Workshop on
The Future of User Authentication and
Authorization on the Web:

Challenges in Current Practice, New Threats, and Research Directions


Friday, March 4, 2011
Co-located with
Financial Cryptography and Data Security 2011
St. Lucia


Preliminary Program

9:00 - 10:00 Keynote: Cormac Herley, Microsoft Research
Passwords and Web Authentication: Two Decades of Confusion and Counting

10:00 - 10:30 Break

10:30 - 11:15 Panel: Password Managers, Single Sign-On, Federated ID: Have users signed up?
Panelists: Dirk Balfanz, Google
Rachna Dhamija, Usable Security Systems
Konstantin Beznosov, University of British Columbia
Chair: Robert Biddle, Carleton University

11:15 - 12:00 Panel: Is the SSL (CA) trust model still working?
Panelists: Steven M. Bellovin, Columbia University
Jesse Burns, iSEC Partners
Sid Stamm, Mozilla
Chair: Paul van Oorschot, Carleton University

12:00 - 1:15 Lunch

1:15 - 2:00 Invited talk: Robert Biddle, Carleton University
Human computer security: the solution space

2:00 - 2:45 Panel: Authentication By and For Humans: Design and Evaluation
Panelists: Lynne Coventry, Northumbria University
Cynthia Kuo, Nokia Research Center
Andrew Patrick, Office of the Privacy Commissioner of Canada
Chair: Sonia Chiasson, Carleton University

2:45 - 3:15 Break

3:15 - 4:00 Invited talk: Steven M. Bellovin, Columbia University
What am I Doing? Comprehension and Authentication

4:00 - 4:45 Panel: Latest Attacks on User Authentication and Transaction Authorization
Panelists: Markus Jakobsson, PayPal
Engin Kirda, Northeastern University
Steven Murdoch, University of Cambridge
Chair: Fabian Monrose, University of North Carolina at Chapel Hill

4:45 - 5:00 Wrap-up


Invited speakers

Cormac Herley, Microsoft Research
Cormac Herley is a Principal Researcher at Microsoft Research. He's been at MSR since 1999, and before that was at HP where he headed the company's currency anti-counterfeiting efforts. His current interests lie in the overlap between the disciplines of security, economics, usability and data analysis. He's authored numerous publications, is inventor of over seventy patents, and has shipped technologies used by millions of users. Some of his recent work has achieved widespread coverage in venues such as the NY Times, the Boston Globe, NPR All Things Considered, CBS News and Newsweek. He received the PhD degree from Columbia University, the MSEE from Georgia Tech, and the BE(Elect) from the National University of Ireland.
Steven M. Bellovin, Columbia University
Steven M. Bellovin is a professor of computer science at Columbia University, where he does research on networks, security, and especially why the two don't get along. While a graduate student, he helped create Netnews; for this, he and the other perpetrators were given the 1995 Usenix Lifetime Achievement Award (The Flame). He is a member of the U.S. National Academy of Engineering, the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and the recipient of the 2007 NIST/NSA National Computer Systems Security Award. He was a member of the Internet Architecture Board from 1996-2002; he was co-director of the Security Area of the IETF from 2002 through 2004.
Robert Biddle, Carleton University
Robert is a Professor of Human-Computer Interaction appointed to the School of Computer Science at Carleton University, in Ottawa, Canada. He was a British Commonwealth Scholar, and worked for many years at universities in New Zealand. His interests are in "the secret life of software": how software can work in rich and subtle ways with human expression and human behaviour. His current work is on interaction design for computer security, and he leads themes for Canadian research networks on security, on interactive application development, and on new media.