Internet Authentication Based on Personal History – A Feasibility Test

Ann Nosseir, Richard Connor, Mark Dunlop
University of Strathclyde, Computer and Information Sciences
[email protected]


Goal of the Study

To assess the feasibility of distinguishing two groups: the genuine person and an impostor.

Introduction

• On the Internet, there is an uneasy tension between the security and usability of authentication mechanisms.

How are we authenticated?

Authentication Scheme

Stajano (2002) gives a three-part classification:

• "something you know" (e.g. password)

• "something you hold" (e.g. a device holding a digital certificate)

• "who you are" (e.g. biometric assessment)

Each of these has well-known problems; passwords are written down, guessable, or forgotten; devices are lost or stolen, and biometric assays alienate users.

Context

Human Mobility, e.g. an internet café

Authentication Characteristics

• Mobile

• Lightweight

• Low in cost

"something you know"

Passwords are not without Human Problems

Yan and colleagues (2004), Cambridge University Computer Laboratory:

• There are trade-offs between good, non-guessable passwords and the limitations of human memory.

• It is hard for users to remember random passwords, while other passwords are guessable; although passwords give users mobility, they can be stolen, guessed, or cracked.

Our Solution

Light weight

Memorable

Mobile

Low in cost

Electronic Personal History

1. The personal history is not given (assigned) to the user; it already exists.

2. It is very large, so nobody except the person themself can remember it.

But what are good authentication questions?

Solutions “Related Work ”

Question Based: Facts and Opinion

• Cognitive Passwords – Question Based (Zviran, 1990)

• Challenge Response Questions (Cartwright, 2004)

Recognition-Based, rather than Recall-Based

Opinion

• Image Portfolios (Dhamija and Perrig, 2002)

• Passfaces (Brostoff and Sasse, 2000)

Question Based-Model

Two Pilot Studies

The population in both experiments consists of people who have and use an electronic calendar, either in Palm format or Microsoft format.

Experiment One

a. Sample size: calendar data of six members of staff

b. Number of questions: 5, randomly selected

c. Kind of questions: true/false

First Experiment Results

Surprising results

1. The person can't remember his own calendar.

2. Others scored better than the person himself on a few questions.

Sensitivity and Specificity

First Test (true/false questions)

Answer                 Is the person                         Not the person
Correct ('Positive')   0.53 (Sensitivity / True Positive)    0.5
Wrong ('Negative')     0.47                                  0.5 (Specificity / True Negative)
Total                  1                                     1

Human Memory

• Long-term memory is divided into episodic, procedural and semantic memory. In our research we have focused on long-term memory and in particular on episodic memory, which some researchers define as autobiographical memory (Baddeley, 1997).

Parameter (Human Memory)

Psychology Parameters

• Recent

• Repetitive

• Pleasant

Experiments Parameters

• Easy

• Difficult

Second Experiment

a. Sample size: calendar data of nine members of staff

b. Number of questions: 8

c. Kind of questions: 6 true/false (Recent, Repetitive, Pleasant; one Easy and one Difficult of each) and 2 Multiple Choice

Sensitivity and Specificity

Second Test (true/false questions)

Answer     Genuine        Impostor
Correct    0.71 ±0.19     0.57
Wrong      0.29           0.43 ±0.10
Total      1              1

Sensitivity and Specificity

Multiple-Choice Questions

Answer     Genuine        Impostor
Correct    0.75 ±0.25     0.78
Wrong      0.25           0.22 ±0.18
Total      1              1

ROC Curve

[Figure: ROC curves for Questions 1 to 8 against the reference line; x axis 1 - Specificity (0.00 to 1.00), y axis Sensitivity (0.00 to 1.00). Diagonal segments are produced by ties.]

Question legend:

Q1 Pleasant, Easy
Q2 Pleasant, Difficult
Q3 Recent, Easy
Q4 Recent, Difficult
Q5 Repeated, Easy
Q6 Repeated, Difficult
Q7 Multiple-Choice
Q8 Multiple-Choice

Variables   AUC
Q1          0.777
Q2          0.545
Q3          1
Q4          0.464
Q5          0.75
Q6          0.696
Q7          0.75
Q8          0.75
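The sensitivity, specificity and AUC figures in the tables above all come from comparing how the genuine calendar owner and the impostors answer. As an added example (not code from the paper), the Python below computes those measures from constructed answer data: sensitivity and specificity for a single true/false question, the ROC operating points of a whole quiz, and the Mann-Whitney form of the AUC with ties counted as one half, which is what produces the diagonal segments in the ROC plot. The respondent outcomes, quiz scores and function names are all assumptions.

```python
# Added example, not from the paper: sensitivity, specificity and ROC AUC
# for question-based authentication, computed from per-respondent outcomes.
# All response data below is constructed for illustration.
from itertools import product

def sensitivity_specificity(genuine, impostor):
    """1 = answered correctly, 0 = wrongly. Sensitivity: fraction of genuine
    users accepted (correct); specificity: fraction of impostors rejected."""
    sens = sum(genuine) / len(genuine)
    spec = 1 - sum(impostor) / len(impostor)
    return sens, spec

def roc_auc(genuine_scores, impostor_scores):
    """Mann-Whitney AUC: probability a random genuine score beats a random
    impostor score; a tie counts 0.5 (the diagonal segments of the ROC)."""
    wins = 0.0
    for g, i in product(genuine_scores, impostor_scores):
        if g > i:
            wins += 1.0
        elif g == i:
            wins += 0.5
    return wins / (len(genuine_scores) * len(impostor_scores))

def operating_points(genuine_scores, impostor_scores):
    """(threshold, sensitivity, specificity) for each rule
    'accept if quiz score >= threshold', i.e. the ROC curve's points."""
    pts = []
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        sens = sum(s >= t for s in genuine_scores) / len(genuine_scores)
        spec = sum(s < t for s in impostor_scores) / len(impostor_scores)
        pts.append((t, sens, spec))
    return pts

# Constructed single true/false question outcomes (1 = correct answer).
RECENT_EASY = ([1, 1, 1, 1], [0, 0, 0, 0, 0, 0])       # separates perfectly
RECENT_DIFFICULT = ([1, 0, 1, 0], [1, 1, 0, 1, 0, 1])  # impostors do better

# Constructed whole-quiz scores (number of correct answers out of 5).
GENUINE_QUIZ = [5, 4, 5, 3]
IMPOSTOR_QUIZ = [2, 3, 1, 2, 3, 4]

if __name__ == "__main__":
    for name, (g, i) in {"recent/easy": RECENT_EASY,
                         "recent/difficult": RECENT_DIFFICULT}.items():
        print(name, sensitivity_specificity(g, i), roc_auc(g, i))
    print("quiz AUC", roc_auc(GENUINE_QUIZ, IMPOSTOR_QUIZ))
    for t, sens, spec in operating_points(GENUINE_QUIZ, IMPOSTOR_QUIZ):
        print(f"accept if score >= {t}: sens={sens:.2f} spec={spec:.2f}")
```

For a single yes/no question the AUC reduces to (sensitivity + specificity) / 2, which is why a question like Q3 in the table can reach 1 only when every genuine answer is right and every impostor answer is wrong.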

Conclusions

• The pilot study showed the feasibility of this novel idea.

• Surprising result: the person can't remember his own calendar.

• The recent, repetitive and pleasant question types are better remembered, and these types need further investigation in a bigger experiment.

• In reality the information will usually not be shared, and the impostor population will be random people, which gives the idea more credibility.

Future Work

• Implementation Model

• Additional Information

Trusted Third Party (TTP)

Mitchell (2004) summarized authentication for SSO or certificate-based schemes into two major stages:

A. the initial authentication stage

B. the authentication-at-instant-time stage

[Diagram: TTP – Question-Based Model – Question/Answer – Authentication – Electronic Personal History (e.g. PayPal on eBay)]


Future Work

• The research can go further and use other electronic data, such as data stored on mobile phones (E911 legislation), GPS, PCs, and government or organisational databases; in the future, with smart environment applications, there will be a huge amount of stored electronic personal data. This large body of information can provide better security and, at the same time, give users mobility because it is memorable.

• More investigation is required to gain more confidence in the results.

Thank you