Passwords are the most common form of user authentication today. When passwords were first introduced in the 1960s, computers were a scarce resource, and experts had at most a few passwords to manage. However, today, we are surrounded by many computers and services, and passwords are imposing a growing burden on users. As a way of coping, users choose insecure behaviors, such as writing down passwords, choosing weak passwords, or reusing passwords for multiple accounts. One result is that passwords are now a major source of vulnerabilities in computer systems.

To address this problem, I designed, implemented and evaluated the Unified Authentication Framework (UniAuth in short). The three core ideas behind UniAuth are 1) a user will have one smart device that manages all of their credentials, 2) the smart device can communicate with online services as well as physical devices via a standardized protocol to handle activities related to user authentication (such as authentication, account creation and password updates), and 3) the smart device can use its on-board sensors to improve the security and usability of user authentication to the device. With the UniAuth Framework, users only need to authenticate themselves to their smart devices a small number of times a day. Then, the smart device can communicate with online services and physical devices to perform tasks related to user authentication on behalf of users.

This work consists of three lines of research. The first explored how people use and manage their passwords in their daily life to confirm design of UniAuth. The second investigated how smartphones' onboard sensors could be utilized to adjust the security level of user authentication to the smartphones. Finally, the third involved the design, implementation, and evaluation of the UniAuth Framework through an expert review and a field study. These pieces of research demonstrated that UniAuth could realize secure and usable user authentication, which is one of the grand challenges in usable security, provide a smooth transitional path from passwordbased user authentication to a better user authentication, and open up new design space in user authentication research in the Internet of Things era.

176 pages

Thesis Committee:
Jason I. Hong (Chair)
Lorrie F. Cranor
Anind K. Dey
Stuart Schechter (Microsoft Research)

Anind K. Dey, Head, Human-Computer Interaction Institute
Andrew W. Moore, Dean, School of Computer Science

Return to: SCS Technical Report Collection
School of Computer Science homepage

This page maintained by reports@cs.cmu.edu