Cognitive password

A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably about something they intrinsically know, to verify their identity. Cognitive password systems have been researched for many years and are now commonly used as a secondary means of access. They were developed to overcome the memorability vs. strength problem that exists with the traditional password. Compared with other password systems, cognitive passwords can be evaluated using a memorability vs. guessability ratio. [1]

History

Research on passwords as an authentication method has long wrestled with the tension between memorability and strong security. [2] Passwords that are easily remembered are easily cracked by attackers. On the other hand, strong passwords are difficult to crack but also difficult to remember. [3] [4] When passwords are difficult to remember, users may write them down, and the secrecy of the password is compromised. [5] Early research into this trade-off between security and usability aimed to develop a password system that used easily remembered personal facts and encouraged user participation. This line of research resulted in the concept of the associative password, a password system based on user-selected cues and responses. [6] The concept of associative passwords was then extended to a pre-specified set of questions and answers that users would be expected to know and could easily recall. [7] Empirical analysis of passwords and human cognition resulted in a recommendation that people should not be expected to remember more than four complex passwords. [8]

Building upon the idea of questions, later researchers developed a series of innovations for cognitive passwords. Passfaces used the ability to identify individuals in a social network and the particular cognitive strength of recognizing faces. [9] Later work evaluating these cues reinforced the recommendation of four passwords as a reasonable cognitive expectation. [10]

A historical overview of the use of various cues found that the specific design and layout of the page affect both memorability and strength. [11] Later work showed that including a visual cue produced strongly significant improvements in the trade-off between memorability and security. [12]

Cognitive questions

At the core of a cognitive password system are the cues. These can be photos of faces, newspapers, images, or other graphical or textual cues. One early method of assisting recall recommended what later became the familiar security questions. These questions were designed to be more memorable than the standard username/password authentication method. Accordingly, one measure of the strength of a cognitive password is the memorability/guessability ratio. [13]

Question development

Questions developed for cognitive password systems are classified as either fact-based or opinion-based. Fact-based systems have questions whose answers are considered independent of an individual's feelings, such as "What is the name of the high school you attended?". Opinion-based questions are the opposite and, as the name implies, have answers based on personal opinions, such as "What is your favorite color?" [14] Later research developed a set of criteria for question selection, which included generalized answerability, number of potential answers, and generalized lack of ambiguity. The first criterion suggested that questions should be answerable by everyone (e.g. not asking "When did you purchase your first home?" because not all users have purchased a home). The second criterion recommended selecting questions with a sufficiently large set of potential answers (e.g. not asking "How many children do you have?" because a majority of people would answer 0, 1 or 2). The third criterion was that questions be as unambiguous as possible (e.g. not asking "How many family members do you have?" as there may be confusion about who is included in that count). [15] For creating usable questions, one effective criterion is the use of persuasive, engaging questions. [16]

Older people dealing with the normal cognitive decline of aging may respond well to visual cues. [17] Tactile interactions can make technology more accessible. [18]

Memorability vs. guessability

A user's ability to correctly recall a password is expected to decrease over time. [19] However, the memorability of cognitive passwords remains relatively stable over time, with recall rates significantly higher than those of traditional passwords. [20] [21] When fact-based and opinion-based questions are compared, fact-based questions are more likely to be correctly remembered than opinion-based ones, which are nevertheless still far more likely to be remembered than traditional passwords. [20] Averaged over a whole set, cognitive questions show relatively high guessability, much higher than traditional passwords; when analyzed individually, however, certain questions have been shown to have acceptable memorability/guessability ratios. [20]
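As an added illustration of the question-selection criteria above and of the memorability/guessability ratio (example code written for this page, not from any cited study), the following scores a few candidate questions against constructed enrolment-and-recall data. The recall-rate definition of memorability, the single-best-guess definition of guessability, and the 2-bit entropy threshold are assumptions of the example.

```python
# Added example (not from the article): scoring candidate cognitive-password
# questions against the article's selection criteria. The panel data below is
# constructed; the entropy threshold is an assumption.
import math
from collections import Counter

# Per question: (answer given at enrolment, answer given at a later recall test)
SAMPLE = {
    "How many children do you have?": [
        ("2", "2"), ("0", "0"), ("1", "1"), ("2", "2"), ("0", "0"),
        ("1", "1"), ("2", "2"), ("0", "0"), ("3", "3"), ("1", "1")],
    "What is your favorite color?": [
        ("blue", "green"), ("red", "red"), ("Blue", "blue"), ("green", "blue"),
        ("blue", "blue"), ("purple", "purple"), ("red", "blue"), ("blue", "blue "),
        ("yellow", "yellow"), ("green", "green")],
    "What was the name of your first pet?": [
        ("rex", "Rex"), ("bella", "bella"), ("max", "max"), ("luna", "luna"),
        ("milo", "milo"), ("rex", "rex"), ("coco", "coco"), ("nala", "nala"),
        ("oscar", "oscar"), ("tiger", "tiger")],
}

def normalize(answer):
    """Case- and whitespace-insensitive comparison, as a verifier would do."""
    return " ".join(answer.strip().lower().split())

def memorability(records):
    """Recall rate: share of users whose later answer matches enrolment."""
    return sum(normalize(a) == normalize(b) for a, b in records) / len(records)

def guessability(records):
    """Chance that one guess of the population's most common answer succeeds."""
    counts = Counter(normalize(a) for a, _ in records)
    return counts.most_common(1)[0][1] / len(records)

def answer_entropy_bits(records):
    """Shannon entropy of enrolled answers: 'number of potential answers' as a number."""
    n = len(records)
    counts = Counter(normalize(a) for a, _ in records)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_questions(sample, min_entropy_bits=2.0):
    """Map each question to (memorability, guessability, ratio, acceptable)."""
    out = {}
    for q, recs in sample.items():
        m, g = memorability(recs), guessability(recs)
        out[q] = (m, g, m / g, answer_entropy_bits(recs) >= min_entropy_bits)
    return out

RESULTS = score_questions(SAMPLE)  # children question fails the entropy check
```

On this constructed panel the children question is perfectly recalled yet rejected, because its answers cluster on 0, 1 and 2 just as the second criterion warns; the pet question scores the best ratio.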

Examples

The following are some typical cognitive password questions:

References

  1. Shon Harris (2002). Mike Meyers' CISSP Certification Passport, chapter 2. McGraw-Hill Professional. p. 36. ISBN 978-0-07-222578-5.
  2. Simon, H. A. Cognitive science: The newest science of the artificial. Cognitive Science, 4(1):33–46, 1980.
  3. Zviran and Haga, 1990a
  4. J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password Memorability and Security: Empirical Results. IEEE Security and Privacy, 2(5):25–31, 2004.
  5. Zviran and Haga, 1999, p. 173
  6. Smith, 1987
  7. Zviran and Haga, 1990a, p. 723
  8. A. Adams and M. A. Sasse. Users are not the enemy. Commun. ACM, 42(12):40–46, 1999.
  9. S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon. PassPoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum.-Comput. Stud., 63(1-2):102–127, 2005.
  10. Brostoff, S., & Sasse, M. A. (2000). Are Passfaces more usable than passwords? A field trial investigation. In People and Computers XIV: Usability or Else! (pp. 405–424). Springer, London.
  11. Biddle, R., Chiasson, S., & van Oorschot, P. C. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys, 44(4):19, 2012.
  12. Camp, L. Jean, Jacob Abbott, and Siyu Chen. "CPasswords: Leveraging Episodic Memory and Human-Centered Design for Better Authentication." 2016 49th Hawaii International Conference on System Sciences (HICSS). IEEE, 2016.
  13. Bunnell et al., 1997, p. 631
  14. Zviran and Haga, 1990
  15. Bunnell et al., 1997, p. 633
  16. Alain Forget, Sonia Chiasson, P. C. van Oorschot, and Robert Biddle. 2008. Improving text passwords through persuasion. In Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS '08). ACM, New York, NY, USA, 1–12.
  17. Anderson, N. and Craik, F., "Memory in the aging brain", The Oxford Handbook of Memory, pp. 411–425, 2000.
  18. Z. Zimmerman & L. Jean Camp, "Elder-friendly Design's Effects on Acceptance of Novel Technologies", Elderly Interaction Design, CHI 2010 Workshop, Atlanta, GA, 4 April 2010.
  19. Brown et al., 2004, p. 642
  20. Bunnell et al., 1997, p. 635
  21. Zviran and Haga, 1990a, p. 728

Works cited