The use of mobile devices in authentication

The two main problems that make authentication difficult for users have been known for some time and result in a number of coping mechanisms. The first problem is that users need to provide a large number of passwords, leading to password reuse. The second problem is that it is difficult to find passwords and PINS that are both secure and memorable, leading to writing them down. One technical solution to the first problem is to use a password manager, but this gives a large amount of personal information to the organisation providing the password manager, leading to issues of trust. One technical solution to the second problem is to use graphical passwords, but they are less usable because of the long registration process. Mobile devices provide a different environment for authentication, with both advantages and disadvantages. One immediate difference is that these devices are mobile, meaning that authentication can be location based. They usually contain a camera and microphone and some input from these peripherals can also be used in authentication. Another difference is that users typically spend a lot of time with their mobile device, making the registration time for graphical passwords less of a problem, provided it was entertaining enough. Most mobile devices have a touch screen which can also be used to create graphical passwords if necessary. Mobile devices also have drawbacks, mainly that they are easily lost, stolen or accessed by someone else. Also, it is not possible to write a password down on a sticky note and attach it to the screen! Using the memo app or 'fake' contacts is vulnerable to being downloaded. I will talk about work done with Md. Sadek Ferdous on Federated Authentication Systems. We look at ways of giving users control over the attributes that they wish to reveal to the various parties to the system. We also look at aggregating attributes from different providers, creating dynamic federations. This is quite useful for mobile devices where portable personal ID providers can be aware of their context. Whether such systems will actually be adopted depends on the views of the various stakeholders, and I will briefly discuss this issue. I will also talk about work done with Salem Jebriel, Rose English, Hani Aljahdali and Soum Chowdhury on graphical passwords. We have focussed on recognition based graphical passwords, where the user has to recognise the pass-images they provided on registration among other distracter images. They are easier to use than other approaches and so more likely to be adopted. The images can either be created by the user on registration, or selected from a collection provided by the system. Both ways have their advantages and disadvantages. It is possible to quantify how secure each type of system is under a variety of attacks. One attack is to guess which images a person would have created or chosen based on other readily available information about the user. There are interesting effects of culture, gender and the way the distracter images are chosen. If graphical passwords are widely adopted and a federated system not used, then remembering multiple graphical passwords becomes a problem. I will discuss experiments with multiple graphical passwords and how giving pass hints can alleviate the problem.