Internet Authentication Based on Personal History – A Feasibility
Test
Ann Nosseir , Richard Connor, Mark DunlopUniversity of Strathclyde
Computer and Information Sciences [email protected]
Introduction
• On the Internet, there is an uneasy tension between the security and usability of authentication mechanisms
How we are authenticated?
Authentication Scheme Stajano, 2002. three-part classification is• "something you know" (e.g. password); • "something you hold" (e.g. device holding digital certificate), • "who you are" (e.g. biometric assessment)
Each of these has well-known problems; passwords are written down, guessable, or forgotten; devices are lost or stolen, and biometric assays alienate users.
Context
Human Mobility e.g. internet coffee
Authentication Characteristics
• Mobile
• Lightweight
• Low in cost
"something you know"
Passwords are not without Human Problems
Yan and his colleagues 2004 in Cambridge University Computer Laboratory
• There are trade offs between good non-guessable passwords and the limitations of the human memory.
• It is hard for users to remember random passwords, but others are guessable; although passwords provide users with mobility, they can be stolen, guessed, or cracked.
Electronic Personal History.
1.The personal history.it is not given.
2.It has a characteristic that it is very large so nobody can remember except the person him self.
But what are good authentication questions?
Solutions “Related Work ”
Question Based Facts and Opinion
• Cognitive Passwords –Question Based Zviran 1990 • Challenge Response Questions Cartwright 2004 Recognition-Based, rather than Recall-Based
Opinion
• Image Portfolios Dhamija and Perring 2002
• Passfaces Brostoff and Sasse 2000
Two Pilot Studies
Population in both experiments includes the people who have and use electronic calendar either in palm format or Microsoft format
Experiment Onea. Sample size (Six calendar data of the staff)b. No. of Questions (5) Randomly selected c. Kind of questions (true/ false)
First Experiment Results
Surprising results
1.The person can’t remember his calendar
2.Others scored better that the person him self in a few questions.
Sensitivity and Specificity
First Test Is the person Not the person
Correct answer‘ Positive’
0.53(Sensitivity)
(True Positive)
0.5
Wrong answer‘Negative’
0.47 0.5(Specificity)
(True Negative)
1 1
Human Memory
• Long-term memory is divided into episodic, procedural and semantic memory. In our research, we have focused on the long-term memory and in particular the episodic memory which some researchers define it as autobiographical memory. Baddeley, A.
1997
Parameter (Human Memory)
Psychology Parameters
• Recent
• Repetitive
• Pleasant
Experiments Parameters
• Easy
• Difficult
Second Experiment
a. Sample size (9 calendar data of the staff)
b. No. of Questions (8)
c. Kind of questions (6 true/ false) (Recent, Repetitive, Pleasant)
& (2 Multiple Choice)
for each (Easy and Difficult)
Sensitivity and Specificity
Second Test
Answer
Genuine Impostor
Correct 0.71 ±0.19 0.57
Wrong 0.29 0.43 ±0.10
Total 1 1
Sensitivity and Specificity
Multiple- Choice
QuestionsAnswer
Genuine Impostor
Correct 0.75 ±0.25 0.78
Wrong 0.25 0.22 ±0.18
Total 1 1
ROC CurveROC Curve
Diagonal segments are produced by ties.
1 - Specificity
1.00.75.50.250.00
Se
nsitiv
ity
1.00
.75
.50
.25
0.00
Source of the Curve
Reference Line
Question 8
Question 7
Question 6
Question 5
Question 4
Question 3
Question 2
Question 1
Q1 Pleasant Easy Q2 Pleasant Difficult Q3 Recent Easy, Q4 Recent Difficult Q5 Repeat Easy Q6 Repeated Difficult, Q7 Multiple-Choice Q8 Multiple Choice
Variables AUC
Q1 0.777
Q2 0.545
Q3 1
Q4 0.464
Q5 0.75
Q6 0.696
Q7 0.75
Q8 0.75
Conclusions
• The pilot study showed feasibility of this novel idea.
• Surprising results that person can’t remember his calendar
• The recent, repetitive, pleasant question types are better remembered and these types need further investigations in a bigger experiment.
• In the reality, information will not be shared usually population is random people which gives the idea more creditability.
Trusted Third Party (TTP)
Mitchell, 2004 summarized authentication stages for SSO or certificate into two major :
A. the initial authentication stage
B. authentication at instant time stage
Question Based-Model
Question /Answer
Authentication
Electronic Personal History e.g. pay-pal on e-bay
Future Work
• The research can go further and use other electronic data such as data stored on mobile phone (E911) legislation, GPS, PC, government or organizations database and, in the future with the smart environment application, there will a huge amount of stored electronic personal data. This large bulk of information can provide better security and, at the same time, will provide users with mobility because it is memorable.
• more investigation is required to gain more confidence in the results
Top Related