Training Johnny to Authenticate (Safely)

Amir Herzberg; Ronen Margulies

doi:10.1109/MSP.2011.129

Security&Privacy
2012
Issue No. 1 - January/February
Abstract - Training Johnny to Authenticate (Safely)

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Amir Herzberg Articles by Ronen Margulies

Training Johnny to Authenticate (Safely)

January/February 2012 (vol. 10 no. 1)

pp. 37-45

	ASCII Text	x
	Amir Herzberg, Ronen Margulies, "Training Johnny to Authenticate (Safely)," IEEE Security & Privacy, vol. 10, no. 1, pp. 37-45, January/February, 2012.

	BibTex	x
	@article{ 10.1109/MSP.2011.129, author = {Amir Herzberg and Ronen Margulies}, title = {Training Johnny to Authenticate (Safely)}, journal ={IEEE Security & Privacy}, volume = {10}, number = {1}, issn = {1540-7993}, year = {2012}, pages = {37-45}, doi = {http://doi.ieeecomputersociety.org/10.1109/MSP.2011.129}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - MGZN JO - IEEE Security & Privacy TI - Training Johnny to Authenticate (Safely) IS - 1 SN - 1540-7993 SP37 EP45 EPD - 37-45 A1 - Amir Herzberg, A1 - Ronen Margulies, PY - 2012 KW - phishing KW - training KW - human factors KW - long-term user study KW - forcing functions KW - fallback authentication KW - password reset KW - graphical passwords KW - memorability VL - 10 JA - IEEE Security & Privacy ER -

Amir Herzberg, Bar-Ilan University

Ronen Margulies, Bar-Ilan University

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.129

The authors present the results of a long-term user study of site-based login mechanisms that train users to log in safely. Interactive site-identifying images received 70 percent detection rates, which is significantly better than the 20 percent received by the typical login ceremony. They also found that combining login bookmarks with interactive images and nonworking buttons or links (called negative training functions) achieved the best detection rates (82 percent) and overall resistance rates (93 percent). Because interactive custom images provide effective user training against phishing, the authors extended its authentication usages. The authors present an adaptive authentication mechanism based on recognition of multiple custom images, which can be used for different Web and mobile authentication scenarios. The mechanism relies on memorization of the custom images on each primary login, adaptively increasing the authentication difficulty on detection of impersonation attacks, and recognizing all images for fallback authentication.

1. C. Karlof, J.D. Tygar, and D. Wagner, "Conditioned-Safe Ceremonies and a User Study of an Application to Web Authentication," Proc. 5th Symp. Usable Privacy and Security (SOUPS 09), ACM, 2009.
2. R. Dhamija, J.D. Tygar, and M. Hearst, "Why Phishing Works," Proc. SIGCHI Conf. Human Factors in Computing Systems, ACM, 2006, pp. 581–590.
3. A. Herzberg and A. Jbara, "Security and Identification Indicators for Browsers against Spoofing and Phishing Attacks," ACM Trans. Internet Technology, vol. 8, no. 4, art. 16, 2008; http://doi.acm.org/10.11451391949.1391950 .
4. M. Wu, R.C. Miller, and S.L. Garfinkel, "Do Security Toolbars Actually Prevent Phishing Attacks?," Proc. SIGCHI Conf. Human Factors in Computing Systems (CHI 06), ACM, 2006, pp. 601–610.
5. A. Herzberg, "Why Johnny Can't Surf (Safely)? Attacks and Defenses for Web Users," Computers & Security, vol. 28, nos. 1–2, 2009, pp. 63–71.
6. S. Schechter et al., "The Emperor's New Security Indicators," Proc. 2007 IEEE Symp. Security and Privacy (SP 07), IEEE CS, 2007, pp. 51–65.
7. K.P. Yee and K. Sitaker, "Passpet: Convenient Password Management and Phishing Protection," Proc. 2nd Symp. Usable Privacy and Security, ACM, 2006, pp. 32–43.
8. B. Adida, "BeamAuth: Two-Factor Web Authentication with a Bookmark," Proc. 14th ACM Conf. Computer and Comm. Security (CSS 07), ACM, 2007, pp. 48–57.
9. S. Schechter, A.J.B. Brush, and S. Egelman, "It's No Secret. Measuring the Security and Reliability of Authentication via 'Secret' Questions," Proc. 2009 IEEE Symp. Security and Privacy (SP 09), IEEE CS, 2009, pp. 375–390.
10. R. Dhamija and A. Perrig, "Déjà Vu: A User Study Using Images for Authentication," Proc. 9th Conf. Usenix Security Symp., vol. 9, Usenix, 2000, p. 4.
11. M. Jakobsson, L. Yang, and S. Wetzel, "Quantifying the Security of Preference-Based Authentication," Proc. 4th ACM Workshop on Digital Identity Management (DIM 08), ACM, 2008, pp. 61–70.
12. A. Sotirakopoulos, K. Hawkey, and K. Beznosov, "I Did It Because I Trusted You: Challenges with the Study Environment Biasing Participant Behaviours," SOUPS User Workshop, ACM, 2010; http://cups.cs.cmu.edu/soups/2010/user_papers Sotirakopoulos_environment_biasing_participants_USER2010.pdf .
13. R. Margulies, "Usable and Phishing-Resistant Authentication Mechanisms," master's thesis, Computer Science Dept., Bar-Ilan Univ., 2011.
14. M. Boyle et al., "Toward Gait-Based Smartphone User Identification," Proc. 9th Ann. Int'l Conf. Mobile Systems, Applications, and Services, ACM, 2011, pp. 395–396.

Index Terms:

phishing, training, human factors, long-term user study, forcing functions, fallback authentication, password reset, graphical passwords, memorability

Citation:

Amir Herzberg, Ronen Margulies, "Training Johnny to Authenticate (Safely)," IEEE Security & Privacy, vol. 10, no. 1, pp. 37-45, Jan.-Feb. 2012, doi:10.1109/MSP.2011.129

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.