IDC seminar (4 Aug): Observer-Resistant Password Systems (ORPSs): Security versus Usability

Dr Shujun Li

Presentation slides


Observer-resistant password systems (ORPSs, also known as human authentication against observers or leakage-resilient password systems) have been studied since the early 1990s in both cryptography and computer security contexts, but to date an ORPS that is both secure and usable remains an open problem for the research community. The concept of ORPS covers a large family of attacks against password-based human authentication systems, such as shoulder surfing, hidden cameras, man-in-the-middle attacks, keyloggers and other malware. A key assumption of ORPS is that human users must respond to authentication challenges without using any computational devices (which are considered untrusted). In other words, the threat model behind ORPSs assumes that nothing other than the human user’s brain is trusted. The main security requirement is to avoid disclosure of the shared secret between the human user and the verifier (i.e., the password) even after a practically large number of authentication sessions have been observed by untrusted parties.

According to Yan et al.’s NDSS 2012 paper, which reviews research efforts on this topic over more than two decades, it is clear that no existing system meets both the security and the usability requirements, although many meet one of them. In this talk, the speaker will introduce his research on ORPSs since the early 2000s, with a particular focus on his more recent work (published at NDSS 2013 and currently under review), which has revealed new insights into how close we are to secure and usable ORPSs. He will contextualise part of his talk using a particular ORPS design called Foxtail, one of whose implementations was shown to have a relatively good balance between security and usability in the review by Yan et al. at NDSS 2012. Known rules for designing ORPSs and future research directions will also be discussed.
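The two paragraphs above define the threat model (an untrusted observer sees every challenge and response, and only the user's brain is trusted) and state that no known scheme is both secure and usable. The following Python simulation is an added illustration of that tension; it is not code from the talk, and the challenge-response scheme it uses is a constructed toy (a secret set of symbols, a random digit shown next to each symbol, and the user answering the sum of the digits on the secret symbols modulo a small number), not Foxtail or any scheme Yan et al. reviewed. The observer model enumerates every candidate secret and discards those inconsistent with the observed sessions, which is how one measures how much of the secret each observed session leaks:

```python
import itertools
import math
import random

# Constructed toy parameters (not Foxtail or any scheme from the talk):
# the screen shows ALPHABET symbols, the user's secret is a set of
# SECRET_SIZE of them, and every response is a single digit mod MODULUS.
ALPHABET = 12
SECRET_SIZE = 4
MODULUS = 4


def random_challenge(rng):
    """Verifier side: attach a random digit 0..MODULUS-1 to every symbol."""
    return [rng.randrange(MODULUS) for _ in range(ALPHABET)]


def respond(secret, challenge):
    """User side, done in the head: add the digits shown next to the secret
    symbols and answer the sum modulo MODULUS (no device involved)."""
    return sum(challenge[s] for s in secret) % MODULUS


def all_candidate_secrets():
    """Every secret the observer considers possible before seeing anything."""
    return [frozenset(c) for c in itertools.combinations(range(ALPHABET), SECRET_SIZE)]


def observer_leakage(secret, sessions, seed=0):
    """Model the untrusted observer of the threat model: it records every
    (challenge, response) pair and discards candidate secrets that would have
    answered differently.  Returns the candidate-set size after each session
    and the final candidate list."""
    rng = random.Random(seed)
    candidates = all_candidate_secrets()
    remaining = [len(candidates)]
    for _ in range(sessions):
        challenge = random_challenge(rng)
        response = respond(secret, challenge)
        candidates = [c for c in candidates if respond(c, challenge) == response]
        remaining.append(len(candidates))
    return remaining, candidates


def leaked_bits(before, after):
    """Information the observer gained, in bits, from shrinking the set."""
    return math.log2(before / after)


if __name__ == "__main__":
    secret = frozenset({1, 4, 7, 10})   # constructed example secret
    remaining, final = observer_leakage(secret, sessions=10)
    for i, n in enumerate(remaining):
        print(f"after {i:2d} observed session(s): {n:3d} candidate secrets, "
              f"{leaked_bits(remaining[0], n):.2f} bits leaked")
    print("secret fully determined by the observer:", final == [secret])
```

With these parameters there are 495 possible secrets (about 9 bits), and each four-valued response hands the observer roughly 2 bits, so the secret is pinned down after about five observed logins even though the user only ever adds four small digits in their head. Making the per-session leakage small enough to survive a "practically large number" of observed sessions, while keeping the user's mental work this light, is exactly the security-versus-usability trade-off the talk is about.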


Dr Shujun Li received his PhD degree in Information and Communication Engineering from Xi’an Jiaotong University, China, in 2003. After obtaining his PhD, he did postdoctoral research at the City University of Hong Kong and the Hong Kong Polytechnic University for several years. From 2007 to 2008 he was a Humboldt Research Fellow at the FernUniversität in Hagen, Germany. From 2008 to 2011 he held a 5-year Research Fellowship (Junior Group Leadership) at the Zukunftskolleg, Universität Konstanz, Germany, funded by the German Research Foundation (DFG) through its “Excellence Initiative” programme. Since 2011 he has been a Senior Lecturer in the Department of Computing, University of Surrey. Since July 2014 he has been a Deputy Director of the Surrey Centre for Cyber Security (SCCS), leading the research theme “Human-Centred Security”. As a core member of the SCCS management team, he helped the Centre gain recognition by GCHQ as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR) in March 2015. His research interests centre on the interplay among cyber security, user privacy, digital forensics, multimedia computing and human factors, as well as other interdisciplinary topics such as security economics and cyber crime. He has published more than 80 papers in international journals and conferences in the cyber security and multimedia computing fields. He has also contributed to international standards in the multimedia coding domain, and was the lead editor of ISO/IEC 23001-4:2011 “Information technology – MPEG systems technologies – Part 4: Codec configuration representation”, the 2nd edition of the MPEG RVC (Reconfigurable Video Coding) standard. Earlier in his career he worked on applications of chaos and fractals to computer science and communication engineering, publishing actively in physics and circuits-and-systems venues.
One of his remaining interests in chaos and fractals is the dynamical degradation of chaotic systems in the digital domain, for which he was funded by the Royal Society from 2011 to 2013. He is or has been PI and co-I of a number of research projects in cyber security, digital forensics and multimedia computing, funded mainly by UK and German funding bodies. Many of his research projects have human factors as a key research element. More about his research can be found on his personal website.

Kai Xu