Use Your Illusion: Secure Authentication Usable Anywhere

Eiji Hayashi, Nicolas Christin, Rachna Dhamija, Adrian Perrig

Carnegie Mellon CyLab Japan

Key Concept: Distortion

You can recognize a baby now because you know the original picture

[Figure: Distorted Picture | Original Picture]

Use Your Illusion

Graphical Authentication

• Passfaces
• Pass Points
• DAS (Draw-A-Secret)
• Déjà vu

Passfaces

• Faces are used as a graphical portfolio

• Preference could be a limitation

Cited from “On User Choice in Graphical Password Schemes”, Darren Davis et al., 2004

Pass Points

• Use “a sequence of clicks” as a shared secret

• There are hot spots

Cited from “Authentication Using Graphical Passwords: Basic Results”, Susan Wiedenbeck et al., 2004

Most Straightforward Way

• Choose graphical portfolio from a set of pictures

Graphical Portfolio

• If a user can choose whatever graphical portfolio…

• If the system assigns the portfolio randomly…

Fundamental Tradeoff

[Figure: Security vs. Memorability]

“Use Your Illusion”

1. Allow users to take/choose pictures by themselves
2. Distort the pictures
3. Assign the distorted pictures as graphical portfolio

“Use Your Illusion”

1. Allow users to take/choose pictures by themselves
2. Distort the pictures
3. Assign the distorted pictures as graphical token

[Figure: Security vs. Memorability]

Requirements for Distortion

• One-way

• Discarding precise shapes and colors

• Preserving rough shapes and colors

Oil Painting Filter

• Choose the RGB values that appear most frequently in a neighborhood

[Figure: histogram of pixel values in a neighborhood (x axis 0–250, y axis 0–60)]

Oil Painting Filter

Distortion Level

• If high, difficult to guess but difficult to memorize

• If low, easy to memorize but easy to guess

Distortion Level

• Two parameters affect distortion level

– If too high, not usable

– If too low, not secure
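As an added worked example (not code from the slides or from the Use Your Illusion prototype), a pure-Python oil-painting filter of the kind the Oil Painting Filter slide describes, applied to a constructed 8x8 sample image. It serves step 2 of the “Use Your Illusion” procedure as well as this Distortion Level slide: the neighbourhood radius and the number of intensity levels are assumed here to be the two distortion parameters, since the slides do not name them. The checks in `demo()` exercise the three distortion requirements: a single off-colour pixel is erased (precise colour discarded), the corners of a square erode while the blob survives (rough shape preserved), and the filtered output is identical whether or not the detail was present (one-way).

```python
# Added example: oil-painting (mode) filter in pure Python, applied to a
# constructed sample image. Not code from the slides or the prototype.
from collections import defaultdict

def intensity(px):
    """Mean of the three channels; used only to pick an intensity bucket."""
    return sum(px) // 3

def oil_paint(image, radius=1, levels=4):
    """Distort `image` (list of rows of (r, g, b) tuples, values 0..255).

    For every pixel, the pixels of its (2*radius+1)-square neighbourhood are
    bucketed by quantised intensity (`levels` buckets) and the mean colour of
    the most populated bucket is output. radius and levels are assumed to be
    the two distortion-level parameters; the slides do not name them."""
    height = len(image)
    width = len(image[0]) if height else 0
    out = []
    for y in range(height):
        row = []
        for x in range(width):
            buckets = defaultdict(lambda: [0, 0, 0, 0])  # count, sum r, g, b
            for ny in range(max(0, y - radius), min(height, y + radius + 1)):
                for nx in range(max(0, x - radius), min(width, x + radius + 1)):
                    px = image[ny][nx]
                    acc = buckets[intensity(px) * levels // 256]
                    acc[0] += 1
                    acc[1] += px[0]
                    acc[2] += px[1]
                    acc[3] += px[2]
            count, sr, sg, sb = max(buckets.values(), key=lambda a: a[0])
            row.append((sr // count, sg // count, sb // count))
        out.append(row)
    return out

def distinct_colours(image):
    return len({px for row in image for px in row})

def changed_pixels(a, b):
    """Number of positions at which two same-sized images differ."""
    return sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))

# Constructed 8x8 sample: dark background, a light 4x4 square, and one red
# pixel inside the square standing in for a precise, identifying detail.
BG, SQ, DETAIL = (20, 20, 20), (200, 200, 200), (255, 0, 0)

def make_sample(with_detail=True):
    img = [[SQ if 2 <= y <= 5 and 2 <= x <= 5 else BG for x in range(8)]
           for y in range(8)]
    if with_detail:
        img[3][3] = DETAIL
    return img

def demo():
    """Check the three distortion requirements on the sample image."""
    original = make_sample()
    low = oil_paint(original, radius=1, levels=4)
    high = oil_paint(original, radius=2, levels=4)
    return {
        # precise colour discarded: the red pixel is gone
        "detail_removed": low[3][3] == SQ,
        # rough shape preserved: background and square centre survive,
        # but the square's sharp corners are rounded off
        "background_kept": low[0][0] == BG,
        "centre_kept": low[4][4] == SQ,
        "corner_eroded": low[2][2] == BG,
        "colours_before": distinct_colours(original),
        "colours_after": distinct_colours(low),
        # one-way: with or without the detail the output is identical,
        # so the detail cannot be recovered from the distorted picture
        "one_way": low == oil_paint(make_sample(with_detail=False), 1, 4),
        # distortion level: a larger radius changes more pixels
        "changed_low": changed_pixels(original, low),
        "changed_high": changed_pixels(original, high),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the sample, radius 1 changes 5 pixels (the four corners and the detail) while radius 2 changes 13 and shrinks the square to its 2x2 centre, which is the usability side of the tradeoff: the larger the neighbourhood, the less of the rough shape is left to recognize. The one-way property is structural rather than cryptographic: many originals map to the same distorted output, so the output alone does not pin down which picture the user took.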

[Figure: Security vs. Memorability]

Low-Fidelity Test

[Figure: sample pictures ordered from most distorted to least distorted]

Low-Fidelity Test

It’s a dog!!

Difficult to guess w/o knowing original picture

Low-Fidelity Test

Can’t recognize a dog

Easy to recognize w/ knowing original picture

Low-Fidelity Test

Satisfies requirements

Prototype

• Implemented on Nokia’s cell-phone for usability test

• Also implemented on the web

Prototype

Demo

Usability Test

• 45 participants for 1 week

• 54 participants for 4 weeks

1st Usability Test

• 45 participants were divided into 3 groups

– Self-selected, Non-distorted
– Self-selected, Distorted (Use Your Illusion)
– Imposed, Highly-distorted

[Figure: example portfolios for Self-selected, Non-distorted / Self-selected, Distorted / Imposed, Highly-distorted]

Procedure

Date                Task
Before the 1st day  Take 3 pictures
The 1st day         Memorize portfolio; practice; authenticate
2 days after        Authenticate
1 week after        Authenticate; fill out questionnaires

Success Rate

Group                         The 1st day   2 days after   1 week after
Self-selected, Non-distorted  100% (15)     100% (15)      100% (15)
Self-selected, Distorted      100% (15)     100% (15)      100% (15)
Imposed, Highly-distorted     93.3% (14)    73.3% (11)     73.3% (11)

Authentication Time (Mean)

[Figure: mean authentication time per group: Imposed, Highly-distorted; Self-selected, Distorted; Self-selected, Non-distorted]

Process of Memorization

• Participants assign meanings to distorted pictures

• Assigning meanings helps memorization

[Figure: distorted pictures and the meanings participants assigned to them: Mountain, Sea, Moai statue]

2nd Usability Test

• 54 participants were divided into 3 groups

– Self-selected, Non-distorted
– Self-selected, Distorted
– Imposed, Distorted

• Authenticate

– On the 1st day
– 2 days after
– 1 week after
– 4 weeks after

[Figure: example portfolio for Imposed, Distorted]

Success Rate

Group                         The 1st day   2 days after   1 week after   4 weeks after
Self-selected, Non-distorted  100% (18)     100% (18)      100% (18)      100% (18)
Self-selected, Distorted      100% (18)     100% (18)      100% (18)      100% (18)
Imposed, Distorted            100% (18)     89% (16)       94% (17)       89% (16)

Authentication Time (Mean)

[Figure: mean authentication time per group: Imposed, Distorted; Self-selected, Distorted; Self-selected, Non-distorted]

Tolerance against Guessing Attack

• Original pictures are vulnerable

• Distorted pictures are more tolerant

Future Work• Detailed usability test

• Long term test

• Find an optimal distortion

• Investigate a metric evaluating distortion level

Use Your Illusion

• Use distorted pictures as a portfolio
• As memorable as non-distorted pictures
• More memorable than imposed (highly-)distorted pictures
• Fits human memorization process
• More tolerant to guessing attack

Thank you for listening

Prototype is available on http://arima.okoze.net/illusion/
Please try it!