Secure and Simplify Mobile Apps™
Stronger Mobile Authentication Made Easy
October 2013
TraitWare
One Market Plaza, Spear Tower, Suite 3600 San Francisco, CA 94105 Tel: 415-293-8224 [email protected]
Table of Contents
Choices for Mobile Authentication: Frustrating or Futile
Introducing PhotoAuth
Building on Earlier Pictographic Models
Protection against Common Security Attacks
Shoulder Surfing
Key Stroke Capture
Server Attacks
Defeating Man-in-the-Middle Attacks
Replicated Devices
Ease of Integration
Choices for Mobile Authentication: Frustrating or Futile
Mobile devices play an increasingly important role both at home and at work. About half of Americans own smartphones,[1] and nearly a third of American adults own tablets.[2] Nearly all organizations (97%) have mobile devices in the workplace.[3] Workers in these organizations are carrying 3.5 devices on average, according to a recent survey by iPass.[4] Juggling a smartphone, a tablet, and a laptop is simply part of a growing number of white-collar and blue-collar jobs. No longer simply tools for telephony and calendaring, mobile devices are now commonly used for accessing business applications; for storing and editing business data, including customer records; for purchasing everything from plane tickets to furniture; and for banking and personal financial management (PFM). Smartphones and tablets have become our constant companions, with us all or nearly all hours of the day,[5] small, sleek repositories of everything from email and contact lists to data so confidential it is covered by industry regulations and data privacy laws.
Not surprisingly, hackers and criminal syndicates see these data-rich devices as prime targets for attack. Android and iOS devices make especially tempting targets. Android devices were targeted in 79% of mobile malware attacks, according to a study by the Department of Homeland Security (DHS) and the FBI.[6] Unlike BlackBerrys and an earlier generation of mobile devices built expressly for business use and therefore restricted in their functionality, iPhones, iPads, and Android phones and tablets were designed primarily for the consumer market. They were built for ease of use rather than robustness of defense. In order not to overwhelm typical users, these devices lack rigorous security features or leave security features turned off by default.
Exacerbating the security vulnerabilities of mobile devices, most smartphone users ignore even rudimentary protections like screen passcodes that would prevent a stranger who finds a smartphone from accessing all its data. Consider this: a cell phone is lost in the U.S. every 3.5 seconds, and a recent poll found that 22% of smartphone users reported having lost a phone; but 70% of smartphone users continue to leave their phones unprotected by a passcode.[7] When criminals find mobile phones, they usually gain immediate access to email, contact lists, photos, local files, and possibly login credentials to business applications and services.
[1] http://www.emarketer.com/Article/Android-Apple-Continue-Consolidate-US-Smartphone-Market/1010196
[2] http://www.zdnet.com/a-third-of-american-adults-now-own-tablet-computers-7000016867/
[3] http://www.accellion.com/blog/2013/08/72-of-organizations-rate-own-mobile-security-as-poor-to-adequate/
[4] http://www.zdnet.com/blog/sap/average-mobile-worker-carries-3-5-devices-heres-the-downside/3172
[5] In a recent survey by Jumio, 72% of Americans reported being within five feet of their smartphones the majority of the time. http://www.jumio.com/2013/07/where-do-you-take-your-phone/
[6] http://sdtimes.com/content/article.aspx?ArticleID=64053&page=1. A study by Juniper Research found an even higher percentage of attacks, 92%, targeted Android. http://www.cultofandroid.com/31039/92-percent-of-all-mobile-malware-attacks/
Most likely, part of the reason so many consumers shirk basic mobile security is sheer password fatigue. By 2009, the average computer user was juggling 25 password-protected accounts and 6.5 passwords.[8] Security requirements to change passwords for VPNs and business applications every few months only increase users’ exasperation with passwords. No wonder that 40% of users avoid using complex passwords or changing their passwords as often as advised, if they can get away with it.[9]
Here, then, is the conundrum facing mobile security teams in regulated industries such as financial services and healthcare. The mobile devices used by employees and customers now store vitally important data, data that can be abused for identity theft, hacking, corporate espionage and more. Yet end users, especially consumers, are frustrated with the password-centric user experience commonly associated with enterprise-grade security. Every day, these users shirk security measures in favor of quick-and-easy access to mobile apps.
Is there a way for enterprises that care about security to meet users in the middle—a way to give them enterprise-grade security with an easy-to-use user interface?
Introducing PhotoAuth
TraitWare, a provider of mobile multi-factor solutions, has created a mobile authentication solution called PhotoAuth that is more secure than traditional PINs while also being easy to remember and easy to enter on the smaller screens featured on mobile devices. PhotoAuth makes mobile authentication both simpler and more secure.
Authentication solutions typically use one or more techniques leveraging some unique capability of the user. This unique capability could be “something you have” or “something you know.” Like a traditional PIN or password, a PhotoAuth image sequence fits in the “something you know” category. But PhotoAuth sequences are more secure than PINs or passwords, while also being easy to remember and quick to enter.
The patent-pending technology behind the “PhotoAuth Key” consists of a sequence of user-selected images that form a “visual key,” which the user must re-enter on their smartphone to “unlock” a mobile app. If the user fails to select the correct image sequence, the TraitWare-protected app is not unlocked and the smartphone cannot be used to authenticate the user.
The user selects their personal PhotoAuth Key sequence during the device registration process. The PhotoAuth Key can comprise 4, 5, or 6 images, which the user selects from a “set” of 24, 48 or 72 images. The Key Length and Set Size can be configured on a per-user or per-application basis according to the level of security required. The total pool of available PhotoAuth images numbers in the thousands, but the user only sees a fixed set of 24, 48 or 72 images.
[8] http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf
[9] http://m.news24.com/news24/Technology/News/Password-fatigue-haunts-internet-masses-20130625
As Table 1 illustrates, even at the lowest-strength setting of 4 images chosen from a set of 24, PhotoAuth provides 33 times the entropy[10] of a 4-digit numeric PIN code (the table expresses entropy as the number of possible combinations, that is, a 1-in-N chance of guessing). At the maximum security setting, PhotoAuth provides 139,000 times the entropy of an equivalent numeric PIN. The setting can be configured to the level of security appropriate to the application being protected, and can even be changed on a per-user basis.
PhotoAuth   PhotoAuth   PhotoAuth Key Entropy   Entropy compared to equivalent
Key Length  Set Size    (1 chance in ...)       numeric PIN
----------  ----------  ----------------------  -----------------------------------------
4           24                     331,776      33 times the entropy of a 4-digit PIN
4           48                   5,308,416      530 times the entropy of a 4-digit PIN
4           72                  26,873,856      2,687 times the entropy of a 4-digit PIN
5           24                   7,962,624      80 times the entropy of a 5-digit PIN
5           48                 254,803,968      2,548 times the entropy of a 5-digit PIN
5           72               1,934,917,632      19,349 times the entropy of a 5-digit PIN
6           24                 191,102,976      191 times the entropy of a 6-digit PIN
6           48              12,230,590,464      12,231 times the entropy of a 6-digit PIN
6           72             139,314,069,504      139,314 times the entropy of a 6-digit PIN
Table 1: PhotoAuth Key Entropy Statistics Compared to a Numeric PIN
[10] The probability of randomly guessing a key sequence or password is presented here in terms of the number of possible combinations, which equals 2^(entropy). To obtain the entropy, first the number of possible combinations is computed, and then its logarithm to base two is taken; this gives the number of bits needed to represent that many possibilities. For example, if the only possible selections are 0 and 1, there are two combinations and the entropy is log2(2) = 1, because expressing these possibilities requires just one bit.
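The following Go program, added here as a worked illustration and not part of TraitWare's paper or product, recomputes Table 1. It assumes what the table's figures imply: the number of keys is the set size raised to the key length (an ordered sequence in which an image may repeat), the entropy of footnote 10 is the base-2 logarithm of that count, and the right-hand column is the ratio to 10^(key length) rounded to the nearest whole number. It also converts a measured entropy in bits back into a guess count, the comparison that the Zhao et al. result cited later in this paper (30.1 bits theoretical versus 19 observed) calls for.

```go
package main

import (
	"fmt"
	"math"
	"math/big"
)

// PhotoAuthConfig is one row of Table 1: an ordered sequence of KeyLength
// images chosen from a displayed set of SetSize images.
type PhotoAuthConfig struct {
	KeyLength int
	SetSize   int
}

// Combinations returns SetSize^KeyLength, the number of distinct image
// sequences. This reproduces the figures in Table 1, which therefore count
// ordered selections in which an image may be chosen more than once
// (an assumption read off the table, not stated in the paper's text).
func (c PhotoAuthConfig) Combinations() *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(c.SetSize)), big.NewInt(int64(c.KeyLength)), nil)
}

// EntropyBits is log2 of the number of combinations, the "entropy" of
// footnote 10 expressed in bits; KeyLength * log2(SetSize) is the same value.
func (c PhotoAuthConfig) EntropyBits() float64 {
	return float64(c.KeyLength) * math.Log2(float64(c.SetSize))
}

// PINCombinations returns 10^n, the number of numeric PINs of length n.
func PINCombinations(n int) *big.Int {
	return new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(n)), nil)
}

// RatioToPIN is Combinations / PINCombinations(KeyLength), rounded to the
// nearest whole number as the right-hand column of Table 1 is.
func (c PhotoAuthConfig) RatioToPIN() int64 {
	num := new(big.Float).SetInt(c.Combinations())
	den := new(big.Float).SetInt(PINCombinations(c.KeyLength))
	r, _ := new(big.Float).Quo(num, den).Float64()
	return int64(math.Round(r))
}

// EffectiveGuesses converts an entropy figure in bits (for instance the
// measured entropy of a scheme after user preferences are accounted for)
// back into the size of the space an attacker must search: 2^bits.
func EffectiveGuesses(bits float64) float64 {
	return math.Pow(2, bits)
}

func main() {
	fmt.Println("len  set     combinations    bits     x PIN")
	for _, k := range []int{4, 5, 6} {
		for _, s := range []int{24, 48, 72} {
			c := PhotoAuthConfig{KeyLength: k, SetSize: s}
			fmt.Printf("%3d  %3d  %15s  %6.1f  %8d\n",
				k, s, c.Combinations().String(), c.EntropyBits(), c.RatioToPIN())
		}
	}
	// The Zhao et al. figures quoted in this paper: theoretical versus measured.
	fmt.Printf("30.1 bits = %.0f guesses; 19 bits = %.0f guesses\n",
		EffectiveGuesses(30.1), EffectiveGuesses(19))
}
```

Rounding to the nearest integer reproduces every row of Table 1 except 4 images from 48, where 5,308,416 / 10,000 = 530.84 and the table shows the truncated 530 rather than 531. The last line of output makes the practical point behind the Zhao et al. figure: a space of roughly 1.15 billion theoretical sequences can shrink to about 524,000 effective guesses once users' preferred images and orderings are taken into account, so a configured key length and set size are an upper bound on strength, not a guarantee.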
The following sample image from the TraitWare App shows the PhotoAuth “unlock” screen. This screen is presented to the user when they launch the TraitWare App:
Figure 2: Sample PhotoAuth Screens
Because PhotoAuth uses easily remembered images instead of numeric or alphanumeric codes, it is more convenient for the user. It is also more secure because of its larger entropy.
The PhotoAuth key sequence serves another important function: it can be used as part of the cryptographic process to sign the “TraitWare ID” digital signature. For information about this complementary security solution, see the TraitWare white paper, “Improving Application Security with Strong, Personalized User Authentication.”
Building on Earlier Pictographic Models
The use of pictograms for computer security purposes first came to prominence with the advent of Personal Digital Assistants (PDAs). Suddenly, users had a small, portable computing device with graphical capabilities that could be applied to common security operations.
Considering the security requirements for these devices, which were already storing confidential data, the National Institute of Standards and Technology (NIST) noted: “Adequate user authentication is the first line of defense to protecting the resources of a handheld device.”[11]
[11] "Picture Password: A Visual Login Technique for Mobile Devices," Wayne Jansen, Serban Gavrila, Vlad Korelev, Rick Ayers, Ryan Swanstrom, July 2003, NISTIR 7030, National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistir/nistir-7046.pdf
The paper proposed that PDAs use a visual login technique as a general-purpose authentication mechanism for users. Creating such a technique became much easier with the introduction of smartphones with touchscreen technology. On touchscreen devices, high-resolution images could be tapped, dragged, and moved in a variety of ways.
In 2003, Takada and Koike proposed using images instead of passwords for mobile phone authentication, noting at the time that Japan already had 20 million mobile phone users, many of whom kept images on their phones.[12]
Further studies of the use of images for authentication were published by Dunphy of Newcastle University and Heiner and Asokan of Nokia in 2010. Graphically drawn passwords, such as those used in the Microsoft Windows 8 system, were addressed recently by Zhao, Ahn and Seo of Arizona University and Hu of Delaware University.
The design of PhotoAuth takes these earlier works into consideration. For ease of use, PhotoAuth can be configured to use key sets (sequences of selected images) that are 4, 5, or 6 images long, depending on the strength of security desired by the user. The design currently enables a user to select a key set from image sets of 24, 48 and 72 pictures. A 24-image set can be displayed on a single screen of iPhone 4 and 5 series phones as well as on a single screen of more recent Android phones. When the larger image sets (48 and 72) are used, the user can easily reach the full set by scrolling. The Takada and Dunphy designs used multiple screens of images rather than the scrollable grid featured by PhotoAuth.
The Zhao et al. study found that user preferences degraded the entropy of picture gesture authentication, such as the drawing system used in Microsoft Windows 8, from a theoretical entropy value of 30.1 to 19.[13]
Protection against Common Security Attacks
PhotoAuth is designed to protect against common security attacks, including those described here.
Shoulder Surfing
The Nokia studies found that high-entropy systems significantly increase the number of observations required for successful “shoulder surfing” (the surreptitious observation of a mobile user’s onscreen activity).
“Shoulder surfing” becomes more difficult when PhotoAuth image sets contain 30 or more images, since the user is then likely to be scrolling quickly between images to input the authentication sequence. PhotoAuth also supports an option to display the images in a random arrangement each time the app is opened. The observer would then have to quickly identify and remember each image, ignoring its location, in order to replicate the authentication sequence.
[12] "Awase-E: Image-based authentication for mobile phones using user’s favorite images," Tetsuji Takada, Hideki Koike, 2003/1/1, Human-computer interaction with mobile devices and services, 347-351, Springer Berlin Heidelberg
[13] "On The Security of Picture Gesture Authentication," Ziming Zhao, Gail-Joon Ahn, Jeong-Jin Seo, Hongxin Hu,
Key Stroke Capture
PhotoAuth is designed to be safe from keyloggers and malware that records the location of touches on the screen. Capturing the location of touches is not sufficient for deriving the PhotoAuth authentication hash, since the hash does not incorporate image location data. If PhotoAuth’s random image-location option is turned on, even an attacker who managed to use a keylogger to capture the locations of images used in the authentication sequence would still not be able to select the correct image on a stolen or replicated device.
Server Attacks
PhotoAuth also protects against the theft of PhotoAuth key signatures stored on a server. PhotoAuth signatures are hashed and never stored in the clear. An important advantage of PhotoAuth key signatures over standard passwords is that they combine image data (which can include pixel data and other data such as camera specifications, image date and cropping information) with the identity of each selected image. This rich combination of data yields a very high-entropy input, from which a 40-digit hexadecimal hash (160 bits of entropy) is created. This high degree of entropy makes it essentially impossible to determine the image information needed to recreate the hash.
There have been reported cases in which the hashes of standard passwords were obtained and more than 40% of the passwords were recovered using rainbow tables.[14] Rainbow tables would likely prove ineffective against PhotoAuth key signatures: PhotoAuth displays random picture sets culled from a large collection of images, making it difficult for attackers to obtain the files needed to construct a rainbow table.
Defeating Man-in-the-Middle Attacks
The TraitWare system uses digital signing where the private key used for signing is not stored on the device but is generated from the PhotoAuth key. The server will not accept a captured PhotoAuth key unless the transmission is correctly signed.
Replicated Devices
PhotoAuth is designed to make replicating a device with captured data extremely difficult. Even if someone manages to obtain the PhotoAuth selection key, they would still have to capture the user’s device or create a replicated device. During the PhotoAuth registration process each user is provided with a random selection of stock images from a larger set. This makes it difficult for someone trying to replicate a device to obtain all the images needed to recreate a user’s image set. Without the correct image set and image file information, the correct hash to authenticate cannot be created.
[14] “A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password
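The Server Attacks, Man-in-the-Middle and Replicated Devices sections above describe one mechanism from three angles: a signing key that is re-derived from the image sequence plus the device's image file data, a server that holds no secret it could leak, and a signed exchange that a captured sequence alone cannot satisfy. The Go program below is an added illustration of that mechanism, not TraitWare's code and not a description of its actual cryptography. It assumes Ed25519 signing with a seed derived by SHA-256 from a per-device salt, the ordered image IDs and a digest of each selected image file; the image IDs, salts, device names and digests are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeviceImageSet is the random selection of stock images issued to one device at
// registration: image ID -> digest of the image file (pixel data, metadata). The
// digest stands in for the paper's "image file information"; every value is constructed.
type DeviceImageSet map[string][32]byte

// SampleImageSet builds a constructed image set whose digests depend on a device
// label, so two devices showing "the same" picture hold different file bytes.
func SampleImageSet(deviceLabel string, ids ...string) DeviceImageSet {
	set := make(DeviceImageSet, len(ids))
	for _, id := range ids {
		set[id] = sha256.Sum256([]byte(deviceLabel + "/" + id))
	}
	return set
}

// SigningKey re-derives the device's Ed25519 private key from the per-device salt,
// the ordered PhotoAuth selection and each selected image's file digest, so no
// private key is stored. SHA-256 keeps the example self-contained (a production
// design would use a slow KDF); the derivation is illustrative, not TraitWare's.
func SigningKey(salt []byte, images DeviceImageSet, selection []string) (ed25519.PrivateKey, error) {
	h := sha256.New()
	h.Write(salt)
	for _, id := range selection {
		digest, ok := images[id]
		if !ok {
			return nil, fmt.Errorf("image %q is not in this device's image set", id)
		}
		h.Write([]byte(id))
		h.Write([]byte{0}) // separator so adjacent IDs cannot run together
		h.Write(digest[:])
	}
	return ed25519.NewKeyFromSeed(h.Sum(nil)), nil
}

// Server keeps, per registered device, only the public key and one outstanding
// challenge; a breach of this store yields neither image selections nor image data.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// Register stores the public half of a device's derived key (PrivateKey.Public()).
func (s *Server) Register(deviceID string, pub crypto.PublicKey) {
	s.pubKeys[deviceID] = pub.(ed25519.PublicKey)
}

// Challenge issues a fresh random nonce, valid for exactly one login attempt.
func (s *Server) Challenge(deviceID string) []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.nonces[deviceID] = n
	return n
}

// Verify accepts a login only if sig covers the nonce this device was last issued.
// The nonce is consumed either way, so a response captured in transit cannot be
// replayed, and a captured image sequence alone cannot produce a signature.
func (s *Server) Verify(deviceID string, sig []byte) error {
	nonce, ok := s.nonces[deviceID]
	if !ok {
		return errors.New("no outstanding challenge for this device")
	}
	delete(s.nonces, deviceID)
	if pub, ok := s.pubKeys[deviceID]; !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("unknown device or signature does not verify")
	}
	return nil
}

// Respond is the client side: re-derive the key from the entered sequence, sign the nonce.
func Respond(salt []byte, images DeviceImageSet, selection []string, nonce []byte) ([]byte, error) {
	priv, err := SigningKey(salt, images, selection)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, nonce), nil
}

func main() {
	salt, key := []byte("constructed-salt"), []string{"owl", "bridge", "kite", "lantern"}
	phone := SampleImageSet("phone-A", "owl", "bridge", "kite", "lantern", "canoe", "clock")
	srv := NewServer()
	priv, _ := SigningKey(salt, phone, key)
	srv.Register("phone-A", priv.Public())
	sig, _ := Respond(salt, phone, key, srv.Challenge("phone-A"))
	fmt.Println("genuine login:", srv.Verify("phone-A", sig), "| replay:", srv.Verify("phone-A", sig))
}
```

Three properties from the text are visible in this code: the server table contains only public keys, so its theft exposes no reusable credential; a response is bound to a one-time nonce, so relaying or replaying a captured transmission fails; and a second device that knows the image sequence but holds different image file bytes derives a different key and cannot sign. The caveat a practitioner should keep in mind is that the public key does allow offline testing of candidate sequences by anyone who also obtains the device's image set, and Table 1's key spaces (about 2^18 to 2^37) are small by cryptographic standards; that is why the per-device image data and a deliberately slow derivation function, rather than the plain SHA-256 used here for brevity, carry the real weight.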
Ease of Integration
TraitWare has designed the PhotoAuth solution for ease of integration into mobile applications and mobile environments. Client-side software components can be easily incorporated into mobile apps on platforms such as Android and iOS. Server-side software uses secure REST interfaces that can be configured to interoperate with directory services, mobile provisioning services, and other IT infrastructure and services.
TraitWare also provides a stand-alone mobile security app that allows PhotoAuth and other TraitWare security technology to be used in multi-factor authentication solutions for business applications, payment systems, and other online services that require rigorous authentication.
Conclusion
Sales of mobile devices are expected to rise sharply for years to come, as more and more users adopt smartphones, tablets, and other devices such as smart watches. In this “post-PC” era, mobile computing may eventually come to be thought of simply as computing.
As mobile computing becomes more prevalent, the challenges of mobile security will become more pressing. The biggest challenge for enterprises and mobile app providers will be to provide rigorous, hacker-proof security through a user experience that is fast and easy to use, an experience that suits not just IT-savvy professionals but also the general public.
By integrating PhotoAuth into mobile apps and services, enterprises and mobile app developers can help users protect mobile data without the need for complex passwords or extraneous hardware. Available today, PhotoAuth provides enterprise-grade security with consumer-grade usability. It’s security that mobile users want to use.