Re: Image, word, and password login

[Karl Bernard <karl.bernard () GMAIL COM>]

A colleague mentioned this thread to me and I'm a consumer of this same
technology (site authentication) at a couple of financial sites. Until
today, I'd always thought it was pretty cool until I was trying to find
the official name for this kind of thing and found some less than
stellar articles and studies about using them:
http://www.finextra.com/news/fullstory.aspx?newsitemid=16469
http://security.stackexchange.com/questions/19155/effectiveness-of-security-images

Karl Bernard
UTHealth, Academic Health Center at Houston



On Fri, Dec 6, 2013 at 1:18 PM, Joel L. Rosenblatt <joel () columbia edu>wrote:

> Hi,
>
> I have an account at a vendor that uses a system like this - I picked
> a picture and a word, and when you enter your account (before your
> password) it takes you to a page that displays the picture and word
> and prompts for the password
>
> It makes the login a 2 screen affair, which may bother some of your
> users who think that everything has to be done in subsecond time.
>
> Our web login to our mail system displays
>
> Greetings, Joel Rosenblatt (or your own name :-)
>
> after you type in your account, but before you type in your password -
> similar idea, but less pages and it doesn't require the user to do
> anything except recognize their name :-)
>
> Good luck!
> Joel
>
>
> Joel Rosenblatt, Director Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033<%20212%20854%203033>
> http://www.columbia.edu/~joel
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
> On Fri, Dec 6, 2013 at 2:08 PM, Derek Diget
> <derek.diget+educause-security () wmich edu> wrote:
> > We are thinking about creating a login process where user's pick a
> picture
> > and/or word before getting a password entry box.[1]  The main driver is
> to
> > prevent phishers from copying our "static" login pages.
> >
> > The process would go something like....
> >
> > 0) Training, Training, Training...and other carbon based life form user
> > issues...... :)
> >
> > 1) User gets to our login page
> > 2) User enters login ID
> > 3) login process retrieves user's picture and word choice
> > 4) login process displays user's picture with 8 (or 11) others randomly
> > 5) User selects their picture
> > 6) If correct, login process displays user's word with 8 (or 11) others
> > 7) If correct, login process give user a password text box to finish
> > authenticating.
> >
> > (Yes, a phisher could duplicate the pictures and words and disregard what
> > the user picks...so the user would always get to the password box, but
> our
> > current thoughts is that it would take to much "work" for them to
> duplicate
> > this new login process and there are other easier fish in the sea to
> phish.
> > :)
> >
> > I have two questions to the group....
> >
> > 1) Is there an industry term for this type of authentication process? (It
> > kind of is two-factor, but we want to avoid using that term as most
> people
> > think of two-factor having a physical component...token card, key fob,
> > phone, etc).
> >
> > 2) Does anyone know of any research on a multi-step authentication
> process
> > like this?  Be it usability issues, increased security, etc.
> >
> >
> >
> > Note 1: We vet the user.  As part of the process of setting a password,
> they
> > also pick a picture out of ~12 (with a library of 100+) choices and store
> > their choice.  They then pick a word out of ~12 (with a library of 100
> or so
> > words) and store their choice.  Then they finish setting a password.
> >
> > --
> > ***********************************************************************
> > Derek Diget                            Office of Information Technology
> > Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
> > ***********************************************************************