Slashdot Mirror


Researchers Develop "Narrative Authentication" System

hypnosec writes "Researchers have developed a 'narrative authentication' system that could put an end to the need of remembering complex passwords to logging onto computer systems. The new system has been developed by Carson Brown and his colleagues over at Carleton University in Ottawa, Canada. The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time. Users can interact with the logging software and add their own events in the real world like wedding dates, holidays, travel dates, etc."
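As an added illustration (not code from the Carleton paper or any system it describes), the mechanism the summary sketches can be reduced to: record events, derive a question plus a keyed hash of the expected answer, and at login compare the user's answer in constant time. The log format, the HMAC-based answer store and the sample events are all constructed assumptions; the last function makes the thread's recurring objection measurable by bounding how many candidate answers a guesser would have to try.

```python
import hashlib
import hmac
import math
import re
from collections import Counter

# Constructed sample activity log in a hypothetical (date, action, object) format.
ACTIVITY_LOG = [
    ("2013-10-08", "visit", "slashdot.org"),
    ("2013-10-08", "edit", "report_q3.docx"),
    ("2013-10-08", "email", "alice@example.com"),
    ("2013-10-08", "visit", "xkcd.com"),
    ("2013-10-08", "visit", "slashdot.org"),
    ("2013-10-09", "email", "bob@example.com"),
]
SERVER_KEY = b"constructed-server-side-key"  # placeholder; a deployment would use a managed key


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Slashdot.org ' and 'slashdot.org' compare equal."""
    return re.sub(r"\s+", " ", answer.strip().lower())


def build_challenge(log, date: str, action: str):
    """Turn the log into a question plus an HMAC tag of the expected answer.
    Only the tag is stored, so a dump of the challenge store is not a plaintext answer key."""
    objects = Counter(obj for d, act, obj in log if d == date and act == action)
    if not objects:
        return None
    expected, _ = objects.most_common(1)[0]
    question = f"On {date}, what did you mostly {action}?"
    tag = hmac.new(SERVER_KEY, normalize(expected).encode(), hashlib.sha256).hexdigest()
    return question, tag


def verify(answer: str, tag: str) -> bool:
    """Constant-time comparison of the user's normalised answer against the stored tag."""
    got = hmac.new(SERVER_KEY, normalize(answer).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(got, tag)


def guess_entropy_bits(log, action: str) -> float:
    """Upper bound on the answer's strength: log2 of the distinct objects ever logged for
    this action, i.e. the most an attacker who knows the user's habits must enumerate."""
    candidates = {obj for _, act, obj in log if act == action}
    return math.log2(len(candidates)) if candidates else 0.0


if __name__ == "__main__":
    question, tag = build_challenge(ACTIVITY_LOG, "2013-10-08", "visit")
    print(question, verify("Slashdot.org", tag), f"{guess_entropy_bits(ACTIVITY_LOG, 'visit'):.1f} bits")
```

With the sample log the "visit" question is worth one bit, which is the quantitative form of the objection several commenters raise below: the answer space of a narrative question is the user's small, observable vocabulary, not a password space.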

27 of 117 comments

  1. B.S. For funding by Great+Big+Bird · · Score: 5, Insightful

    Sounds like useless bullshit produced to get funding dollars.

    1. Re: B.S. For funding by Anonymous Coward · · Score: 5, Insightful

      Cynic. How can you not believe in something that tracks your computer use and then lets you add commonly known dates as additional verification? There's no way a co-worker will ever be able to log into your account at work, or a family member at home.

      BTW, who wants to play 20 questions when logging in and what company gets to own the data about your computer use?

    2. Re:B.S. For funding by MitchDev · · Score: 2

      No kidding, how many people remember what they had for lunch yesterday as opposed to a password? That's all this sounds like.

    3. Re: B.S. For funding by mlts · · Score: 2

      We had this with Facebook in the past. It would pop up a picture and you would match it up with a friend. However, a lot of people use cat pictures, red "=" symbols, just a black picture, or some other cause they are trying to champion. So, choosing between five pictures that are solid black (like Spinal Tap's album) to match up with a friend is pointless.

      Of course, challenge/response questions are not great either. Palin can tell one this. Plus, sniff one password, sniff them all.

      Recovery of an account is a hard nut to crack, on both the password protection/authentication front, as well as key recovery/escrow.

      For key escrow/recovery, in a previous life, a place I worked at (long since bought up by another company) had a no name holding corporation which rented an office. Once past the alarm system (had both duress and holdup alarms), and into a side room, there was a large jewelry safe with glass panels that would fire off relockers if the door was hit with a hammer and a Mas-Hamilton (Now Kaba Mas) X-08 combination lock. The safe had a locked compartment that housed the private keys that were uuencoded and printed out. In the safe were a couple burned CDs with the info as well.

      This office (as well as another remote site) provided adequate key recovery for this SMB, although trying to scale up from that would be tough.

      Authentication is easier... you don't have to have the exact key, just prove that you are whom you claim to be. For a lot of things, having a website text a person number with a 4-6 digit code, and one inputting that in a website is good enough, especially if the SMS protocol gets augmented by better security a la Apple's iMessage. This isn't 100% though, especially if the number gets cut off by the telco. However, combining this with a scratch off card with some one use numbers might cover more bases, although if one loses everything (phone, scratch off card) in a fire, they are hosed.

    4. Re: B.S. For funding by vlad30 · · Score: 2

      Ask for wedding date! Only man I knew who could remember that had it etched on his wedding band and he still missed getting an anniversary gift.

      --
      You're all thinking it, I just said it for you

    5. Re: B.S. For funding by neoritter · · Score: 3, Funny

      I tried this and ended up with a closet full of dead puppies...

  2. No, thank you. by Parsiuk · · Score: 5, Insightful

    I'm sick of "intelligent" systems which are making my life more and more complicated.

  3. i'm drunk and i don't remember my activities by Anonymous Coward · · Score: 4, Funny

    lemme in ya fukcin piceec of shhhtt!!!!!!

  4. Gosh... by fuzzyfuzzyfungus · · Score: 4, Insightful

    An authentication system that combines the fun of 'intelligent' phone-tree voice recognition 'expert' systems with the assumption that biographical trivia are anything other than hilariously public.... Where do I sign up?

  5. XKCD FTW by Gothmolly · · Score: 5, Insightful

    I'll just leave this right here

    https://xkcd.com/936/

    --
    I want to delete my account but Slashdot doesn't allow it.

    1. Re:XKCD FTW by Anonymous Coward · · Score: 2, Insightful

      Ah, the correct battery staple horse. No, wait, that's wrong. It must be horse battery staple correct. Or was it battery staple horse correct?

    2. Re:XKCD FTW by FilmedInNoir · · Score: 2

      How dare you question the humor and wisdom of stick men AC!

      --
      Sig. Sig. Sputnik

  6. Completely unhackable by mwvdlee · · Score: 2

    Completely unhackable because there can only ever be one system that can scan all these sources.
    A hacker could not possibly create their own system that scans the same public facebook pages and twitter posts.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

  7. Retarded by Hognoxious · · Score: 4, Insightful

    Last time I forgot a gmail password it did this. Something like the last 3 people I'd emailed, and the last three I'd received emails from and some other tripe. I don't mean the magic "first pet dog's name" question or anything like that.

    I remembered my password before I even got close to figuring any of that shit out.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."

    1. Re:Retarded by Frankie70 · · Score: 4, Funny

      I remembered my password before I even got close to figuring any of that shit out.

      So it worked.

  8. Re:A questioner instead of a password? Really? by Anonymous Coward · · Score: 2, Funny

    Boss: I need the data for XY.
    You: OK, I'll give it to you. Let me just log in.
    Computer: This is the narrative authentication system. What have you been doing most of the time yesterday?
    You: Working on the report.
    Computer: The answer is wrong. Please try again.
    You: Programming.
    Computer: The answer is wrong. Please try again.
    You: Surfing Slashdot.
    Computer: Authentication succeeded.
    Boss: You're fired.

    SCNR ;-)

  9. Re:Completely rehackable by VortexCortex · · Score: 2

    It's not meant to be incompletely unhackable. Think of it as adding another factor of authentication. So, with three factor authentication there will be something you know (your password), something you have (your ID card / token), and something you are (a nerd). This adds a fourth factor: Something you did (forgot what that was and called tech support).

    The genius of this system is that it relies on the existing proven security of the questions overseas help desk personnel usually ask you, like: How long has it been since you logged in? What's your favorite sports team? What kind of accent is that? What's your mother's maiden name? What are you wearing? Etc.

  10. Sounds like a plan! by RenHoek · · Score: 4, Insightful

    Yes, because a site breach wasn't annoying enough yet when they take all of the passwords. Let's give them more information with which to do spearphishing.

  11. The real problem... by tlambert · · Score: 2

    lemme in ya fukcin piceec of shhhtt!!!!!!

    The real problem is not when you're drunk; eventually, you'll be sober and be able to log in later. That's almost a feature, like a breathalyzer on your phone to keep you from drunk-dialing old lovers who got married to someone else 5 years ago.

    No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?

  12. Sneakers? by wbr1 · · Score: 2

    Hi, my name is Werner Brandes. My voice is my passport. Verify Me. My wife's birthday is 8/1/67, and I like puppy posts on Facebook.

    --
    Silence is a state of mime.

  13. Let's see... by Anonymous Coward · · Score: 2

    A system that's inconvenient when it works, is insecure, and increases the chance of you getting locked out of your own account.

    I really can't see a use case for this.

  14. I'm beginning to think that by LookIntoTheFuture · · Score: 2

    giving up privacy is the solution to everything! What could possibly go wrong?!

    --
    Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")

  15. Do you really want this? by stinkydog · · Score: 2

    Computer: Last time you were on, you watched a video. In that video a _____ was having sex with a ____. Respond?

    End of Line

    --
    "Who knew something as harmless as willful ignorance could end up having real consequences?"

  16. Prior Art by joshuao3 · · Score: 2

    Narrative authentication has been used by the military for years to authenticate the identity of soldiers found in the battlefield who are able to communicate but don't have any form of identification.

    --
    Monitor bandwidth usage on IIS6 in real-time: http://www.waetech.com/services/iisbm/

  17. User activities by PPH · · Score: 2

    Computer: "What did you do the last time you logged on?"
    Me: "Surfed for porn and posted snotty comments on Slashdot."

    Who woulda' guessed that?

    --
    Have gnu, will travel.

  18. A co-author's thoughts by soma · · Score: 5, Informative

    Hello. I'm one of the co-authors of the workshop paper that inspired this article. I say "inspired" because the article is completely misleading.

    First off, the paper was a position paper. It was primarily speculation about how we could do authentication in the future. The idea behind it was that humans are bad at remembering very specific facts but are very good at remembering stories - narratives. What would it mean to authenticate using stories? Think about how you'd verify the identity of a friend communicating via text message from an unknown phone number or account. Make a computer do that.

    And yes, fully developed such a system would be AI-complete. But I think there are lesser incarnations that might be usable and secure. But that is just educated speculation on my part.

    Now the paper did present a simple example of how you could do something kinda-narrative-like using text adventures (yes, think Zork). Such a system isn't discussed in more detail because there are many usability challenges. But it can be done. Carson Brown got his Master's thesis in fact by building such a system. (Yes, I was his advisor.)

    If anyone wants to build a PAM module based on Inform 7 drop me a line. Could be fun! But it won't be practical.

    If you want to learn more, the paper is "Towards narrative authentication, or, against boring authentication." The workshop in question is the New Security Paradigms Workshop.

    And in case you were wondering, none of us are doing any follow-up work on this right now. But I'm always open to collaboration opportunities. :-)

    --Anil Somayaji

  19. I have terrible experiences with this by remoteshell · · Score: 2

    I was in a national disaster, and FEMA required this type of narrative 20 questions system with data that was culled from public records. Since I have a common name, and have moved several times, I was never able to disambiguate myself from others with my name. I ended up having to correspond with FEMA via US Mail, which seems more secure and accurate. I can only speculate on the authentication problems that this methodology is causing in the healthcare.gov site. The term 'doomed to failure' immediately comes to mind.

    --
    Just the washing instructions on life's rich tapestry