1st TIPPI Workshop

Trustworthy Interfaces for Passwords and Personal Information

Speaker: Steven Myers,    School of Informatics, Indiana University at Bloomington

Title: Delayed Password Disclosure

In order to reduce the ability of phishers to launch successful attacks, we suggest that users request authentication from their service providers. In other words, we suggest that the client and service provider engage in mutual authentication. Such authentication is known to be achievable with techniques from public-key cryptography, but the traditional solutions are not appealing due to the historical difficulty users have had in understanding related concepts such as certificates and the notions of public and private keys. Further, when accessed through the web-browser, there ability of the user to trust the supposedly secure interface is severely limited.

We will discuss a protocol for mutual authentication that relies solely on a client being able to remember a password to authenticate him or herself to the service provider, and the ability to recognize ---and not recall, as in the case of a password--- a unique series of images and/or sound corresponding to the appropriate service provider. If the user recognizes the correct sequence of pictures and sounds, then he or she can have considerable trust that they are talking to the correct server, and interfacing with the appropriate authentication software. Alternatively, if the user does not recognize the presented sequence of images or sounds, then the user is likely to be interacting with an inappropriate server.

Steven Myers is an Assistant Professor at the School of Informatics, Indiana University at Bloomington and Adjunct Assistant Professor for the Department of Computer Science at Indiana University at Bloomington. He is also an affiliate of the Centre for Applied Cybersecurity at Indiana University. In industry, he has interned at the Mathematical Research Division of Telcordia Technologies and developed and implemented cryptographic technology for Echoworx Corp., a company that has developed easy to use SMIME compliant e-mail products. He also has two patents pending, and is in the process of filing for a third.

Back to TIPPI workshop page