Leveraging autobiographical memory for two-factor online authentication

Purpose Two-factor authentication is being implemented more broadly to improve security against phishing, shoulder surfing, keyloggers and password guessing attacks. Although passwords serve as the first authentication factor, a common approach to implementing the second factor is sending a one-time code, either via e-mail or text message. The prevalence of smartphones, however, creates security risks in which a stolen phone leads to user’s accounts being accessed. Physical tokens such as RSA’s SecurID create extra burdens for users and cannot be used on many accounts at once. This study aims to improve the usability and security for two-factor online authentication. Design/methodology/approach The authors propose a novel second authentication factor that, similar to passwords, is also based on something the user knows but operates similarly to a one-time code for security purposes. The authors design this component to provide higher security guarantee with minimal memory burden and does not require any additional communication channels or hardware. Motivated by psychology research, the authors leverage users’ autobiographical memory in a novel way to create a secure and memorable component for two-factor authentication. Findings In a multi-session lab study, all of the participants were able to log in successfully on the first attempt after a one-week delay from registration and reported satisfaction on the usability of the scheme. Originality/value The results indicate that the proposed approach to leverage autobiographical memory is a promising direction for further research on second authentication factor based on something the user knows.

[1]  Serge Egelman,et al.  It's No Secret. Measuring the Security and Reliability of Authentication via “Secret” Questions , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[2]  Martin A. Conway,et al.  Memory and the self , 2005 .

[3]  James Nicholson,et al.  Age-related performance issues for PIN and face-based authentication systems , 2013, CHI.

[4]  P. Dowland,et al.  A long-term trial of alternative user authentication technologies , 2004, Inf. Manag. Comput. Secur..

[5]  Mahdi N. Al-Ameen,et al.  Towards Making Random Passwords Memorable: Leveraging Users' Cognitive Ability Through Multiple Cues , 2015, CHI.

[6]  Kevin S. Decker,et al.  Manipulating remember and know judgements of autobiographical memories: an investigation of false memory creation , 1998 .

[7]  Ariel Rabkin,et al.  Personal knowledge questions for fallback authentication: security questions in the era of Facebook , 2008, SOUPS '08.

[8]  Endel Tulving,et al.  Continuity between recall and recognition. , 1973 .

[9]  David C. Rubin,et al.  Autobiographical Memory , 2019, Encyclopedia of Autism Spectrum Disorders.

[10]  Jason I. Hong,et al.  A diary study of password usage in daily life , 2011, CHI.

[11]  A. Ant Ozok,et al.  A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords , 2006, SOUPS '06.

[12]  Aaron Smith,et al.  U.S. Smartphone Use in 2015 , 2015 .

[13]  Mahdi N. Al-Ameen,et al.  The Impact of Cues and User Interaction on the Memorability of System-Assigned Recognition-Based Graphical Passwords , 2015, SOUPS.

[14]  Mike Just,et al.  Personal choice and challenge questions: a security and usability assessment , 2009, SOUPS.

[15]  高田哲司,et al.  "Exploring the Design Space of Graphical Passwords on Smartphones"の紹介 , 2013 .

[16]  Walter Kintsch,et al.  11 – Models for Free Recall and Recognition1 , 1970 .

[17]  Robert Biddle,et al.  Graphical passwords: Learning from the first twelve years , 2012, CSUR.

[18]  Mahdi N. Al-Ameen,et al.  A Comprehensive Study of the GeoPass User Authentication Scheme , 2014, ArXiv.

[19]  K.B. Bignell Authentication in an Internet Banking Environment; Towards Developing a Strategy for Fraud Detection , 2006, International Conference on Internet Surveillance and Protection (ICISP’06).

[20]  Claude E. Shannon,et al.  Prediction and Entropy of Printed English , 1951 .

[21]  Songwu Lu,et al.  Analysis of the Reliability of a Nationwide Short Message Service , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[22]  Mahdi N. Al-Ameen,et al.  Leveraging Real-Life Facts to Make Random Passwords More Memorable , 2015, ESORICS.

[23]  B. Desgranges,et al.  Autobiographical memory, autonoetic consciousness, and self-perspective in aging. , 2006, Psychology and aging.

[24]  M. Conway,et al.  The construction of autobiographical memories in the self-memory system. , 2000, Psychological review.

[25]  John R. Anderson,et al.  RECOGNITION AND RETRIEVAL PROCESSES IN FREE RECALL , 1972 .

[26]  Emiliano De Cristofaro,et al.  Two-Factor or not Two-Factor? A Comparative Usability Study of Two-Factor Authentication , 2013, ArXiv.

[27]  Robert Biddle,et al.  Do you see your password?: applying recognition to textual passwords , 2012, SOUPS.