On Limitations of Designing Usable Leakage-Resilient Password Systems: Attacks, Principles and Usability
Main Authors: | , , , |
---|---|
Format: | text |
Language: | English |
Published: | Institutional Knowledge at Singapore Management University, 2012 |
Subjects: | |
Online Access: | https://ink.library.smu.edu.sg/sis_research/1435 https://ink.library.smu.edu.sg/context/sis_research/article/2434/viewcontent/NDSS2012YanDeng.pdf |
Institution: | Singapore Management University |
Summary: | The design of leakage-resilient password systems (LRPSes) in the absence of trusted devices remains a challenging problem today despite two decades of intensive research in the security community. In this paper, we investigate the inherent tradeoff between security and usability in designing LRPS. First, we demonstrate that most of the existing LRPS systems are subject to two types of generic attacks - brute force and statistical attacks, whose power has been underestimated in the literature. Second, in order to defend against these two generic attacks, we introduce five design principles that are necessary to achieve leakage resilience in the absence of trusted devices. We also show that these attacks cannot be effectively mitigated without significantly sacrificing the usability of LRPS systems. Third, to better understand the tradeoff between security and usability of LRPS, we propose for the first time a quantitative analysis framework on usability costs of password systems. By decomposing the authentication process of existing LRPS systems into atomic cognitive operations in psychology, we show that a secure LRPS in practical settings always imposes a considerable amount of cognitive workload on its users, which indicates the inherent limitations of such systems and in turn implies that an LRPS has to incorporate certain trusted devices in order to be both secure and usable. |