Cognitive Authentication Schemes for Unassisted Humans, Safe Against Spyware

Can we secure user authentication against eavesdropping adversaries, relying on human cognitive functions alone, unassisted by any external computational device? To accomplish this goal, we propose challenge-response protocols that rely on a shared secret set of pictures. With respect to brute-force attack, the protocols are safe against eavesdropping, in that an observer who fully records any feasible series of successful interactions cannot practically compute the user's secret. Moreover, the protocols can be tuned to any desired level of security against random guessing, where security can be traded off against authentication time. The proposed protocols have two drawbacks: first, training is required to familiarize the user with the secret set of pictures; second, depending on the level of security required, entry time can be significantly longer than with alternative methods. We describe user studies showing that people can use these protocols successfully, and quantify the time it takes for training and for successful authentication. We show evidence that the secret can be effortlessly maintained for a long time (up to a year) with relatively low loss.
