SlideShare uma empresa Scribd logo

CASA: Context Aware Scalable Authentication, at SOUPS 2013

Transferir como PPT, PDF
Jason Hong
Jason Hong

We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user’s current location) for authentication. We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given passive factors. We also present the results of three user studies evaluating the feasibility and users’ receptiveness of our concept. Our results suggest that location data has good potential as a passive factor, and that users can reduce up to 68% of active authentications when using an implementation of CASA, compared to always using fixed active authentication. Furthermore, our participants, including those who do not using any security mechanisms on their phones, were very positive about CASA and amenable to using it on their phones.

TecnologiaNegócios
1 de 67
CASA: Context-Aware Scalable Authentication Eiji Hayashi, Sauvik Das, Shahriyar Amini Jason Hong, Ian Oakery Human-Computer Interaction Institute Carnegie Mellon University
One Fits All? Devices require the same user authentication regardless of contexts
If Cost Too Much Stop using authentication system
A Few Could Fit All How can we choose security lock system for different situations? Do they provide better security and usability from users’ perspectives?
Context-Aware Scalable Authentication •Authenticate users using active factors and passive factors •Adjust an active factor based on passive factors •Quantitative way to choose an active factor
Prototype
Outline • Underlying Model • Feasibility Analysis (Field Study #1) • Prototype Evaluation (Field Study #2) • Security Analysis • Design Iteration (Field Study #3) • Conclusion
Outline • CASA Framework • Feasibility Analysis (Field Study #1) • Prototype Evaluation (Field Study #2) • Security Analysis • Design Iteration (Field Study #3) • Conclusion
CASA Framework
Combining Multiple Factors
Combining Multiple Factors The probability that a person is a legitimate user given a set of signals
Combining Multiple Factors The probability that a person is NOT a legitimate user given a set of signals
Combining Multiple Factors Weight that balances false positives and false negatives
Combining Multiple Factors Authenticate: A user is more likely to be a legitimate user
Combining Multiple Factors Reject: A user is less likely to be a legitimate user
Naive Bayes Model
Prototype Evaluation (Field Study #2)
Field Study #2 Test system that changes authentication schemes based on location
Choosing an Authentication Scheme Location Active Factor Home ? Workplace PIN Other Places ?
Naive Bayes Model
Compare Confidence Type PIN Be at workplace Type PIN Be at other place
Compare Confidence
Compare Confidence
Compare Confidence Type PIN Be at workplace Type Password Be at other place
Compare Confidence
Chosen Authentication Scheme Location Active Factor Home ? Workplace PIN Other Places Password
Two Conditions Location w/ PIN w/o PIN Home PIN None Workplace PIN None Other Places Password PIN
Screenshots
Field Study #2 • 32 participants • 18 to 40 years old (mean=24) • On their phones • For 2 weeks
Result: # of Activations Condition Home Workplace Other Places w/o PIN None 13.1 (1.4) None 2.5 (0.4) PIN 8.1 (1.1) w/ PIN PIN 24.5 (3.2) PIN 7.1 (1.0) Password 15.7 (2.0)
Result: # of Activations Condition Home Workplace Other Places w/o PIN 65.8% 34.2% w/ PIN 66.8% 33.2%
Result: User Feedback Condition Easy to understand Secure Prefer to use w/o PIN 5 4 3.5 w/ PIN 4 4 3
Quotes P3 said, “I don't normally use a security lock, but I would be much more inclined to use one if it didn't require constant unlocking.”
Quotes P5 said, “I like the system. It’s a great pain to type pin at home, because the nature of the phone, it goes to sleep quickly, then I have to type pin again, which is super annoying.”
Quotes P12 said, “Typing passwords to check text was annoying. I don't think I will use it.”
Appropriate Security Level Location Using PIN No Security Locks Home None Workplace Other Places PIN
Appropriate Security Level Location Using PIN No Security Locks Home PIN Workplace PIN Other Places PIN
Appropriate Security Level Location Using PIN No Security Locks Home PIN None Workplace PIN Other Places PIN
Appropriate Security Level Location Using PIN No Security Locks Home PIN None Workplace PIN None Other Places PIN None
Design Iteration (Field Study #3)
Design Iteration • Appropriate security level • Workplace is not as safe as home
Appropriate Security Level Location Active Factor Home None Workplace Other Places
Appropriate Security Level Location Active Factor Home None Workplace Other Places PIN
Workplace is not safe No Active Factor Be at Home No Active Factor Be at Workplace + +
Workplace is not safe No Active Factor Be at Home Type PIN Be at Workplace + +
Workplace is not safe No Active Factor Be at Home Using Computer Be at Workplace + +No Active Factor +
Active Factor Selection Location Active Factor Home None Workplace when using computers None Workplace when not using computers PIN Others PIN
Notification
Field Study #3 • 18 participants • 21 to 40 years old (mean=26.3) • On their phones and laptops • For 10 to 14 days
Result: At Workplace Grey: Computer not used Black: Computer used
Result: User Feedback Feature Easy to understand Useful Secure Prefer to use Location- based 5 4.5 4 4 Comp- based 4.5 4 3.5 3.5 Notification - 4 - 4
Quote • P17 said, “It is annoying to use security locks all the time, but whereas if I had such a system which requires pin only at unsecure places its usefulness adds more value when compared to the annoyance caused by it. So, I will definitely use it.”
Conclusion • Proposed a Naive Bayes framework to combine multiple factors to adjust active authentication schemes • The framework allowed us to choose active factor in a quantitative way • Field studies indicated that users preferred the proposed system
Backup
Feasibility Analysis (Field Study #1)
Location as a Signal • People have their own mobility patterns • Random people don’t have access to certain places
Field Study #1 • Where do people log in to their phones? • 32 participants • 7 to 140 days PlacePlace Mean Time [%]Mean Time [%] Mean Activation [%]Mean Activation [%] 1 (Home) 38.9 31.9 2 (Workplace) 18.7 28.9 Others 42.4 39.2
Security Analysis
Security Analysis Condition Knowledge about target users Uninformed Informed Technical expertise Novice Uninformed Novice Informed Novice Expert Uninformed Expert Informed Expert
Security Analysis Condition Knowledge about target users Uninformed Informed Technical expertise Novice Uninformed Novice Informed Novice Expert Uninformed Expert Informed Expert Strangers •CASA is as strong as PIN/password
Security Analysis Condition Knowledge about target users Uninformed Informed Technical expertise Novice Uninformed Novice Informed Novice Expert Uninformed Expert Informed Expert Family members, Friends, Co-workers •Trusted people •However, users trust co-workers less
Security Analysis Condition Knowledge about target users Uninformed Informed Technical expertise Novice Uninformed Novice Informed Novice Expert Uninformed Expert Informed Expert Dedicated attackers •Rare, but difficult to prevent •Detection rather than prevention
Adjusting Security Levels
Results: # of Activations Gray: w/ PIN Black: w/o PIN
Compare Confidence
Result: User Feedback Condition Easy to understand Secure Prefer to use w/o PIN 5 4 3.5 w/ PIN 4 4 3 3 4
Compare Confidence

Recomendados

CASA: Context-Aware Scalable Authentication, at SOUPS 2013
CASA: Context-Aware Scalable Authentication, at SOUPS 2013CASA: Context-Aware Scalable Authentication, at SOUPS 2013
CASA: Context-Aware Scalable Authentication, at SOUPS 2013Jason Hong
 
Frequency Based Detection Of Task Switches
Frequency Based Detection Of Task SwitchesFrequency Based Detection Of Task Switches
Frequency Based Detection Of Task Switchesrnair
 
PhD Proposal talk
PhD Proposal talkPhD Proposal talk
PhD Proposal talkRay Buse
 
Sigir15
Sigir15Sigir15
Sigir15Telefonica Research
 
Interactive fault localization leveraging simple user feedback - by Liang Gong
Interactive fault localization leveraging simple user feedback - by Liang GongInteractive fault localization leveraging simple user feedback - by Liang Gong
Interactive fault localization leveraging simple user feedback - by Liang GongLiang Gong
 
(Spring 2013) The Impact of Dirty Fingerprints
(Spring 2013) The Impact of Dirty Fingerprints(Spring 2013) The Impact of Dirty Fingerprints
(Spring 2013) The Impact of Dirty FingerprintsInternational Center for Biometric Research
 
Lie detector
Lie detectorLie detector
Lie detectorankit jha
 
Got Myth? Myths in Software Engineering
Got Myth? Myths in Software EngineeringGot Myth? Myths in Software Engineering
Got Myth? Myths in Software EngineeringThomas Zimmermann
 

Recomendados

CASA: Context-Aware Scalable Authentication, at SOUPS 2013
CASA: Context-Aware Scalable Authentication, at SOUPS 2013CASA: Context-Aware Scalable Authentication, at SOUPS 2013
CASA: Context-Aware Scalable Authentication, at SOUPS 2013Jason Hong
 
Frequency Based Detection Of Task Switches
Frequency Based Detection Of Task SwitchesFrequency Based Detection Of Task Switches
Frequency Based Detection Of Task Switchesrnair
 
PhD Proposal talk
PhD Proposal talkPhD Proposal talk
PhD Proposal talkRay Buse
 
Sigir15
Sigir15Sigir15
Sigir15Telefonica Research
 
Interactive fault localization leveraging simple user feedback - by Liang Gong
Interactive fault localization leveraging simple user feedback - by Liang GongInteractive fault localization leveraging simple user feedback - by Liang Gong
Interactive fault localization leveraging simple user feedback - by Liang GongLiang Gong
 
(Spring 2013) The Impact of Dirty Fingerprints
(Spring 2013) The Impact of Dirty Fingerprints(Spring 2013) The Impact of Dirty Fingerprints
(Spring 2013) The Impact of Dirty FingerprintsInternational Center for Biometric Research
 
Lie detector
Lie detectorLie detector
Lie detectorankit jha
 
Got Myth? Myths in Software Engineering
Got Myth? Myths in Software EngineeringGot Myth? Myths in Software Engineering
Got Myth? Myths in Software EngineeringThomas Zimmermann
 
Laura Bell (SafeStack)
Laura Bell (SafeStack)Laura Bell (SafeStack)
Laura Bell (SafeStack)AgileNZ Conference
 
Analytics for software development
Analytics for software developmentAnalytics for software development
Analytics for software developmentThomas Zimmermann
 
Information Needs for Software Development Analytics
Information Needs for Software Development AnalyticsInformation Needs for Software Development Analytics
Information Needs for Software Development AnalyticsRay Buse
 
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Chamila Wijayarathna
 
From Bugs to Decision Support - Selected Research Highlights
From Bugs to Decision Support - Selected Research HighlightsFrom Bugs to Decision Support - Selected Research Highlights
From Bugs to Decision Support - Selected Research HighlightsMarkus Borg
 
ProspectusPresentationPrinterFriendly
ProspectusPresentationPrinterFriendlyProspectusPresentationPrinterFriendly
ProspectusPresentationPrinterFriendlymartijnetje
 
Secure software design
Secure software designSecure software design
Secure software designAshis Kumar Chanda
 
MSR End of Internship Talk
MSR End of Internship TalkMSR End of Internship Talk
MSR End of Internship TalkRay Buse
 
Celebrating 30 years of ISSRE
Celebrating 30 years of ISSRECelebrating 30 years of ISSRE
Celebrating 30 years of ISSREISSREConf
 
Celebrating 30 years of ISSRE
Celebrating 30 years of ISSRECelebrating 30 years of ISSRE
Celebrating 30 years of ISSREISSREConf
 
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENTA REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENTijseajournal
 
Penetration testing services
Penetration testing servicesPenetration testing services
Penetration testing servicesAlisha Henderson
 
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...You Got Your Engineering in my Data Science - Addressing the Reproducibility ...
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...jonbodner
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingAaron Rinehart
 
Testing Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking StupidTesting Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking StupidSteve Branam
 
Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Matthew Park
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSLostar
 
Launch With Confidence! Integrate UX Research Throughout Development
Launch With Confidence! Integrate UX Research Throughout DevelopmentLaunch With Confidence! Integrate UX Research Throughout Development
Launch With Confidence! Integrate UX Research Throughout DevelopmentJennifer Romano Bergstrom
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Aaron Rinehart
 
Eric Proegler Early Performance Testing from CAST2014
Eric Proegler Early Performance Testing from CAST2014Eric Proegler Early Performance Testing from CAST2014
Eric Proegler Early Performance Testing from CAST2014Eric Proegler
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 

Mais conteúdo relacionado

Mais procurados

Analytics for software development
Analytics for software developmentAnalytics for software development
Analytics for software developmentThomas Zimmermann
 
Information Needs for Software Development Analytics
Information Needs for Software Development AnalyticsInformation Needs for Software Development Analytics
Information Needs for Software Development AnalyticsRay Buse
 
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Chamila Wijayarathna
 
From Bugs to Decision Support - Selected Research Highlights
From Bugs to Decision Support - Selected Research HighlightsFrom Bugs to Decision Support - Selected Research Highlights
From Bugs to Decision Support - Selected Research HighlightsMarkus Borg
 
ProspectusPresentationPrinterFriendly
ProspectusPresentationPrinterFriendlyProspectusPresentationPrinterFriendly
ProspectusPresentationPrinterFriendlymartijnetje
 
MSR End of Internship Talk
MSR End of Internship TalkMSR End of Internship Talk
MSR End of Internship TalkRay Buse
 
Celebrating 30 years of ISSRE
Celebrating 30 years of ISSRECelebrating 30 years of ISSRE
Celebrating 30 years of ISSREISSREConf
 
Celebrating 30 years of ISSRE
Celebrating 30 years of ISSRECelebrating 30 years of ISSRE
Celebrating 30 years of ISSREISSREConf
 
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENTA REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENTijseajournal
 
Penetration testing services
Penetration testing servicesPenetration testing services
Penetration testing servicesAlisha Henderson
 
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...You Got Your Engineering in my Data Science - Addressing the Reproducibility ...
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...jonbodner
 

Mais procurados (13)

Laura Bell (SafeStack)
Laura Bell (SafeStack)Laura Bell (SafeStack)
Laura Bell (SafeStack)
 
Analytics for software development
Analytics for software developmentAnalytics for software development
Analytics for software development
 
Information Needs for Software Development Analytics
Information Needs for Software Development AnalyticsInformation Needs for Software Development Analytics
Information Needs for Software Development Analytics
 
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
 
From Bugs to Decision Support - Selected Research Highlights
From Bugs to Decision Support - Selected Research HighlightsFrom Bugs to Decision Support - Selected Research Highlights
From Bugs to Decision Support - Selected Research Highlights
 
ProspectusPresentationPrinterFriendly
ProspectusPresentationPrinterFriendlyProspectusPresentationPrinterFriendly
ProspectusPresentationPrinterFriendly
 
Secure software design
Secure software designSecure software design
Secure software design
 
MSR End of Internship Talk
MSR End of Internship TalkMSR End of Internship Talk
MSR End of Internship Talk
 
Celebrating 30 years of ISSRE
Celebrating 30 years of ISSRECelebrating 30 years of ISSRE
Celebrating 30 years of ISSRE
 
Celebrating 30 years of ISSRE
Celebrating 30 years of ISSRECelebrating 30 years of ISSRE
Celebrating 30 years of ISSRE
 
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENTA REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT
 
Penetration testing services
Penetration testing servicesPenetration testing services
Penetration testing services
 
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...You Got Your Engineering in my Data Science - Addressing the Reproducibility ...
You Got Your Engineering in my Data Science - Addressing the Reproducibility ...
 

Semelhante a CASA: Context Aware Scalable Authentication, at SOUPS 2013

Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingAaron Rinehart
 
Testing Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking StupidTesting Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking StupidSteve Branam
 
Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Matthew Park
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSLostar
 
Launch With Confidence! Integrate UX Research Throughout Development
Launch With Confidence! Integrate UX Research Throughout DevelopmentLaunch With Confidence! Integrate UX Research Throughout Development
Launch With Confidence! Integrate UX Research Throughout DevelopmentJennifer Romano Bergstrom
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Aaron Rinehart
 
Eric Proegler Early Performance Testing from CAST2014
Eric Proegler Early Performance Testing from CAST2014Eric Proegler Early Performance Testing from CAST2014
Eric Proegler Early Performance Testing from CAST2014Eric Proegler
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 
Solving the 3 Biggest Questions in Continuous Testing
Solving the 3 Biggest Questions in Continuous TestingSolving the 3 Biggest Questions in Continuous Testing
Solving the 3 Biggest Questions in Continuous TestingPerfecto by Perforce
 
Remote usability testing and remote user research for usability
Remote usability testing and remote user research for usabilityRemote usability testing and remote user research for usability
Remote usability testing and remote user research for usabilityUser Vision
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Jason Hong
 
SkillSwap Weekend - Usability Testing
SkillSwap Weekend - Usability TestingSkillSwap Weekend - Usability Testing
SkillSwap Weekend - Usability Testingschaef2493
 
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019Aaron Rinehart
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Security Innovation
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
 

Semelhante a CASA: Context Aware Scalable Authentication, at SOUPS 2013 (20)

Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
 
Testing Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking StupidTesting Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking Stupid
 
Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
 
Launch With Confidence! Integrate UX Research Throughout Development
Launch With Confidence! Integrate UX Research Throughout DevelopmentLaunch With Confidence! Integrate UX Research Throughout Development
Launch With Confidence! Integrate UX Research Throughout Development
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
 
Eric Proegler Early Performance Testing from CAST2014
Eric Proegler Early Performance Testing from CAST2014Eric Proegler Early Performance Testing from CAST2014
Eric Proegler Early Performance Testing from CAST2014
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
Solving the 3 Biggest Questions in Continuous Testing
Solving the 3 Biggest Questions in Continuous TestingSolving the 3 Biggest Questions in Continuous Testing
Solving the 3 Biggest Questions in Continuous Testing
 
Remote usability testing and remote user research for usability
Remote usability testing and remote user research for usabilityRemote usability testing and remote user research for usability
Remote usability testing and remote user research for usability
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
 
Software testing
Software testingSoftware testing
Software testing
 
SkillSwap Weekend - Usability Testing
SkillSwap Weekend - Usability TestingSkillSwap Weekend - Usability Testing
SkillSwap Weekend - Usability Testing
 
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs tools
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
 
PNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture JamPNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture Jam
 

Último

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 

Último (20)

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

CASA: Context Aware Scalable Authentication, at SOUPS 2013

Notas do Editor

  1. Today, devices require the same authentication regardless of the contexts. for instance, when a phone is at user ’ s home and in a foreign country which the user has never been to, the phone always require a PIN to unlock. Because of this, we need to design authentication system to be secure even in the most risky case.
  2. However, if security system costs too much, users simply stop using it. In the case of mobile phones, people stop using security lock. Actually, many existing work reported that about half of the users do not use security lock.
  3. This clearly shows that the concept of one fits all does not work well. Then, a question is, do a few fit all? If we have a few security lock system, do they cover all situations? More specifically, How can we choose security lock system for different situations? Do they provide better security and usability for users? These are questions that we investigated in this work.
  4. So, we propose context-aware scalable authentication In
  5. And we tested the framework through filed studies with two rather simple implementations of the framework
  6. I will come back to this term later in this presentation. Now, we can compare confidence levels given by different sets of signals. The next questions is what signal we should combine ----- Meeting Notes (7/9/13 13:09) ----- explain sign
  7. In the second field study, we developed a authentication system that changes authentication schemes based on users ’ locations. Then, we tested the system using users ’ own phones for two weeks
  8. Now, the question is what authentication schemes we have to use for different locations. For simplicity, we used three locations in our system. Home. workplace ad others. Also, we used three different authentication scheme, None, PIN and password. Finally, we used authentication at workplace as a standard.
  9. Now, we come back to this equation.
  10. We can compare confidence levels from different sets of signals. As an example, let ’ s compare a scenario where a person types correct PIN at workplace and a scenario where a person types correct PIN at other places.
  11. the first terms in these equation denotes the confidence given by typing a correct PIN. These values can be calculated using entropies of PIN. The second term denotes the confidence given by being at certain locations these values were obtain in the first field study.
  12. When we compare these two, the confidence in the second scenario is smaller than the first one. Intuitively, being at other place provide smaller confidence than being at workplace.
  13. So, if we want the confidence level in the second scenario as high as the one in the first scenario, we have to change the authentication scheme. If a person types a correct password at other places,
  14. it can provide higher confidence than the first scenario ----- Meeting Notes (7/9/13 13:09) ----- entropy
  15. by repeating the process, we came up with the two sets of configurations.
  16. by repeating the process, we came up with the two sets of configurations.
  17. ----- Meeting Notes (7/9/13 13:09) ----- comparison between the first study
  18. ----- Meeting Notes (7/9/13 13:09) ----- add take aways
  19. Qualitative feedback? 10
  20. ----- Meeting Notes (7/25/13 07:30) ----- fix
  21. So, if we want the confidence level in the second scenario as high as the one in the first scenario, we have to change the authentication scheme. If a person types a correct password at other places,
  22. So, if we want the confidence level in the second scenario as high as the one in the first scenario, we have to change the authentication scheme. If a person types a correct password at other places,
  23. So, if we want the confidence level in the second scenario as high as the one in the first scenario, we have to change the authentication scheme. If a person types a correct password at other places,
  24. ----- Meeting Notes (7/25/13 00:46) ----- laptop
  25. ----- Meeting Notes (7/9/13 12:34) ----- location identification
  26. We decided to start from a very simple and effective signal. That is location. Because people have their own mobility patterns, and random people don ’ t have access to users ’ home or workplaces. We thought that location can provide strong confidence about a person ’ s identity
  27. We conducted two field study to investigate our idea. In the first study, we investigated how much we could improve the usability of user authentication in our system. The results were very positive. 60% of the time, people log into their phones at home or workplace. ----- Meeting Notes (7/9/13 13:09) ----- definition of other places
  28. We categorized attackers in a 2x2 grid.
  29. \log\frac{P(PIN|u=1)}{P(PIN|u=-1)}+\log\frac{P(W|u=1)}{P(W|u=-1)}\\ \log\frac{P(A|u=1)}{P(A|u=-1)}+\log\frac{P(H|u=1)}{P(H|u=-1)}
  30. \log\frac{P(PIN|u=1)}{P(PIN|u=-1)}+\log\frac{P(W|u=1)}{P(W|u=-1)}\\ \log\frac{P(A|u=1)}{P(A|u=-1)}+\log\frac{P(H|u=1)}{P(H|u=-1)}