Issue No.01 - January/February (2012 vol.10)
pp: 37-45
Amir Herzberg , Bar-Ilan University
Ronen Margulies , Bar-Ilan University
The authors present the results of a long-term user study of site-based login mechanisms that train users to log in safely. Interactive site-identifying images achieved a 70 percent phishing-detection rate, significantly better than the 20 percent achieved by the typical login ceremony. They also found that combining login bookmarks with interactive images and nonworking buttons or links (called negative training functions) achieved the best detection rate (82 percent) and overall resistance rate (93 percent). Because interactive custom images proved an effective way to train users against phishing, the authors also extended their use for authentication: they present an adaptive authentication mechanism based on recognition of multiple custom images, applicable to a range of Web and mobile authentication scenarios. The mechanism relies on the user memorizing the custom images through each primary login, adaptively increases the authentication difficulty when impersonation attacks are detected, and requires recognition of all images for fallback authentication.
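The following is an added, illustrative sketch of the adaptive multi-image login described in the abstract; it is not the authors' implementation and makes assumptions the abstract does not state: that a correct password paired with a failed image selection is taken as the impersonation signal that raises difficulty, that each required custom image is hidden among three decoys (`DECOYS_PER_IMAGE`), and that the image pool, user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass, field

# Constructed image pool: stand-in identifiers for the server's stock of images.
IMAGE_POOL = [f"img{i:02d}" for i in range(40)]


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    custom_images: list          # the user's secret image set, chosen at enrolment
    difficulty: int = 1          # custom images the user must pick on the next login
    pending: dict = field(default_factory=dict)   # the challenge currently outstanding


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ImageAuthServer:
    DECOYS_PER_IMAGE = 3   # assumption: each required image is mixed with 3 decoys

    def __init__(self, rng=None):
        self.users = {}
        self.rng = rng or random.SystemRandom()

    def register(self, username, password, custom_images):
        salt = os.urandom(16)
        self.users[username] = UserRecord(salt, _hash_pw(password, salt), list(custom_images))

    def _challenge(self, u, k):
        # Pick k of the user's own images and bury them among decoys the user never chose.
        required = self.rng.sample(u.custom_images, k)
        pool = [i for i in IMAGE_POOL if i not in u.custom_images]
        grid = required + self.rng.sample(pool, k * self.DECOYS_PER_IMAGE)
        self.rng.shuffle(grid)
        u.pending = {"required": frozenset(required), "grid": grid}
        return grid

    def start_login(self, username):
        # Primary login: difficulty images must be recognized (re-memorization on each login).
        u = self.users[username]
        return self._challenge(u, u.difficulty)

    def start_fallback(self, username):
        # Fallback (e.g. password reset): every custom image must be recognized.
        u = self.users[username]
        return self._challenge(u, len(u.custom_images))

    def _images_ok(self, u, selected):
        pend, u.pending = u.pending, {}      # a challenge can be answered only once
        if not pend:
            return False
        return frozenset(selected) == pend["required"]

    def verify_login(self, username, password, selected):
        u = self.users[username]
        pw_ok = hmac.compare_digest(_hash_pw(password, u.salt), u.pw_hash)
        img_ok = self._images_ok(u, selected)
        if pw_ok and img_ok:
            u.difficulty = 1                 # genuine user: relax back to the base level
            return True
        if pw_ok and not img_ok:
            # Assumed impersonation signal: a phished password without the images.
            # The next login demands more custom images, up to the whole set.
            u.difficulty = min(u.difficulty + 1, len(u.custom_images))
        return False

    def verify_fallback(self, username, selected):
        u = self.users[username]
        return self._images_ok(u, selected)
```

The escalation only tightens the image step, so a phisher who captured the password still has to guess the user's images from a grid that grows with each failed attempt, while a genuine user who passes once drops back to the base difficulty.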
phishing, training, human factors, long-term user study, forcing functions, fallback authentication, password reset, graphical passwords, memorability
Amir Herzberg, Ronen Margulies, "Training Johnny to Authenticate (Safely)", IEEE Security & Privacy, vol.10, no. 1, pp. 37-45, January/February 2012, doi:10.1109/MSP.2011.129