PhotoAuth® Makes Stronger Mobile Authentication Easy
Revised June 2019
Table of Contents
Choices for Mobile Authentication: Frustrating or Futile
Building on Earlier Pictographic Models
Protection against Common Security Attacks
Defeating Man-in-the-Middle Attacks
By their very nature of being portable, mobile devices present unique security challenges. User password fatigue combined with sensitive corporate data on mobile devices intensifies the risk of a data breach. TraitWare ® has created a passwordless authentication solution with inherent multi-factor authentication that makes mobile authentication both simpler and more secure.
Choices for Mobile Authentication: Frustrating or Futile
Mobile devices play an increasingly important role both at home and at work. Nearly half of Americans own smartphones,[1] and nearly a third of American adults own tablets.[2] And nearly all organizations have mobile devices in the workplace. Workers in these organizations are carrying 3.5 devices on average, according to a survey by iPass.[3] Juggling a smartphone, a tablet, and a laptop is simply part of a growing number of white collar and blue collar jobs.
No longer simply tools for telephony and calendaring, mobile devices are now commonly used for a wide variety of tasks: accessing business applications, storing and editing business data that includes customer records, purchasing everything from plane tickets to furniture, and myriad banking and personal financial management tasks. Smartphones and tablets have become our constant companions, with us all hours of the day,[4] small, sleek repositories of everything from email and contact lists to data so confidential it is subject to industry regulations and data privacy laws.
Not surprisingly, hackers and criminal syndicates see these data-rich devices as prime targets for attack. Android and iOS devices make especially tempting targets. Android devices were targeted in 79% of mobile malware attacks, according to a study by the Dept. of Homeland Security (DHS) and the FBI[5]. Unlike BlackBerrys and an earlier generation of mobile devices built expressly for business use and therefore restricted in their functionality, iPhones, iPads, and Android phones and tablets were designed primarily for the consumer market. They were originally built for ease of use, rather than robustness of defense. In order not to overwhelm typical users, these devices have historically lacked rigorous security features or left security features turned off by default. Today Google and Apple incorporate security features into the design of their phones, with additional features that businesses can activate with software designed specifically for enterprise use. But mobile devices remain vulnerable to security breaches.
Exacerbating the security vulnerabilities of mobile devices, most smartphone users ignore even rudimentary protections like screen passcodes that would prevent a stranger who finds a smartphone from accessing all its data. Consider this: a cell phone is lost in the U.S. every 3.5 seconds, and a recent poll found that 22% of smartphone users reported having lost a phone. Yet 52% of smartphone users continue to leave their phones unprotected by a passcode.[6] When criminals find mobile phones, they often gain immediate access to email, contact lists, photos, local files, and possibly login credentials to business applications and services.
Part of the reason so many consumers shirk basic mobile security is sheer password fatigue. By 2017, the average business user was juggling 191 passwords.[7] Security requirements to change passwords for VPNs and business applications every few months only increase users’ exasperation with passwords. No wonder 40% of users now avoid using complex passwords or changing their passwords as often as advised, if they can get away with it.[8]
Here, then, is the conundrum facing mobile security teams in regulated industries such as financial services and healthcare. The mobile devices used by employees and customers are storing vitally important data – data that can be abused for identity theft, hacking, corporate espionage and more. Yet end users – especially consumers – are frustrated with that password-centric experience commonly associated with enterprise-grade security. Every day, these users are shirking security measures for quick and easy access to mobile apps.
Is there a way for enterprises that care about security to meet users in the middle? A way to give them enterprise-grade security with an easy-to-use user interface?
Introducing PhotoAuth®
TraitWare ®, a provider of mobile multi-factor solutions, has created a mobile authentication solution called PhotoAuth® that is more secure than traditional PINs while also easy to remember and easy to enter on the smaller screens featured on mobile devices. PhotoAuth makes mobile authentication both simpler and more secure.
Authentication solutions typically use one or more techniques leveraging some unique capability of the user. This unique capability could be “something you have” or “something you know.” Like a traditional PIN or password, a PhotoAuth image sequence fits in the “something you know” category. But PhotoAuth sequences are more secure than PINs or passwords, while also being easy to remember and quick to enter.
The patented and patent pending technology behind the “PhotoAuth Key” consists of a sequence of user-selected images, which form a “visual key” that must be selected by the user on their Smartphone to “unlock” a mobile app. If the user fails to select the correct image sequence, the TraitWare®-protected App is not unlocked and the smartphone cannot be used to authenticate the user.
The user selects their personal PhotoAuth Key sequence during the device registration process. The PhotoAuth Key can comprise four, five, or six images, which the user selects from a “set” of 24, 48, or 72 images. The Key Length and Set Size can be configured on a per-user or per-application. However, the default is set to 5 out of 24 to meet the NiSt AAL2 requirement.
basis according to the level of security required. The total pool of available PhotoAuth images numbers in the thousands, but the user only sees a fixed set of 24, 48 or 72 images.
As the following statistical table illustrates, even at the lowest-strength setting of four images out of a set of 24 possible images, this provides 33 times more entropy[9] than a four-digit numeric PIN code. At the maximum security setting, PhotoAuth provides 139,000 times more entropy than an equivalent numeric PIN. This setting can be easily configured to the level of security appropriate to the application being protected, and can even be changed on a per-user basis.
| PhotoAuth Key Length | PhotoAuth Set Size | PhotoAuth Key Entropy as 1-chance-in-XXXX | Entropy compared to equivalent Numeric PIN |
| 4 | 24 | 331,776 | 33 times the entropy of a 4-digit PIN |
| 4 | 48 | 5,308,416 | 530 “ |
| 4 | 72 | 26,873,856 | 2,687 “ |
| 5 | 24 | 7,962,624 | 80 times the entropy of a 5-digit PIN |
| 5 | 48 | 254,803,968 | 2,548 “ |
| 5 | 72 | 1,934,917,632 | 19,349 “ |
| 6 | 24 | 191,102,976 | 191 times the entropy of a 6-digit PIN |
| 6 | 48 | 12,230,590,464 | 12,231 “ |
| 6 | 72 | 139,314,069,504 | 139,314 “ |
Table 1: PhotoAuth Key Entropy Statistics Compared to a Numeric PIN
The following sample image from the TraitWare® App shows the PhotoAuth “unlock” screen. This screen is presented to the User when they launch the TraitWare® App:
Figure 2: Sample PhotoAuth Screens
Because PhotoAuth uses easily remembered images instead of numeric or alphanumeric codes, it is more convenient for the user, while also being safer because of its larger entropy. The PhotoAuth key sequence serves another important function: it can be used as part of the cryptographic process to sign the “TraitWare® ID” digital signature. For information about this complementary security solution, see the TraitWare® white paper, “Improving Application Security with Strong, Personalized User Authentication.”
Building on Earlier Pictographic Models
The use of pictograms for computer security purposes first came to prominence with the advent of Personal Digital Assistants (PDAs). Suddenly, users had a small, portable computing device with graphical capabilities that could be applied to common security operations. Considering the security requirements for these devices, which already were storing confidential data, the National Institute for Standards and Technology (NIST) noted: “Adequate user authentication is the first line of defense in protecting the resources of a handheld device.”[10]
The paper proposed that PDAs use a visual login technique as a general-purpose authentication mechanism for users. Creating such a technique became much easier with the introduction of smartphones with touchscreen technology. On touchscreen devices, high-resolution images could be tapped, dragged, and moved in a variety of ways.
In 2003, Takada and Koike proposed using images instead of passwords for mobile phone authentication, noting at the time that there were 20 million users of mobile phones in Japan already, many with images on their phones.[11]
Further studies of the use of images for authentication were published by Dumpy of Newcastle University and Heiner and Asokan of Nokia in 2010. Zhao, Ahn and Seo of Arizona University and Hu of Delaware University have all explored graphically drawn passwords, such as those used in the Microsoft Windows 8™ system.
The design of PhotoAuth takes these earlier works into consideration. For ease of use, PhotoAuth can be configured to use key sets (sequences of selected images) that are four, five, or six images depending on the strength of security desired by the user. The design currently enables a user to select a key set from image sets of 24, 48 and 72 pictures. A 24-image set can be displayed on a single screen of iPhone 5 and 6 series phones and on a single screen of more recent Android phones. When the larger image sets are used (48 and 72), the user can easily access the full list by scrolling. The Takada and Dumpy designs used multiple screens of images but not the scrollable grid used by PhotoAuth.
The Zhao, et al., study found user preferences degraded the entropy of picture gesture authentication, such as the drawing system used in Microsoft Windows 8™, from a theoretical entropy value of 30.1 to 19.[12]
Protection against Common Security Attacks
PhotoAuth is defined to protect against common security attacks, including those described here.
Shoulder Surfing
The Nokia studies found that high entropy systems significantly increase the number of observations required for successful “shoulder surfing” (the surreptitious observation of a mobile user’s onscreen activity).
“Shoulder surfing” becomes more difficult when PhotoAuth image sets contain 30 or more images, making it likely that the user will be quickly scrolling between images to input the
authentication sequence. PhotoAuth also supports an option to randomly display the images each time the app is opened. An observer would have to quickly identify and remember each image, ignoring its location, in order to replicate the authentication sequence.
Keystroke Capture
PhotoAuth is designed to be safe from keyloggers and malware that records the location of touches on the screen. Capturing the location of touches is not sufficient for deriving the PhotoAuth authentication hash, since the hash does not incorporate image location data.
If PhotoAuth’s random image-location option is turned on, even an attacker who managed to use a keylogger to capture the locations of images used in the authentication sequence would still not be able to select the correct image on a stolen or replicated device.
Server Attacks
PhotoAuth also protects against the theft of PhotoAuth key signatures stored on a server. PhotoAuth signatures are hashed and never stored in the clear. An important advantage of PhotoAuth key signatures over standard passwords is that PhotoAuth signatures combine image data (which can include pixel data and other data, such as camera specifications, image date, cropping information) with the identity of each image selected. This rich combination of data results in a very high entropy input being used to create a hexadecimal hash of 40 digits with an entropy of 160. This high degree of entropy makes it essentially impossible to determine the image information needed to recreate the hash.
There have been cases reported where the hash of standard passwords were obtained and where more than 40% of the passwords were recreated using rainbow tables.[13] Rainbow tables would likely prove ineffective against PhotoAuth key signatures[14]. PhotoAuth displays random picture sets culled from a large collection of images, making it difficult for hackers to obtain the files necessary to construct a rainbow table.
Defeating Man-in-the-Middle Attacks
The TraitWare® system uses digital signing where the private key used for signing is not stored on the device but is generated from the PhotoAuth key. The server will not accept a captured PhotoAuth key unless the transmission is correctly signed.
Replicated Devices
PhotoAuth is designed to make replicating a device with captured data extremely difficult. Even if someone manages to get the PhotoAuth selection key, they would still have to capture the user’s device or create a replicated device. During the PhotoAuth registration process each
user is provided with a random selection of stock images from a larger set. This makes it difficult for someone trying to replicate a device to get all the images to create a user image set. Without the correct image set and image file information, the correct hash to authenticate cannot be created.
Ease of Integration
TraitWare® has designed the PhotoAuth solution for ease of integration into mobile applications and mobile environments. Client-side software components can be easily incorporated into mobile apps on platforms such as Android and iOS. Server-side software uses secure REST interfaces that can be configured to interoperate with directory services, mobile provisioning services, and other IT infrastructure and services.
TraitWare® also provides a stand-alone mobile security app that allows PhotoAuth and other TraitWare® security technology to be used in multi-factor authentication solutions for business applications, payment systems, and other online services that require rigorous authentication.
Conclusion
Sales of mobile devices are expected to rise sharply for years to come as more users adopt smartphones, tablets, and other devices such as smart watches. In this “post-PC” era, mobile computing may eventually come to be thought of simply as computing.
As mobile computing becomes more prevalent, the challenges of mobile security will become more pressing. The biggest challenge for enterprises and mobile app providers will be to provide rigorous, hacker-proof security through a user experience that is fast and easy to use – an experience that suits not just IT-savvy professionals, but also the general public.
By integrating PhotoAuth into mobile apps and services, enterprises and mobile app developers can help users protect mobile data without the need for complex passwords or extraneous hardware. Available today, PhotoAuth provides enterprise-grade security with consumer-grade usability. It’s security that mobile users want to use.
To learn more about how PhotoAuth can Secure and Simplify your Digital LifeTM, please email sales@traitware.com or call (530) 264-7661.
[1] http://www.emarketer.com/Article/Android-Apple-Continue-Consolidate-US-Smartphone-Market/1010196
[2] http://www.zdnet.com/a-third-of-american-adults-now-own-tablet-computers-7000016867/
[3] http://www.zdnet.com/blog/sap/average-mobile-worker-carries-3-5-devices-heres-the-downside/3172
[4] https://www.adweek.com/digital/smartphones/
[5] http://sdtimes.com/seventy-nine-percent-of-mobile-malware-attacks-directed-at-android-os/ 1. A study by Jupiter Research found an even higher percentage of attacks – 92% – targeted Android. http://www.cultofandroid.com/31039/92-percent-of-all-mobile-malware-attacks/
[6]https://www.securitymagazine.com/articles/89220-half-of-consumers-dont-password-protect-their-mobile-devices
[7]https://www.securitymagazine.com/articles/88475-average-business-user-has-191-passwords
[8] http://m.news24.com/news24/Technology/News/Password-fatigue-haunts-internet-masses-20130625
[9] The probability of being able to randomly guess a key set or password is presented in terms of the number of possible combinations, expressed as 2 (entropy). To obtain the entropy, first the number of possible combinations is computed, and then the log to base two is computed. This gives the number of bits required to store the probability. For example, if either a 0 or 1 are the possible selections, the entropy is 1, because 20 or 21 are the only possibilities and expressing these possibilities requires just one bit.
[10] “Picture Password: A Visual Login Technique for Mobile Devices,” Wayne Jansen, Serban Gavrila, Vlad Korelev, Rick Ayers, Ryan Swanstrom, July 2003, NISTIR 7030, National Institute of Standards and Technology http://csrc.nist.gov/publications/nistir/nistir-7046.pdf
[11] “Awase-E: Image-based authentication for mobile phones using user’s favorite images”, Tetsuji Takada, Hideki Koike, 2003/1/1, Human-computer interaction with mobile devices and services, 347-351, Springer Berlin Heidelberg
[12] “On the Security of Picture Gesture Authentication,” Zimming Zhao, Gail-Joon Ahn, Jeong-Jin Seo, Hongxin Hu, Proceedings of the 22nd USENIX Security Symposium, August 14-16, 2013, Washington, DC.
[13] “A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.” For more information about rainbow tables, see http://en.wikipedia.org/wiki/Rainbow_table.
[14] It would be ineffective because rainbow tables take words and phrase and create a hash. The word and phrase hash compare to the hashes in the rainbow table of suspected words or phrase. To retrieve the word or phrase there has to be a match, In PhotoAuth, picture information from a section of the jpeg files for multiple pictures are used to create a hash. To create a hash table to generate a rainbow table the hacker has to get the actual picture jpeg file info and know the section of the file that was used to create the hash. Since we supply random picture sets out of large sets of pictures it becomes difficult for a hacker to obtain the specific jpeg files that are needed to create a rainbow table. They would have to decompile the server code to know which section of the files to use and the combination to be tested would be a subset of the file set of pictures which is much larger than 24 pictures.