A User Experience for Strong Authentication in the Consumer Space

This is the last post of a four-part series on cryptographic authentication. Links to earlier posts can be found at the end of this post.

A few months ago I was talking with a business woman about technology topics. As I was trying to explain the concept of cryptographic authentication with a key pair, she asked: what if the attacker steals the computer?

She then told me that a boyfriend had once stolen her computer and used it to launch a devastating attack against her life, which it took her months to recover from, by impersonating her on the internet. We did not discuss the details of the attack, but it is easy to imagine how it may have been carried out. He may have screen-unlocked her computer using her PIN, which she may have given to him before they became estranged, or he may have obtained the PIN through shoulder surfing. Her browser may have saved all her passwords and supplied them as he logged in to her financial and social media accounts with the stolen computer. He may also have been able to extract the passwords from the browser and transfer them to his own computer, using the same PIN to authenticate to the browser.

As I remembered this story I realized that I had missed this attack as I listed attacks relevant to the consumer space in part 2 of the series. I did list theft of the computer by a determined attacker who plans ahead and mounts a prior attack to get the PIN. But this attack is different because the attacker has to make little or no effort to get the PIN if he lives in the same house or apartment as the victim or visits often. It is also a different kind of attack, because the the goal of the attacker is to inflict pain rather than to obtain information or material gain. Together with cyberstalking and other forms of digital abuse against women, the attack belongs in a category that deserves special efforts to protect against. Yet FIDO2 and WebAuthn provide no defense against it, since no password is used, and only a PIN is required to unlock a credential.

A password-centric user experience

Remembering the story also made me rethink the user experience that I was going the propose in this blog post for the strong authentication method that I specified in the previous post (part 3).

Continue reading “A User Experience for Strong Authentication in the Consumer Space”

New Conference to Address the Human Aspects of Cybersecurity and Cryptography

Human factors are an essential aspect of cybersecurity. Take for example credit card payments on the web. A protocol for reducing fraud by authenticating the cardholder, 3-D Secure, was introduced by VISA in 1999 and adopted by other payment networks, but has seen limited deployment because of poor usability. Now 3-D Secure 2.0 attempts to reduce friction by asking the merchant to share privacy-sensitive customer information with the bank and giving up on cardholder authentication for transactions deemed low-risk based on that data. A protocol with better usability would provide better security without impinging on cardholder privacy.

But human factors are not limited to the usability of cybersecurity defenses. In biometric authentication, human factors are the very essence of the defense. Human factors are also of the essence in cybersecurity attacks such as phishing and social engineering attacks, and play a role in enabling or spreading attacks that exploit technical vulnerabilities.

The 1st International Conference on HCI for Cybersecurity, Privacy and Trust (HCI-CPT) recognizes the multifaceted role played by human factors in cybersecurity, and intends to promote research that views Human-Computer Interaction (HCI) as “a fundamental pillar for designing more secure systems”. A call for participation can be found here.

Continue reading “New Conference to Address the Human Aspects of Cybersecurity and Cryptography”