How many times a day do you enter passwords in different places and multiple times in the same place?
[I enter passwords about 10-20 times a day — to log onto my desktop, read emails, keep up with friends on social networks, buy books online, do my online banking, unlock my mobile phone, VNC or SSH into my Linux machine, VPN into my company network from home, get some cash back at the grocery store, and so on.]
What’s wrong with passwords?
First, what’s right with them: they’re the most widely used method for authenticating users to computer systems and protecting our information.
But here’s what’s wrong with them:
They’re difficult to remember. We’re told to use different passwords at different sites, which of course makes it even more difficult to remember them. Forgot your password? You probably tried multiple combinations, gave up on your recollections, hunted through an email folder, waited for a reset message, or worse: had to call customer service and wait on hold. Some people give up and just create a new account — but that doesn’t work for everything, and just adds to the problem.
They’re inconvenient. We’re instructed to use complex passwords with long strings of inconveniently mixed characters to harden against dictionary attacks. But on mobile phones, it’s way too easy to mistype letters with “fat fingers”, and too irritating to combine upper/lower case and different characters. Based on our survey of 50 iPhone, BlackBerry, and gPhone users, we found that over half mistype passwords at least 1 out of every 10 times. Users find password entry on mobile devices more annoying than lack of coverage, small screen size, or poor voice quality. [you can get our paper here]
They’re not used, or are used poorly. Many people use the same passwords everywhere, too-easy passwords, shared group passwords, or insecure password managers. Some just throw up their hands and disable passwords altogether.
They’re not always secure. One problem is the limited security of common password reset questions. For example, your mother’s maiden name, the name of your high school, and the make of your first car are not hard to find. [See how Sarah Palin’s email account got hacked.] Password reset questions are also commonly reused at different websites — what happens when one of these sites gets hacked? Another problem is that phishers can send you emails or IMs with a fraudulent link disguised to look like a message from a trusted source like a bank. When you click on the link, you’re directed to a page that looks identical to the trusted source’s webpage — but when you enter your password, you’re giving it away to the attacker.
Reducing the password burden by enabling our habits to authenticate us
How can we “authenticate” users without bothering them or interfering with their daily routines? In reality, many things authenticate us: something we know (answers to questions); something we have (a secure ID token); or something we are (biometrics such as fingerprints, voice). But something often overlooked is our implicit habits or routines.
Here are some example routines, all of which can be detected by my mobile phone:
- commutes — I usually drive from Sunnyvale to Palo Alto around 9:30am every day
- eating habits — I usually eat dinner in downtown Mountain View
- extracurricular activities — I go to the gym every other day, and table tennis almost every Wednesday evening
- phone calls — I call my boyfriend about 3 times a day
- online sites — I browse Flickr, Google News, Wikipedia, and Mitbbs every day, and occasionally visit Yelp, imdb, Amazon, Tudou, and ITTF (table tennis again)
How can these scenarios be used to “implicitly authenticate” me?
To replace passwords. For example, after a 10-minute lunchtime call to my boyfriend, I go to a talk and decide to browse my emails while waiting for the speaker to begin. Because these events match my established pattern, it’s probably okay to let me read my emails without requiring a password.
To provide double verification. I’m much more paranoid about the security of my online finances, so for these websites implicit authentication can be used as a secondary factor to augment password-based authentication. The bank can more easily detect something suspicious if someone steals my password.
To detect fraud early. While my mobile phone detects that I’ve been sitting in a meeting at my company for the past hour — which is confirmed by my phone calendar — someone is using my credit card to purchase a $2000 TV at an electronics store 15 miles away from me. So the credit card company can detect something odd, and flag or deny the transaction up front.
Making implicit authentication possible
The ubiquity of smart phones and PDAs provides an excellent opportunity for realizing implicit authentication, especially since these mobile internet devices provide rich sources of input (see examples, right). All of these inputs define our habits, and can be used to authenticate us.
Our proposed solution: (1) have your mobile phone collect these events; (2) upload them to a remote authentication server which records your past behavior, learns your habits, and computes your real-time authentication score; and (3) send the authentication score to a party that demands it. When you log onto your banking site, the bank can request the score from the authentication server for higher assurance. [Alternatively, all of the above can also be handled on the device itself, but there are resource constraints and security risks to consider.]
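As an added example (not PARC’s code or the system described above), here is a toy version of the server side of steps (1)–(3) together with the three uses listed earlier: it learns location-by-hour and call-contact habits from constructed phone events, computes a real-time score for a batch of recent events, and lets a relying party turn that score into allow / require-password / deny. The event format, the Laplace smoothing and the thresholds are my assumptions.

```python
"""Toy implicit-authentication server: learn a user's habits from phone events and
score how well recent events match them (hypothetical design, not PARC's system)."""
from collections import Counter, defaultdict
import math

UNINFORMATIVE = 0.5  # likelihood for a context (e.g. an hour) the model has no history for

class HabitModel:
    """Events are (kind, hour_of_day, value): "loc" = phone location at that hour,
    "call" = contact called. Laplace smoothing keeps one novel event from zeroing the score."""
    def __init__(self, smoothing=1.0):
        self.loc_by_hour = defaultdict(Counter)  # hour -> Counter of locations seen
        self.calls = Counter()                   # contact -> number of calls
        self.smoothing = smoothing

    def learn(self, events):
        for kind, hour, value in events:
            if kind == "loc":
                self.loc_by_hour[hour][value] += 1
            elif kind == "call":
                self.calls[value] += 1

    def _likelihood(self, counter, value):
        total = sum(counter.values())
        if total == 0:
            return UNINFORMATIVE
        # an extra "never seen" bucket shares the smoothing mass with the known values
        return (counter[value] + self.smoothing) / (total + self.smoothing * (len(counter) + 1))

    def score(self, recent):
        """Real-time authentication score in [0, 1]: geometric mean of event likelihoods."""
        if not recent:
            return 0.0  # no evidence must not pass as matching evidence
        logs = [math.log(self._likelihood(self.loc_by_hour[h] if k == "loc" else self.calls, v))
                for k, h, v in recent]
        return math.exp(sum(logs) / len(logs))

def decide(score, allow_at=0.8, step_up_at=0.4):
    """Relying-party policy: skip the password, demand it as a second factor, or deny and flag."""
    if score >= allow_at:
        return "allow"
    return "require_password" if score >= step_up_at else "deny"

def build_history(days=20):
    """Constructed sample history: commute at 9, dinner at 19, ~3 calls a day to partner."""
    events = []
    for _ in range(days):
        events += [("loc", 9, "Palo Alto"), ("loc", 19, "Mountain View")]
        events += [("call", 12, "partner")] * 3
    return events + [("call", 18, "mom")] * 10
```

A habitual morning (usual commute location, usual call) scores about 0.89 and is allowed, a wholly unfamiliar one scores about 0.02 and is denied, and an event at an hour with no history is treated as uninformative and falls back to asking for the password.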
How you can help
With most of the things our security team works on, we try to ground and refine our assumptions with actual user data. You can help.