Slashdot Mirror


Researchers Develop "Narrative Authentication" System

hypnosec writes "Researchers have developed a 'narrative authentication' system that could put an end to the need to remember complex passwords to log onto computer systems. The new system has been developed by Carson Brown and his colleagues over at Carleton University in Ottawa, Canada. The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they log in next time. Users can interact with the logging software and add their own events in the real world like wedding dates, holidays, travel dates, etc."

117 comments

  1. B.S. For funding by Great+Big+Bird · · Score: 5, Insightful

    Sounds like useless bullshit produced to get funding dollars.

    1. Re: B.S. For funding by Anonymous Coward · · Score: 5, Insightful

      Cynic. How can you not believe in something that tracks your computer use and then lets you add commonly known dates as additional verification? There's no way a co-worker will ever be able to log into your account at work, or a family member at home.

      BTW, who wants to play 20 questions when logging in and what company gets to own the data about your computer use?

    2. Re: B.S. For funding by Anonymous Coward · · Score: 1

      You forgot about stalkers. They'll love this type of thing.

    3. Re: B.S. For funding by buck-yar · · Score: 1

      The problem with this is it's a weak system. Many accounts are already hacked via the security questions.

    4. Re: B.S. For funding by PvtVoid · · Score: 1

      The problem with this is it's a weak system. Many accounts are already hacked via the security questions.

      Does anybody seriously answer "security questions" honestly? I always, always, fill them in with a random character string.

    5. Re:B.S. For funding by Anonymous Coward · · Score: 0

      Oh it is more sinister than merely a funding vehicle if you look beneath the surface. Carleton University is a direct feeder into various Government of Canada departments and agencies.

    6. Re:B.S. For funding by MitchDev · · Score: 2

      No kidding, how many people remember what they had for lunch yesterday as opposed to a password? That's all this sounds like.

    7. Re: B.S. For funding by Anonymous Coward · · Score: 0

      Exactly this. Mod parent up!

    8. Re: B.S. For funding by Anonymous Coward · · Score: 0

      The problem with this is it's a weak system. Many accounts are already hacked via the security questions.

      Does anybody seriously answer "security questions" honestly? I always, always, fill them in with a random character string.

      Heh. "What is my password?"

    9. Re: B.S. For funding by dkleinsc · · Score: 1

      And of course, there's absolutely no possible way that a Facebook employee would have access to that information.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    10. Re: B.S. For funding by Anonymous Coward · · Score: 0

      Pick obscure vegetable for all security questions, like tomato.

    11. Re: B.S. For funding by mlts · · Score: 2

      We had this with Facebook in the past. It would pop up a picture and you would match it up with a friend. However, a lot of people use cat pictures, red "=" symbols, just a black picture, or some other cause they are trying to champion. So, choosing between five pictures that are solid black (like Spinal Tap's album) to match up with a friend is pointless.

      Of course, challenge/response questions are not great either. Palin can tell one this. Plus, sniff one password, sniff them all.

      Recovery of an account is a hard nut to crack, on both the password protection/authentication front, as well as key recovery/escrow.

      For key escrow/recovery, in a previous life, a place I worked at (long since bought up by another company) had a no name holding corporation which rented an office. Once past the alarm system (had both duress and holdup alarms), and into a side room, there was a large jewelry safe with glass panels that would fire off relockers if the door was hit with a hammer and a Mas-Hamilton (Now Kaba Mas) X-08 combination lock. The safe had a locked compartment that housed the private keys that were uuencoded and printed out. In the safe were a couple burned CDs with the info as well.

      This office (as well as another remote site) provided adequate key recovery for this SMB, although trying to scale up from that would be tough.

      Authentication is easier... you don't have to have the exact key, just prove that you are whom you claim to be. For a lot of things, having a website text a person number with a 4-6 digit code, and one inputting that in a website is good enough, especially if the SMS protocol gets augmented by better security a la Apple's iMessage. This isn't 100% though, especially if the number gets cut off by the telco. However, combining this with a scratch off card with some one use numbers might cover more bases, although if one loses everything (phone, scratch off card) in a fire, they are hosed.

    12. Re: B.S. For funding by Anonymous Coward · · Score: 0

      A tomato is such an obscure vegetable that it's actually a fruit.

    13. Re: B.S. For funding by vlad30 · · Score: 2

      Ask for wedding date! Only man I knew who could remember that had it etched on his wedding band and he still missed getting an anniversary gift.

      --
      You're all thinking it, I just said it for you
    14. Re: B.S. For funding by ShanghaiBill · · Score: 1

      Only man I knew who could remember that had it etched on his wedding band and he still missed getting an anniversary gift

      Pro-tip: Buy wedding/birthday/whatever gifts in advance, and in bulk, and already professionally gift wrapped. Then hide them someplace your wife/gf will never look, such as your toolbox in the garage. Then when she says "you forgot our anniversary", you can say "no I didn't!" and go fetch a gift. I already have a dozen pre-wrapped Swarovski crystals that I bought on eBay, so I am covered for the next few years.

    15. Re: B.S. For funding by neoritter · · Score: 3, Funny

      I tried this and ended up with a closet full of dead puppies...

    16. Re: B.S. For funding by rioki · · Score: 1

      My wedding is about a week after my birthday. I remember my birthday obviously and that is the trigger to get something. The exact date is then irrelevant.

    17. Re: B.S. For funding by gzuckier · · Score: 1

      My computer got hacked. Now my mother has to change her maiden name.

      --
      Star Trek transporters are just 3d printers.
    18. Re: B.S. For funding by gzuckier · · Score: 1

      It could ask you which porn site you visited yesterday.

      --
      Star Trek transporters are just 3d printers.
    19. Re: B.S. For funding by kmoser · · Score: 1

      If only I had a small electronic device on my person that contained a calendar and the ability to automatically remind me of upcoming events.

  2. No, thank you. by Parsiuk · · Score: 5, Insightful

    I'm sick of "intelligent" systems which are making my life more and more complicated.

    1. Re:No, thank you. by Chrisq · · Score: 1

      Why do you H8 the government?

      is that a rhetorical question?

    2. Re:No, thank you. by smittyoneeach · · Score: 1

      Mostly

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    3. Re:No, thank you. by MitchDev · · Score: 1

      More accurately, why wouldn't you hate the government?

    4. Re:No, thank you. by parkinglot777 · · Score: 1

      You shouldn't involve irrelevant topics in this discussion. It is not really funny but rather troll or flame bait.

      Back to the topic, I agree with the GP that the new system in TFA is actually more complicated than simply memorizing a set of passwords. In other words, you will have to remember what you did. If you need to log in every day, it "may" be OK (some people may unintentionally forget what they did for many reasons). If you are required to log in once a week, you are likely to forget what you did last week.

    5. Re: No, thank you. by Anonymous Coward · · Score: 0

      This is a private corporation that makes things more difficult!

    6. Re:No, thank you. by rioki · · Score: 1

      What did you do yesterday evening? Dunno... watch porn? Good, what porn exactly? Um...

  3. i'm drunk and i don't remember my activities by Anonymous Coward · · Score: 4, Funny

    lemme in ya fukcin piceec of shhhtt!!!!!!

  4. so, you just have to remember everything by Anonymous Coward · · Score: 0

    you ever did to be able to log in?

    1. Re:so, you just have to remember everything by Anonymous Coward · · Score: 0

      Yeah, now not only your wife will sulk if you forget your wedding day, but also your computer. ;-)

  5. Gosh... by fuzzyfuzzyfungus · · Score: 4, Insightful

    An authentication system that combines the fun of 'intelligent' phone-tree voice recognition 'expert' systems with the assumption that biographical trivia are anything other than hilariously public.... Where do I sign up?

    1. Re:Gosh... by Impy+the+Impiuos+Imp · · Score: 1

      "log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time"

      "Based on your history, who do you think is sexier, JLaw, Tay Tay, or Bailey Jay?"

      "Where's the goddam opt out button on this thing?"

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  6. XKCD FTW by Gothmolly · · Score: 5, Insightful

    I'll just leave this right here

    https://xkcd.com/936/

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:XKCD FTW by Anonymous Coward · · Score: 2, Insightful

      Ah, the correct battery staple horse. No, wait, that's wrong. It must be horse battery staple correct. Or was it battery staple horse correct?

    2. Re:XKCD FTW by Anonymous Coward · · Score: 0

      Long passphrases are more memorable than short passphrases, and if you don't like punctuation, don't use it. Could the comic be any more obvious?

      Personally, I like my long passphrases with caps, substitutions, and random junk mixed in.

    3. Re:XKCD FTW by Anonymous Coward · · Score: 0

      The comic also disregards bigram, trigram, ... and n-gram probabilities. People who quote it should study cryptography or change careers.

    4. Re: XKCD FTW by Anonymous Coward · · Score: 0

      the problem with very long passwords is that typing them in gets tedious when you have to do it all the time

    5. Re:XKCD FTW by Mathinker · · Score: 1

      Uh, it's still only going to take 24 tries before you get it correct, in the very worst case in the scenario you propose. And the xkcd strip was making a "differential" argument, not an absolute one (e.g., for the same security, are you more likely to forget a password of random characters versus a series of words).

      What's actually of greatest importance is how often you use the password. In my experience, complex passwords which are seldom used are a recipe for disaster. When I go on vacation, I sometimes take SHA1 hashes of my more problematic passwords with me so I can "practice" them...

    6. Re:XKCD FTW by FilmedInNoir · · Score: 2

      How dare you question the humor and wisdom of stick men AC!

      --
      Sig. Sig. Sputnik
    7. Re:XKCD FTW by PvtVoid · · Score: 1

      The comic also disregards bigram, trigram, ... and n-gram probabilities. People who quote it should study cryptography or change careers.

      No it doesn't. The entropy in a set of N unique randomly chosen words from a P-word dictionary is P*(P-1)*(P-2)...*(P-N), or approximately P^N. Period. N-gram probabilities from natural language have absolutely fuck all to do with anything here.
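      As an added worked example (not from any commenter on this page), here is the entropy arithmetic behind the "unique words" argument above and the xkcd 936 comparison it refers to: the falling-factorial count for N distinct words versus the simpler P^N model, and how both compare to a random character string. The word list is constructed for illustration; a real diceware-style list has thousands of entries.

```python
"""Entropy accounting for word-based passphrases (added example)."""
import math
import secrets

# Constructed sample word list (16 entries); real lists are ~2000-8000 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "blender", "green",
                "lobster", "carburetor", "mango", "bookbag", "tooth", "bitter",
                "anchor", "velvet", "pixel", "walnut"]


def bits_without_replacement(p: int, n: int) -> float:
    """log2 of P*(P-1)*...*(P-N+1): ordered phrases of N distinct words from P."""
    if not 0 < n <= p:
        raise ValueError("need 0 < n <= p")
    return sum(math.log2(p - i) for i in range(n))


def bits_with_replacement(p: int, n: int) -> float:
    """log2 of P^N: words may repeat; this is the '11 bits per word' model."""
    return n * math.log2(p)


def bits_random_string(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string, e.g. 8 chars from 95 printable ASCII."""
    return length * math.log2(alphabet_size)


def words_needed(p: int, target_bits: float) -> int:
    """Smallest N such that N*log2(P) >= target_bits (with-replacement model)."""
    return math.ceil(target_bits / math.log2(p))


def generate_passphrase(words: list[str], n: int) -> list[str]:
    """Pick N distinct words with the OS CSPRNG; its entropy is
    bits_without_replacement(len(words), n), never less than that."""
    return secrets.SystemRandom().sample(words, n)


if __name__ == "__main__":
    p, n = 2048, 4  # a 2048-word list, four words: the xkcd 936 setting
    print(f"P^N model:          {bits_with_replacement(p, n):.3f} bits")
    print(f"distinct-words model: {bits_without_replacement(p, n):.3f} bits")
    print(f"8 random printable chars: {bits_random_string(95, 8):.2f} bits")
    print(f"words needed to match that: {words_needed(p, bits_random_string(95, 8))}")
    # With a tiny list the distinct-words correction is no longer negligible.
    print(f"16-word list, 4 words: {bits_without_replacement(16, 4):.2f} bits "
          f"vs {bits_with_replacement(16, 4):.2f} bits")
    print("sample phrase:", " ".join(generate_passphrase(SAMPLE_WORDS, 4)))
```

      For a 2048-word list the two models differ by about 0.004 bits, so treating the phrase as P^N is fine in practice; the gap only matters when the list is small.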

    8. Re: XKCD FTW by Anonymous Coward · · Score: 1

      the problem with very long passwords is that typing them in gets tedious when you have to do it all the time

      on your phone.

    9. Re:XKCD FTW by jfengel · · Score: 1

      It gets worse once you have more than one password to remember. The silly image tries to link them all together, so that you don't get your "correct horse battery staple" mixed up with your "blender green lobster carburetor" at your bank and your "mango bookbag tooth bitter" for your work computer, but if you've left any of them alone for more than a few weeks they fade and get mixed up. "Correct horse battery staple" stands out by itself from your eight-letter passwords for being different, but as part of a whole password ecosystem the advantages diminish.

      In the end, I think that entropy is entropy. Trying to use visual mnemonics to handle more entropy is an old (and helpful) trick, but the XKCD example isn't a good one: three of the four words appear as words. Only the horse shows up solely as a horse; only the "battery staple" really connects two separate words together visually.

      "Memory castles" work because they tell a story, and they're for memorizing stories. But they're not all that good at memorizing them exactly, letter for letter, which is the point of a pass phrase. And when the elements of the story truly are random, they don't evoke each other. To provide real continuity you'd need to turn your four words into a full story, and now you're memorizing lots of extra bits to make them cohere.

      This isn't a terrible idea; passwords are hard. But it's not the automatic win that Munroe makes it look like. You simply won't be able to keep hundreds of bits of entropy in your head without flaw unless you practice them over and over. And if you practice over and over, you can do just as well with "Tr0ub4d0r" as anything else.

    10. Re:XKCD FTW by psithurism · · Score: 1

      I use grammatically correct and spell checked sentences for my old true crypt passwords; I've never forgotten one.

      "Alice had a little lamb. Porn Filter unit test files"

      Occasionally I've had to try a few variations, but never been as baffled as I have for some old accounts that I've lost completely, with leetified names as most of my online passwords of "8-12 characters one special character [^"' ` ] and a number and capital letter.

    11. Re: XKCD FTW by psithurism · · Score: 1

      I hate how overused that comic is, but I have to disagree with most disagreements with it.

      I can type a full sentence about as fast as I can contort and remember a 13373D password.

      I've used both and I'd say I get faster at a sentence you type 5 times a day than at a sequence of random characters.

      Of course if you use your favorite vim shortcut or a good line of assembly as your 8 character password, then I guess you could beat the full sentence strategy.

    12. Re: XKCD FTW by fisted · · Score: 1

      the problem with very long passwords is that typing them in gets tedious when you have to do it all the time

      on your phone.

      at -40 degC.

    13. Re:XKCD FTW by Mathinker · · Score: 1

      > You simply won't be able to keep hundreds of bits of entropy in your head
      > without flaw unless you practice them over and over.

      This is why it pays, for all of those passwords for websites which are low-risk, to either use some kind of "Password Safe" program, or simply have a personal algorithm for generating passwords which enables you to write down reminders in a personal shorthand.

      Anyone who needs to keep hundreds of bits of entropy in their heads is simply "doing it wrong".

  7. NSA thanks the devs by Anonymous Coward · · Score: 1

    Yeah, really good idea... I bet the NSA already has some guys rubbing their hands in glee while they wait for this tool to be released and start collecting information for them for free!

  8. Completely unhackable by mwvdlee · · Score: 2

    Completely unhackable because there can only ever be one system that can scan all these sources.
    A hacker could not possibly create their own system that scans the same public facebook pages and twitter posts.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Completely unhackable by alphatel · · Score: 1

      Completely unhackable because there can only ever be one system that can scan all these sources.

      Yes it's called the NSA

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  9. Retarded by Hognoxious · · Score: 4, Insightful

    Last time I forgot a gmail password it did this. Something like the last 3 people I'd emailed, and the last three I'd received emails from and some other tripe. I don't mean the magic "first pet dog's name" question or anything like that.

    I remembered my password before I even got close to figuring any of that shit out.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:Retarded by Frankie70 · · Score: 4, Funny

      I remembered my password before I even got close to figuring any of that shit out.

      So it worked.

    2. Re:Retarded by Anonymous Coward · · Score: 0

      last three I'd received emails from and some other tripe.

      Seriously? Nine out of ten emails I receive live in the twilight zone between genuine spam and vaguely useless communications. Conference CFPs, mail from various alleged "rewards" programs, irrelevant work emails reminding people not to stick scissors in toasters, facebook telling me I've been porked or some such... and they imagine we remember that crapola? I stand amazed!

    3. Re:Retarded by psithurism · · Score: 1

      I came here to say exactly this. They locked my account while I was travelling internationally.

      When did you sign up for gmail MM/YY? Uh, after 2002 but before 2008.
      What are three tags you've applied to your email? TODO, NotSpam, ImportantInfo....wait no To Do, Mostly no spam, Saved info... no it was soon-to-do, Unspam.
      When did you last successfully sign in to gmail? Yesterday afternoonish or morning, is that in the future from this time zone? No wait, I did only work email yesterday? Does my phone's mail app count?
      Who are three people you commonly email? Jim69@yahoo.com, oh wait he moved to some leetified version of jimmyjimmy@gmail.com now, but I can't remember because I've just typed jim into the "to:" field and gmail knew who to send it to (times 3).

      This is why I have a gmail account, dammit! To keep track of contacts and dates for me. If I remembered all this stuff, I'd just use the free email provided by my ISP so people could send me messages.

      Needless to say, I had to wait to get to a country, which I guess has fewer gmail attacks, before I could use my account again. I did remember my password though, I remember my last 3 passwords and more if you allow me natural human memory loss (was it @mailPass3? or @mailP4ssThree,)?

  10. A questionnaire instead of a password? Really? by LostMonk · · Score: 1

    So, instead of a single password I'll need to answer a questionnaire every time I want to login?? And, of course, the company is happy to save me the trouble and storage space and will gladly store all my activities on their servers. No thanks.

    1. Re:A questionnaire instead of a password? Really? by Anonymous Coward · · Score: 2, Funny

      Boss: I need the data for XY.
      You: OK, I'll give it to you. Let me just log in.
      Computer: This is the narrative authentication system. What have you been doing most of the time yesterday?
      You: Working on the report.
      Computer: The answer is wrong. Please try again.
      You: Programming.
      Computer: The answer is wrong. Please try again.
      You. Surfing Slashdot.
      Computer: Authentication succeeded.
      Boss: You're fired.

      SCNR ;-)

  11. Consistency by Nerdfest · · Score: 1

    I think the big problem with it is that it would tend to be inconsistent in its complexity and might dip to a very low complexity on occasion making it easy to compromise. The algorithm wouldn't have any real idea of when something was easily guessable. Still, probably better in almost all cases than most people's passwords, but not as good as people who use them well.

    1. Re:Consistency by CastrTroy · · Score: 1

      I seriously don't know why most people just don't use a program like PasswordSafe of Keepass and just be done with the whole problem. Just 1 password to remember, and you can have complicated, unique passwords for every single system, and not have to remember any of them. You can also get apps that read the encrypted password files for your phone, and tablet, so you don't really have to worry about being without your passwords. Typing in your master password on your phone can be a little cumbersome, but it's not something you'll have to do every day.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  12. Logging into a pron site account by Anonymous Coward · · Score: 0

    ... would become even more weird

  13. Choose your own adventure authentication scheme by anchovy_chekov · · Score: 1

    I'd prefer an authentication system that forces you to play a variant of Zork.

    1. Re:Choose your own adventure authentication scheme by Anonymous Coward · · Score: 0

      Invalid login attempt. Your data has been eaten by a grue.

  14. Questions by fazig · · Score: 1

    Imagine this: Your wife wants to log into her gmail account, you didn't remove your account from the account management, she doesn't notice that she tried to login to your account.
    Gmail: What kind of porn were you looking up when you used your gmail account the last time?

  15. Re:Completely rehackable by VortexCortex · · Score: 2

    It's not meant to be incompletely unhackable. Think of it as adding another factor of authentication. So, with three factor authentication there will be something you know (your password), something you have (your ID card / token), and something you are (a nerd). This adds a fourth factor: Something you did (forgot what that was and called tech support).

    The genius of this system is that it relies on the existing proven security of the questions overseas help desk personnel usually ask you like: How long has it been since you logged in? What's your favorite sports team? What kind of accent is that? What's your mother's maiden name? What are you wearing? Etc.

  16. Sounds like a plan! by RenHoek · · Score: 4, Insightful

    Yes, because a site breach wasn't annoying enough yet when they take all of the passwords. Let's give them more information to do spearphishing with.

    1. Re:Sounds like a plan! by Anonymous Coward · · Score: 0

      "Hello, you surely remember me from Harvard 1983. I was in your math class. Do you remember the fun we had? I hope you can help me now. I urgently need 1000 dollars, or I'll be in big trouble."

      "Wait a moment ... Harvard 1983, you said? Ah, I see, you've hacked my eBay account."

      "Why do you think so?"

      "Well, if it had been my Amazon account, it would have been MIT 1995. And on Google it's Stanford 1977."

  17. Looks like a great opportunity for criminals... by Keyboard+Rage · · Score: 1

    Have these people never heard of microphones?

    It also sounds like a really great way to obtain a lot of extremely interesting metadata for nefarious purposes. Personal information that may be also used for things like bank accounts + travel dates? Yay, break in + plundering of all the victim's money!

    And then the bank will say "You did this yourself, only you know all this sensitive information. Say bye bye to your money."

  18. The real problem... by tlambert · · Score: 2

    lemme in ya fukcin piceec of shhhtt!!!!!!

    The real problem is not when you're drunk; eventually, you'll be sober and be able to log in later. That's almost a feature, like a breathalyzer on your phone to keep you from drunk-dialing old lovers who got married to someone else 5 years ago.

    No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?

    1. Re:The real problem... by Anonymous Coward · · Score: 0

      eventually, you'll be sober

      Not a chance!

    2. Re:The real problem... by Anonymous Coward · · Score: 1

      "No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?"

      Does that mean when you're drunk, you don't remember the color of the 17th cat you watched yesterday?

    3. Re:The real problem... by Anonymous Coward · · Score: 0

      How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?

      "Namibian midget Hang Glider Porn"
      Now, it's memorable!
      Also, several other parties may keep track of it for you.

  19. Sneakers? by wbr1 · · Score: 2

    Hi, my name is Werner Brandes. My voice is my passport. Verify Me. My wife's birthday is 8/1/67, and I like puppy posts on Facebook.

    --
    Silence is a state of mime.
    1. Re:Sneakers? by Anonymous Coward · · Score: 0

      Picard-Epsilon-7-9-3

    2. Re:Sneakers? by Joe_Dragon · · Score: 1

      please speak more slowly

    3. Re:Sneakers? by Vitriol+Angst · · Score: 1

      It's way more exacting in detecting patterns;
      "Candy Crush, twitter feed, Facebook, Pr0n, CHECKS EMAIL, Candy Crush, twitter feed Facebook, Pr0n, ,..."

      NEW SECURITY SYSTEM:
      "Yup, that's user 210072B all right!"

      Lots of code in the heuristics to add the "Yup" on that challenge response.

      --
      >>"ad space available -- low rates!!!"
    4. Re:Sneakers? by Anonymous Coward · · Score: 0

      Sneakers predates Facebook by over a decade. Hell, it predates the Web by a couple of years. For that matter, "voiceprint identification" was used in the movie 2001: A Space Odyssey which was released in 1968.

  20. Simple by The+Cat · · Score: 0

    There's nothing wrong with passwords. Use a good password and everything will be fine.

    Can we start working on something important for a change instead of obsessively re-inventing the wheel?

    1. Re:Simple by MitchDev · · Score: 1

      But then how would eggheads steal, I mean waste, I mean get more money?

  21. Re:Completely rehackable by Anonymous Coward · · Score: 1

    The genius of this system is that it relies on the existing proven security of the questions overseas help desk personnel usually ask you like: How long has it been since you logged in? What's your favorite sports team? What kind of accent is that? What's your mother's maiden name? What are you wearing? Etc.

    "Security questions" are a threat to security, as they enable a shortcut past (i.e. easier to guess than) the regular protection of a password. If you demand security questions _in_addition_ to passwords, and never EVER use them without also demanding passwords, then you can create a system that is at least not less secure than a system with only passwords.

    In most cases, when I review the security of some system, the existence of security questions is sufficient reason to reject the product altogether and tell the developers to re-think the security aspects from scratch. It's not the programmers' fault, it's their "security" guys' fault, but it is the developers who will suffer for it. Unfortunately.

  22. Let's see... by Anonymous Coward · · Score: 2

    A system that's inconvenient when it works, is insecure, and increases the chance of you getting locked out of your own account.

    I really can't see a use case for this.

  23. Tell my NSA tapped cell phone ALL my secrets by Anonymous Coward · · Score: 0

    Can't lose!

  24. Last activity? by hcs_$reboot · · Score: 1

    The main idea is to log a user's activities on the system and then ask questions about them when they login next time

    it'll be interesting when the system asks "what was that porn site you visited a lot last time?"

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  25. I'm beginning to think that by LookIntoTheFuture · · Score: 2

    giving up privacy is the solution to everything! What could possibly go wrong?!

    --
    Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
    1. Re:I'm beginning to think that by LookIntoTheFuture · · Score: 1

      The guy with herpes forgot his password. Log him in!

      --
      Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
  26. Blizzard solved this ages ago! by hoborg1 · · Score: 1

    Why doesn't every website just let me use my Blizzard authenticator?! Problem solved!

    1. Re:Blizzard solved this ages ago! by Anonymous Coward · · Score: 0

      Why doesn't every website just recognize I'm me? Problem solved!

  27. It's all spin! by Anonymous Coward · · Score: 0

    So now "they" are trying to spin tracking online activities as a "security feature"?

    Come the revolution....

  28. WHAT is your favorite color? by Anonymous Coward · · Score: 0

    Blue... I mean red... AHHHHHHHHH

  29. Kindly accept this here blood sample by Tristao · · Score: 0

    After all, They (tm) wouldn't really get a complete view without getting our DNA as well.
    Let me just check here real quick what They (tm) have been known to ask for a simple login:
    Name - check
    Favourite food / first pet /mother's maiden head (or name) - check
    Fingerprints - check and IOScheck
    All kinds of other details rendered irrelevant after having our name - check
    What we've been up to - check
    Rectal probe with RFID - check (wait, I think I dreamt that one, better patent it)
    Complete DNA profile - to-do

  30. novel authentication by Anonymous Coward · · Score: 0

    This particular one isn't so clever, but there are a lot of interesting schemes that rely on keeping track of how you type or use the mouse, or what length words and sentences you use, etc.

    None of them are super accurate for the general population, but for some subset they're very, very good, and the subset changes depending on what the mechanism is. That is, some people have very unique writing styles, others have unique keystroke timing. So a combination of these techniques might be very powerful.

    The comments in this thread all fall into the "we can only use *one true best method*" fallacy. That may be what you're forced to do if you're implementing it in little pieces of metal (key/lock) or on an Intel 4004 or using TTL MSI parts, but with modern computational horsepower and good analysis, using multiple modalities is an appropriate and wise thing to do.

  31. Laugh by koan · · Score: 1

    "The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time."

    Cloud security?
    I think I'll stick with pass phrases.

    --
    "If any question why we died, Tell them because our fathers lied."
  32. Do you really want this? by stinkydog · · Score: 2

    Computer: Last time you were on, you watched a video. In that video a _____ was having sex with a ____. Respond?

    End of Line

    --
    “Who knew something as harmless as willful ignorance could end up having real consequences?”
    1. Re:Do you really want this? by Anonymous Coward · · Score: 0

      In that video a _____ was having sex with a ____.

      What is this "having sex" thing of which you speak. Please tell me more. I am interested in investing in your project.

  33. Can you say, "I want a GRANT"? WORTHLESS SHIT by Anonymous Coward · · Score: 0

    So, how many of you want all of this personal information in a system that will be hacked and stolen? 100% guarantee that hackers would target this information and then you are REALLY screwed if you're dumb enough to use real anniversary dates, birthdates, etc.

    And what is the system going to ask you, "What were you last running on your machine before you shut down?" Don't remember, Oh shit. That wasn't me but my wife that was logged on.

    Just plain stupid and someone looking to get money from fools.

  34. Prior Art by joshuao3 · · Score: 2

    Narrative authentication has been used by the military for years to authenticate the identity of soldiers found in the battlefield who are able to communicate but don't have any form of identification.

    --
    Monitor bandwidth usage on IIS6 in real-time: http://www.waetech.com/services/iisbm/
  35. Re:Completely rehackable by Somebody+Is+Using+My · · Score: 1

    Except this isn't an example of the third "something you are" factor; it is just more of "something you know".

    Now, if the system analyzed your data, created an accurate profile of you and then postulated a rhetorical situation, asked you how you would respond to same, and gave access based on your response, that might be a better example of a third factor. This changes it from a recitation of a fact (be it a password or personal data) which anyone can answer to an analysis of attributes unique to the individual (biometric data or psychological traits), which purportedly can only be provided by the authorized person.

    Example

    Computer: It's Friday night, and your girlfriend wants to go to see %chickflick%, but you want %scifiepic%; what do you do?
    Slashdot User: Neither, on Friday nights I play World of Warcraft with my guild!
    Computer: Access granted.
    (alternately, "what's a girlfriend" would also have sufficed)

    Of course, that would require the system to make a 100% accurate /and unique/ profile for each user, and somehow I don't think the proposed system is quite up to the task.

    No, what is being suggested is just changing a static password to a collection of facts which supposedly are both easier to remember and only known in full to the authorized user.

  36. foiled.... by smash · · Score: 1

    ... by twitter, facebook, etc.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  37. Really, Again?????? by Otaku-GenX · · Score: 1

    And how many times have we heard "an end to passwords". UGH Please stop blaring that unless you have it up and running in real life on many different environments.

    --
    I am me, I am the anomaly in the machine.
  38. Re:Completely rehackable by Electricity+Likes+Me · · Score: 1

    The problem is all of this information is incredibly public. What did I last buy on ebay? Probably a thing I then told a bunch of people I bought for a great price on ebay.

    You could even game this system - do a bunch of fake logins, and use the questions to reverse-engineer the responses.

  39. Actually, this could be useful by davide+marney · · Score: 1

    As a basis for the knowledge factor component ("something only the user knows") of a multi-factor authentication scheme, this could be very useful, indeed, because it changes every time the user does something. Other forms of knowledge factors such as passwords are vulnerable to spying or code-breaking. The benefit here is it could seriously raise the bar for spoofing the user, since now the attacker would need access to the entire log of activity rather than just a single knowledge factor, and be able to infer the answer to a question rather than just crack an encryption scheme.

    Of course, details matter, but I suspect there is a lot of value here. You want to try and eliminate entire categories of attack vectors, and this sounds pretty interesting in that regard.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
  40. Seriously Stupid by wcrowe · · Score: 1

    Nobody is going to want to go through an interrogation every time they log in.

    --
    Proverbs 21:19
  41. dates by Anonymous Coward · · Score: 0

    Like I can remember my anniversary? A pharmacist used my son's birthday as a check before handing me a prescription (one dose antibiotic... whew). She finally said "is it ...". Yes, yes it is.

  42. User activities by PPH · · Score: 2

    Computer: "What did you do the last time you logged on?"
    Me: "Surfed for porn and posted snotty comments on Slashdot."

    Who woulda' guessed that?

    --
    Have gnu, will travel.
    1. Re:User activities by Vitriol+Angst · · Score: 1

      That means only 20 million people could potentially log in as you or me.

      --
      >>"ad space available -- low rates!!!"
    2. Re:User activities by Common+Joe · · Score: 1

      Computer: "What did you do the last time you logged on?"

      Me: "Surfed for porn and posted snotty comments on Slashdot."

      Pinky: Gee, Brain, what do you want to do tonight?

      Brain: The same thing we do every night, Pinky.

  43. A co-author's thoughts by soma · · Score: 5, Informative

    Hello. I'm one of the co-authors of the workshop paper that inspired this article. I say "inspired" because the article is completely misleading.

    First off, the paper was a position paper. It was primarily speculation about how we could do authentication in the future. The idea behind it was that humans are bad at remembering very specific facts but are very good at remembering stories - narratives. What would it mean to authenticate using stories? Think about how you'd verify the identity of a friend communicating via text message from an unknown phone number or account. Make a computer do that.

    And yes, fully developed such a system would be AI-complete. But I think there are lesser incarnations that might be usable and secure. But that is just educated speculation on my part.

    Now the paper did present a simple example of how you could do something kinda-narrative-like using text adventures (yes, think Zork). Such a system isn't discussed in more detail because there are many usability challenges. But it can be done. Carson Brown got his Master's thesis in fact by building such a system. (Yes, I was his advisor.)

    If anyone wants to build a PAM module based on Inform 7 drop me a line. Could be fun! But it won't be practical.

    If you want to learn more, the paper is "Towards narrative authentication, or, against boring authentication.". The workshop in question is the New Security Paradigms Workshop.

    And in case you were wondering, none of us are doing any follow-up work on this right now. But I'm always open to collaboration opportunities. :-)

        --Anil Somayaji
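An added example in the text-adventure style the post mentions; it is not code from the paper or from Carson Brown's thesis. The user's "story" is a walk through a constructed four-room world (an assumption for this example), stored only as a salted PBKDF2 hash, and count_walks shows how small the guessing space of such a short story is.

```python
import hashlib
import hmac
import os

# Constructed four-room world (an assumption for this example, not from the paper):
# room -> {direction: neighbouring room}. Every story starts in the hall.
WORLD = {
    "hall":    {"north": "library", "east": "kitchen"},
    "library": {"south": "hall",    "east": "study"},
    "kitchen": {"west": "hall",     "north": "study"},
    "study":   {"west": "library",  "south": "kitchen"},
}
SYNONYMS = {"n": "north", "s": "south", "e": "east", "w": "west"}
ITERATIONS = 200_000  # PBKDF2 work factor; a short story is a low-entropy secret

def canonical(commands):
    """Map free-form commands ("go north", "n") to the walk they describe."""
    room, walk = "hall", []
    for cmd in commands:
        tokens = cmd.strip().lower().split()
        if not tokens:
            raise ValueError("empty command")
        move = SYNONYMS.get(tokens[-1], tokens[-1])  # last word names the direction
        if move not in WORLD[room]:
            raise ValueError(f"cannot go {move} from {room}")
        room = WORLD[room][move]
        walk.append(move)
    return "/".join(walk)

def enroll(commands, salt=None):
    """Store the story as (salt, hash); the plaintext walk is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical(commands).encode(), salt, ITERATIONS)
    return salt, digest

def authenticate(record, commands):
    """True only if the retold story is exactly the enrolled walk."""
    salt, digest = record
    try:
        walk = canonical(commands)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", walk.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def count_walks(room, steps):
    """Valid stories of this length, i.e. the guessing space (2**steps here)."""
    if steps == 0:
        return 1
    return sum(count_walks(nxt, steps - 1) for nxt in WORLD[room].values())
```

A four-step story in this world has only sixteen possible retellings, which is the usability-versus-entropy tension the post alludes to.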

    1. Re:A co-author's thoughts by tftp · · Score: 1

      The idea behind it was that humans are bad at remembering very specific facts but are very good at remembering stories - narratives

      As long as you don't require accuracy of facts that build up that story. In this proof the storytellers are very much unsure what happened, and to whom.

      It may be that an attacker, with the story researched and printed, will pass this authentication easier than the legitimate user who made no such preparations.

  44. I have terrible experiences with this by remoteshell · · Score: 2

    I was in a national disaster, and FEMA required this type of narrative 20 questions system with data that was culled from public records. Since I have a common name, and have moved several times, I was never able to disambiguate myself from others with my name. I ended up having to correspond with FEMA via US Mail, which seems more secure and accurate. I can only speculate on the authentication problems that this methodology is causing on the healthcare.gov site. The term 'doomed to failure' immediately comes to mind.

    --
    Just the washing instructions on life's rich tapestry
  45. in the words of J. Jonah Jameson... by Anonymous Coward · · Score: 0

    crap, crap, mega-crap

  46. This is a horrible idea. by Arancaytar · · Score: 1

    The NSA monitors everything everybody ever does. They would know the answer to every single one of those questions, and they could use them to break into your accounts and read all your emai----

    oh wait.

  47. Who owns and protects answers to security question by Anonymous Coward · · Score: 0

    If I have to answer a security question to get into a site, who owns the answer to the security question?
    Why should I have to tell them what High School I graduated from, so they can spam me with reunion advertising?
    Isn't asking and answering security questions itself a form of phishing?

    The problem with giving false answers is having to remember or record what answer was for what question.
    I used to give the same answer for all questions too, but sites have started checking for and prohibiting that.

    Where do I join the class action lawsuit claiming that requiring answers to security questions is an invasion of my privacy and not required according to the previously established relationship, and that asking security questions is phishing and hence a computer crime itself!

  48. Memory game by fox171171 · · Score: 1

    their own events in the real world like wedding dates

    So if I can't seem to convince the system to let me log in to my computer, I should buy my wife flowers?

  49. Surely it's true this time by J'raxis · · Score: 1

    Wow, I've seen so many inventions claiming to "end the need for complex passwords" over the past twenty years that we've certainly ended the need for complex passwords by now, haven't we? Wait, we haven't?

    On another topic, has the Voyager probe left the solar system again yet?

  50. Re:Completely rehackable by Anonymous Coward · · Score: 0

    The problem is all of this information is incredibly public. What did I last buy on ebay? Probably a thing I then told a bunch of people I bought for a great price on ebay.

    That sort of thing is only public if you're an idiot. I don't tell anyone that shit.

  51. How about... by WillyWanker · · Score: 1

    A system that stops asking me for passwords for every fucking account, website, and game, BECAUSE I'M THE ONLY FUCKING USER OF THIS PC??????

  52. security questions by cstacy · · Score: 1

    AUTHENTICATION CHALLENGE:
    During your last session, did you (choose one):
    (a) Receive email from your sister, Dorothy about her medical condition.
    (b) Access your bank account 101000187-33400301
    (c) Install a root kit onto 0F13C73AAB0D4E000028038C99D3125A
      [CONTINUE TO LOGIN]