-bot decision is then made from analysis of browser-measurable elements
▪ Keyboard and mouse actions, click locations, scrolling, inter-event timings
▪ If such first-level checks are inconclusive, a CR or IR CAPTCHA is then sent.
▪ In 2017 even such checkboxes were removed;
▪ The apparent trend is to replace actions triggered by requesting clicking of a
checkbox by pre-existing measurable human actions or other recognition means
not requiring new explicit user actions
Lecture Outline | Summary
▪ Introduction
▪ Password Authentication
▪ Storing Hashes
▪ Defeating Password Authentication
▪ Password Composition Policies
▪ Password Advantages and Disadvantages
▪ Password-Guessing Strategies and Defenses
▪ Online Password Guessing
▪ Offline Password Guessing
▪ Account Recovery Mechanisms
▪ OTP Generators and Hardware Tokens
▪ Methods for OTP Generation
▪ User Authentication
▪ Multiple Factors Authentication
▪ Signals Vs Factors
▪ Biometric Authentication
▪ Password Managers
▪ Graphical Passwords
▪ CAPTCHA
To Study