DOI: 10.1145/3025453.3025991
research-article
Public Access
Honorable Mention

Thumprint: Socially-Inclusive Local Group Authentication Through Shared Secret Knocks

Published: 02 May 2017

ABSTRACT

Small, local groups who share protected resources (e.g., families, work teams, student organizations) have unmet authentication needs. For these groups, existing authentication strategies either create unnecessary social divisions (e.g., biometrics), do not identify individuals (e.g., shared passwords), do not equitably distribute security responsibility (e.g., individual passwords), or make it difficult to share or revoke access (e.g., physical keys). To explore an alternative, we designed Thumprint: inclusive group authentication with a shared secret knock. All group members share one secret knock, but individual expressions of the secret are discernible. We evaluated the usability and security of our concept through two user studies with 30 participants. Our results suggest that (1) individuals who enter the same shared thumprint are distinguishable from one another, (2) that people can enter thumprints consistently over time, and (3) that thumprints are resilient to casual adversaries.



    • Published in

      CHI '17: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems
      May 2017
      7138 pages
      ISBN: 9781450346559
      DOI: 10.1145/3025453

      Copyright © 2017 ACM


      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Acceptance Rates

      CHI '17 Paper Acceptance Rate: 600 of 2,400 submissions, 25%. Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%.
