Markus Jakobsson
PayPal
Publication
Featured research published by Markus Jakobsson.
IEEE International Conference on Cloud Computing Technology and Science | 2009
Richard Chow; Philippe Golle; Markus Jakobsson; Elaine Shi; Jessica Staddon; Ryusuke Masuoka; Jesús García Molina
Cloud computing is clearly one of today's most enticing technology areas due, at least in part, to its cost-efficiency and flexibility. However, despite the surge in activity and interest, there are significant, persistent concerns about cloud computing that are impeding momentum and will eventually compromise the vision of cloud computing as a new IT procurement model. In this paper, we characterize the problems and their impact on adoption. In addition, and equally importantly, we describe how the combination of existing research thrusts has the potential to alleviate many of the concerns impeding adoption. In particular, we argue that with continued research advances in trusted computing and computation-supporting encryption, life in the cloud can be advantageous from a business intelligence standpoint over the isolated alternative that is more common today.
International Conference on Information Security | 2010
Elaine Shi; Yuan Niu; Markus Jakobsson; Richard Chow
Users are increasingly dependent on mobile devices. However, current authentication methods like password entry are significantly more frustrating and difficult to perform on these devices, leading users to create and reuse shorter passwords and PINs, or no authentication at all. We present implicit authentication - authenticating users based on behavior patterns. We describe our model for performing implicit authentication and assess our techniques using more than two weeks of collected data from over 50 subjects.
Cloud Computing Security Workshop | 2010
Richard Chow; Markus Jakobsson; Ryusuke Masuoka; Jesús García Molina; Yuan Niu; Elaine Shi; Zhexuan Song
Cloud computing is a natural fit for mobile security. Typical handsets have input constraints and practical computational and power limitations, which must be respected by mobile security technologies in order to be effective. We describe how cloud computing can address these issues. Our approach is based on a flexible framework for supporting authentication decisions we call TrustCube (to manage the authentication infrastructure) and on a behavioral authentication approach referred to as implicit authentication (to translate user behavior into authentication scores). The combination results in a new authentication paradigm for users of mobile technologies, one where an appropriate balance between usability and trust can be managed through flexible policies and dynamic tuning.
USENIX Conference on Hot Topics in Security | 2012
Markus Jakobsson; Mayank Dhiman
We study passwords from the perspective of how they are generated, with the goal of better understanding how to distinguish good passwords from bad ones. Based on reviews of large quantities of passwords, we argue that users produce passwords using a small set of rules and types of components, both of which we describe herein. We build a parser of passwords, and show how this can be used to gain a better understanding of passwords, as well as to block weak passwords.
IEEE Symposium on Security and Privacy | 2012
Dirk Balfanz; Richard Chow; Ori Eisen; Markus Jakobsson; Steve Kirsch; Scott R. Matsumoto; Jesús García Molina; Paul C. van Oorschot
As part of this special issue on authentication, guest editors Richard Chow, Markus Jakobsson, and Jesus Molina put together a roundtable discussion with leaders in the field, who discuss here their views on the biggest problems in authentication, potential solutions, and the direction in which the field is moving.
Archive | 2013
Markus Jakobsson; Debin Liu
This chapter will describe a method of deriving new PINs from existing passwords. This method is useful for obtaining friction-free user onboarding to mobile platforms. It has significant business benefits for organizations that wish to introduce mobile apps to existing users who already have passwords, but are reluctant to authenticate the users with the existing passwords. From the user’s perspective, a PIN is easier to enter than a password, and a derived PIN does not need to be remembered—assuming the user has a password and can recall it. In addition, even though the PINs are derived from passwords, they do not contain sufficient information to make the passwords easy to infer from compromised PINs. This, along with different transaction limits for PINs and passwords, makes the derived PINs more useful in a situation where users have to enter their PINs in public. We describe real-life password distributions to quantify exactly how much information about the passwords the derived PINs contain, and how much information is lost during the derivation. We also describe experiments with human subjects to qualitatively and quantitatively show that the user-side derivation method is easy to use.
IEEE Symposium on Security and Privacy | 2012
Markus Jakobsson; Richard Chow; Jesús García Molina
Passwords have been used for authentication and authorization purposes since at least the time of Ali Baba. Generals used them to identify messengers, and sentries used them to restrict access to certain areas. Sometimes they were personal; other times they were shared by a group. Passwords are intuitive and were the obvious choice for access control at the dawn of the computer era. The emergence of the Internet changed our authentication needs as well as the risks, but passwords remained.
Computers & Security | 2017
Hossein Siadati; Toan Nguyen; Payas Gupta; Markus Jakobsson; Nasir D. Memon
SMS-based second factor authentication is a cornerstone for many service providers, ranging from email service providers and social networks to financial institutions and online marketplaces. Attackers have not been slow to capitalize on the vulnerabilities of this mechanism by using social engineering techniques to coerce users to forward authentication codes. We demonstrate one social engineering attack for which we experimentally obtained a 50% success rate against Google's SMS-based authentication. At the heart of the problem is the messaging associated with the authentication code, and how this must not have been developed with security against social engineering in mind. Pursuing a top-down methodology, we generate alternative messages and experimentally test these against an array of social engineering attempts. Our most robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google's standard second factor verification code messages.
IEEE Symposium on Security and Privacy | 2014
M. Angela Sasse; Charles C. Palmer; Markus Jakobsson; Sunny Consolvo; Rick Wash; L. Jean Camp
Guest editors M. Angela Sasse and Charles C. Palmer speak with security practitioners about what companies are doing to keep customers secure, and what users can do to stay safe.
Understanding Social Engineering Based Scams | 2016
Hossein Siadati; Sima Jafarikhah; Markus Jakobsson
This chapter delivers an overview of traditional mechanisms to detect and stop unwanted emails. These mechanisms include email authentication (e.g., DKIM, SPF, DMARC), blacklisting (e.g., DNSBL), and content-based spam filtering (e.g., Naive Bayes Classifier). We explain the extent to which they can be useful to block scam, and point out evasion techniques that help spammers and scammers survive.