Towards Implicit Visual Memory-Based Authentication

Selecting and remembering secure passwords puts a high cognitive burden on the user, which has adverse effects on usability and security. Authentication schemes based on implicit memory can relieve the user of the burden of actively remembering a secure password. In this paper, we propose a new authentication scheme (MooneyAuth) that relies on implicitly remembering the content of previously seen Mooney images. These images are thresholded two-tone images derived from images containing single objects. Our scheme has two phases: In the enrollment phase, a user is presented with Mooney images, their corresponding original images, and labels. This creates an implicit link between the Mooney image and the object in the user's memory that serves as the authentication secret. In the authentication phase, the user has to label a set of Mooney images, a task that gets performed with substantially fewer mistakes if the images have been seen in the enrollment phase. We applied an information-theoretical approach to compute the eligibility of the user, based on which images were labeled correctly. This new dynamic scoring is substantially better than previously proposed static scoring by considering the surprisal of the observed events. We built a prototype and performed three experiments with 230 and 70 participants over the course of 264 and 21 days, respectively. We show that MooneyAuth outperforms current implicit memory-based schemes, and demonstrates a promising new approach for fallback authentication procedures on the Web.
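The contrast between static and surprisal-based scoring mentioned in the abstract can be made concrete with an added example (not the authors' code). The image names, the per-image probabilities and the signed-sum rule are assumptions chosen for illustration, since the abstract does not give the paper's exact formula.

```python
import math

# Constructed per-image statistics (assumptions, not data from the paper):
#   q = probability that someone who never saw the image labels it correctly
#   p = probability that an enrolled (primed) user labels it correctly
IMAGES = {
    "img_a": {"q": 0.05, "p": 0.60},  # hard to label without priming
    "img_b": {"q": 0.40, "p": 0.80},  # often guessed even without priming
    "img_c": {"q": 0.10, "p": 0.70},
    "img_d": {"q": 0.30, "p": 0.75},
}


def surprisal(prob):
    """Information content, in bits, of an event that has probability prob."""
    return -math.log2(prob)


def static_score(answers):
    """Static scoring: every correct label counts the same."""
    return sum(1 for correct in answers.values() if correct)


def dynamic_score(answers, images=IMAGES):
    """Surprisal-weighted scoring (hypothetical rule for this example).

    A correct label adds the surprisal of a non-enrolled person getting it
    right; a wrong label subtracts the surprisal of an enrolled user
    getting it wrong.
    """
    score = 0.0
    for name, correct in answers.items():
        q, p = images[name]["q"], images[name]["p"]
        if correct:
            score += surprisal(q)
        else:
            score -= surprisal(1.0 - p)
    return score


# Two constructed sessions with the same number of correct labels.
HARD_HITS = {"img_a": True, "img_b": False, "img_c": True, "img_d": False}
EASY_HITS = {"img_a": False, "img_b": True, "img_c": False, "img_d": True}

if __name__ == "__main__":
    for label, session in (("hard hits", HARD_HITS), ("easy hits", EASY_HITS)):
        print(label, static_score(session), round(dynamic_score(session), 3))
```

Both sessions get the same static score, but only the one that solved the images a stranger rarely solves accumulates evidence under the weighted rule.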
