How to Wear Your Password

Presented at Black Hat USA 2014, Aug. 6, 2014, 11:45 a.m. (25 minutes)

We introduce a new authentication paradigm that achieves both a desirable user experience and a high level of security. We describe and demo an implementation of an identity manager in the guise of a smart bracelet. This bracelet is equipped with a low-power processor, a Bluetooth LE transmitter, an accelerometer, and a clasp that is constructed so that opening and closing it breaks and closes a circuit, thereby allowing automatic detection of when the bracelet is put on and taken off. However, for reasons of cost, design and error avoidance, the bracelet does not have any user interface, nor any biometric sensors: all user interaction is assisted by third-party devices, such as user phones and point-of-sale terminals. Our approach is based on the principle of physically tethering an identity manager to a user (e.g., by closing the clasp), where the identity manager represents its user's interests after an initial user authentication phase, and until the user causes a disassociation by untethering the device (e.g., by opening the clasp). The authentication phase can be based on any type of authentication and, to allow for the greatest possible simplicity of design, is aided by a third-party device, such as the user's cell phone. We describe the physical design, including aspects that protect against violent attacks on users. We also describe the lightweight security protocols needed for pairing, determination of user intent, and credential management, and give examples of usage scenarios, including automated login; simplified online and point-of-sale purchases; assisted appliance personalization; and automated event logging. We then detail the protocols associated with the example usage scenarios, and discuss the security implications of our proposed design.
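The following is an added illustration of the tethering lifecycle the abstract describes; it is not code from the talk or from the presenters' bracelet. It models the three states a defender cares about (untethered, tethered but not yet authenticated, active) and enforces the core invariant: the identity manager only acts for the user while the clasp circuit is closed and an authentication assisted by a third-party device has succeeded, and opening the clasp wipes the session. The session-key derivation, the per-session counter, the shape of the relying-party challenge and the explicit `intent_confirmed` flag are assumptions made for this example, not protocol details from the talk.

```python
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    UNTETHERED = auto()      # clasp open: no user is bound to the device
    TETHERED_UNAUTH = auto() # clasp closed, waiting for phone-assisted authentication
    ACTIVE = auto()          # clasp closed and user authenticated: device represents user


class Bracelet:
    """Model of a UI-less identity manager gated by a clasp circuit (example code)."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key   # long-term per-device secret (constructed)
        self.state = State.UNTETHERED
        self.session_key = None
        self.session_counter = 0
        self.events = []               # stands in for the talk's automated event logging

    def clasp_closed(self):
        # Circuit closes: a new tethering session begins, but nothing is trusted yet.
        self.state = State.TETHERED_UNAUTH
        self.session_key = None
        self.events.append("clasp_closed")

    def clasp_opened(self):
        # Circuit breaks: disassociate from the user and wipe all session state.
        self.state = State.UNTETHERED
        self.session_key = None
        self.events.append("clasp_opened")

    def authenticate(self, phone_assertion_ok: bool) -> bool:
        # A third-party device (the user's phone) runs the actual user authentication
        # and reports the outcome; the bracelet only accepts it while tethered.
        if self.state is not State.TETHERED_UNAUTH or not phone_assertion_ok:
            self.events.append("auth_rejected")
            return False
        self.session_counter += 1
        # Assumed derivation: session key bound to the device key and a fresh counter,
        # so a key from an earlier tethering session is never reused.
        self.session_key = hmac.new(
            self.device_key, b"session|%d" % self.session_counter, hashlib.sha256
        ).digest()
        self.state = State.ACTIVE
        self.events.append("authenticated")
        return True

    def release_credential(self, relying_party: str, challenge: bytes,
                           intent_confirmed: bool):
        # Credential release requires: active session AND a positive intent signal
        # (assumed here to come from the assisting device, e.g. a phone confirmation).
        if self.state is not State.ACTIVE or not intent_confirmed:
            self.events.append("release_denied:" + relying_party)
            return None
        tag = hmac.new(self.session_key,
                       relying_party.encode() + b"|" + challenge,
                       hashlib.sha256).hexdigest()
        self.events.append("release:" + relying_party)
        return tag


def run_scenario() -> dict:
    """Walk through put-on, authenticate, log in, take-off, and attempt reuse."""
    b = Bracelet(device_key=b"constructed-device-key-for-example-only")
    challenge = b"constructed-login-challenge"
    before = b.release_credential("login.example", challenge, True)  # untethered
    b.clasp_closed()
    unauth = b.release_credential("login.example", challenge, True)  # not yet authed
    b.authenticate(phone_assertion_ok=True)
    login = b.release_credential("login.example", challenge, True)   # should succeed
    no_intent = b.release_credential("pos.example", challenge, False)
    b.clasp_opened()
    after = b.release_credential("login.example", challenge, True)   # session wiped
    b.clasp_closed()                                                  # re-worn, no auth
    reworn = b.release_credential("login.example", challenge, True)
    return {"before": before, "unauth": unauth, "login": login,
            "no_intent": no_intent, "after": after, "reworn": reworn,
            "events": b.events, "final_state": b.state}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The point of the model is that the bracelet never holds a usable credential across an untether: taking the device off (or having it taken off) returns it to the same state as a brand-new device until the phone-assisted authentication runs again, which is the property the abstract relies on for the no-UI, no-biometrics design.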

Presenters:

  • Markus Jakobsson - QUALCOMM
    Dr. Markus Jakobsson is a leading voice in advising on advancements in understanding phishing, crimeware, and mobile security. He specializes in research around applied security, ranging from authentication and mobile malware detection to improved user interfaces. Dr. Jakobsson has authored numerous books and more than 100 peer-reviewed conference and journal articles. He holds more than 50 patents and more than 100 pending patents.
