Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Security Technology

Researchers Develop "Narrative Authentication" System 117

Posted by samzenpus
from the tell-me-about-yourself dept.
hypnosec writes "Researchers have developed a 'narrative authentication' system that could put an end to the need of remembering complex passwords to logging onto computer systems. The new system has been developed by Carson Brown and his colleagues over at Carleton University in Ottawa, Canada. The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time. Users can interact with the logging software and add their own events in the real world like wedding dates, holidays, travel dates, etc."
This discussion has been archived. No new comments can be posted.

Researchers Develop "Narrative Authentication" System

Comments Filter:
  • B.S. For funding (Score:5, Insightful)

    by Great Big Bird (1751616) on Monday January 06, 2014 @05:10AM (#45876761)
    Sounds like useless bullshit produced to get funding dollars.
    • by Anonymous Coward on Monday January 06, 2014 @05:44AM (#45876867)

      Cynic. How can you not believe in something that tracks your computer use and then lets you add commonly known dates as additional verification? There's no way a co worker will ever be able to log into your account at work, or a family member at home.

      BTW, who wants to play 20 questions when logging in and what company gets to own the data about your computer use?

      • by Anonymous Coward

        You forgot about stalkers. They'll love this type of thing.

      • by buck-yar (164658)

        The problem with this is its a weak system. Many accounts are already hacked via the security questions.

        • by PvtVoid (1252388)

          The problem with this is its a weak system. Many accounts are already hacked via the security questions.

          Does anybody seriously answer "security questions" honestly? I always, always, fill them in with a random character string.

        • My computer got hacked. Now my mother has to change her maiden name.

      • by dkleinsc (563838)

        And of course, there's absolutely no possible way that a Facebook employee would have access to that information.

      • by mlts (1038732)

        We had this with Facebook in the past. It would pop up a picture and you would match it up with a friend. However, a lot of people use cat pictures, red "=" symbols, just a black picture, or some other cause they are trying to champion. So, choosing between five pictures that are solid black (like Spinal Tap's album) to match up with a friend is pointless.

        Of course, challenge/response questions are not great either. Palin can tell one this. Plus, sniff one password, sniff them all.

        Recovery of an accoun

      • by vlad30 (44644)
        ask for wedding date! Only man I knew who could remember that had it etched on his wedding band and he still missed getting a anniversary gift
        • Only man I knew who could remember that had it etched on his wedding band and he still missed getting a anniversary gift

          Pro-tip: Buy wedding/birthday/whatever gifts in advance, and in bulk, and already professionally gift wrapped. Then hide them someplace your wife/gf will never look, such as your toolbox in the garage. Then we she says "you forgot our anniversary", you can say "no I didn't!" and go fetch a gift. I already have a dozen pre-wrapped swarovski crystals that I bought on eBay, so I am covered for the next few years.

          • Re: (Score:3, Funny)

            by neoritter (3021561)
            I tried this and ended up with a closet full of dead puppies...
          • by rioki (1328185)

            My wedding is about a week after my birthday. I remember the my birthday obviously and that is the trigger to get something. The exact date is then irrelevant.

          • by kmoser (1469707)
            If only I had a small electronic device on my person that contained a calendar and the ability to automatically remind me of upcoming events.
    • by MitchDev (2526834)

      No kidding, how many people rememb er what they had for lunch yesterday as opposed to a password? That's all this sounds like.

  • No, thank you. (Score:5, Insightful)

    by Parsiuk (2002994) on Monday January 06, 2014 @05:11AM (#45876763) Homepage
    I'm sick of "intelligent" systems which are making my life more and more complicated.
  • by Anonymous Coward on Monday January 06, 2014 @05:12AM (#45876771)

    lemme in ya fukcin piceec of shhhtt!!!!!!

    • lemme in ya fukcin piceec of shhhtt!!!!!!

      The real problem is not when you're drunk; eventually, you'll be sober and be able to log in later. That's almost a feature, like a breathalyzer on your phone to keep you from drunk-dialing old lovers who got married to someone else 5 years ago.

      No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after

      • by Anonymous Coward

        "No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?"

        Does that mean when you're drunk, you don't remember the color of the 17th cat you watched yesterday?

  • Gosh... (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Monday January 06, 2014 @05:16AM (#45876791) Journal
    An authentication system that combines the fun of 'intelligent' phone-tree voice recognition 'expert' systems with the assumption that biographical trivia are anything other than hilariously public.... Where do I sign up?
    • "log a user's activitieson the system or any other device that he/she may be using and then ask questions about them when they login next time"

      "Based on your history, who do you think is sexier, JLaw, Tay Tay, or Bailey Jay?"

      "Where's the goddam opt out button on this thing?"

  • XKCD FTW (Score:5, Insightful)

    by Gothmolly (148874) on Monday January 06, 2014 @05:19AM (#45876803)

    I'll just leave this right here

    https://xkcd.com/936/ [xkcd.com]

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Ah, the correct battery staple horse. No, wait, that's wrong. It must be horse battery staple correct. Or was it battery staple horse correct?

      • by Mathinker (909784)

        Uh, it's still only going to take 24 tries before you get it correct, in the very worst case in the scenario you propose. And the xkcd strip was making a "differential" argument, not an absolute one (e.g., for the same security, are you more likely to forget a password of random characters versus a series of words).

        What's actually of greatest importance is how often you use the password. In my experience, complex passwords which are seldom used are a recipe for disaster. When I go on vacation, I sometime ta

        • by jfengel (409917)

          It gets worse once you have more than one password to remember. The silly image tries to link them all together, so that you don't get your "correct horse battery staple" mixed up with your "blender green lobster carburetor" at your bank and your "mango bookbag tooth bitter" for your work computer, but if you've left any of them alone for more than a few weeks they fade and get mixed up. "Correct horse battery staple" stands out by itself from your eight-letter passwords for being different, but as part of

          • I use grammatically correct and spell checked sentences for my old true crypt passwords; I've never forgotten one.

            "Alice had a little lamb. Porn Filter unit test files"

            Occasionally I've had to try a few variations, but never been as baffled as I have for some old accounts that I've lost completely, with leetified names as most of my online passwords of "8-12 characters one special character [^"' ` ] and a number and capital letter.

          • by Mathinker (909784)

            > You simply won't be able to keep hundreds of bits of entropy in your head
            > without flaw unless you practice them over and over.

            This is why it pays, for all of those passwords for websites which are low-risk, to either use some kind of "Password Safe" program, or simply have a personal algorithm for generating passwords which enables you to write down reminders in a personal shorthand.

            Anyone who needs to keep hundreds of bits of entropy in their heads is simply "doing it wrong".

      • How dare you question the humor and wisdom of stick men AC!
  • by Anonymous Coward

    Yeah, really good idea... I bet the NSA already has some guys rubbing their hands in glee while they wait for this tool to be released and start collecting information for them for free!

  • by mwvdlee (775178) on Monday January 06, 2014 @05:23AM (#45876817) Homepage

    Completely unhackable because there can only ever be one system that can scan all these sources.
    A hacker could not possibly create their own system that scans the same public facebook pages and twitter posts.

    • It's not meant to be incompletely unhackable. Think of it as adding another factor of authentication. So, with three factor authentication there will be something you know (your password), something you have (your ID card / token), and something you are (a nerd). This adds a fourth factor: Something you did (forgot what that was and called tech support).

      The genius of this system is that it relies on the existing proven security of the questions over-seas help desk personnel usually ask you like: How long

      • by Anonymous Coward

        The genius of this system is that it relies on the existing proven security of the questions over-seas help desk personnel usually ask you like: How long has it been since you logged in? What's your favorite sports team? What kind of accent is that? What's your mother's maiden name? What are you wearing? Etc.

        "Security questions" are a threat to security, as they enable a shortcut past (i.e. easier to guess than) the regular protection of a password. If you demand security questions _in_addition_ to passwords, and never EVER use them without also demanding passwords, then you can create a system that is at least not less secure than a system with only passwords.

        In most cases, when I review the security of some system, the existance of security questions is sufficient reason to reject the product altogether and t

        • Except this isn't an example of the third "something you are" factor; it is just more of "something you know".

          Now, if the system analyzed your data, created an accurate profile of you and then postulated a rhetorical situation, asked you how you would respond to same, and gave access based on your response, that might be a better example of a third-factor. This changes it from a recitation of a fact (be it a password or personal data) which anyone can answerto an analysis of attributes unique to the individ

      • The problem is all of this information is incredibly public. What did I last buy on ebay? Probably a thing I then told a bunch of people I bought for a great price on ebay.

        You could even game this system - do a bunch of fake logins, and use the questions to reverse-engineer the responses.

    • by alphatel (1450715) *

      Completely unhackable because there can only ever be one system that can scan all these sources.

      Yes it's called the NSA

  • Retarded (Score:5, Insightful)

    by Hognoxious (631665) on Monday January 06, 2014 @05:28AM (#45876833) Homepage Journal

    Last time I forgot a gmail password it did this. Something like the last 3 people I'd emailed, and the last three I'd received emails from and some other tripe. I don't mean the magic "first pet dog's name" question or anything like that.

    I remembered my password before I even got close to figuring any of that shit out.

    • Re:Retarded (Score:5, Funny)

      by Frankie70 (803801) on Monday January 06, 2014 @06:05AM (#45876941)

      I remembered my password before I even got close to figuring any of that shit out.

      So it worked.

    • I cam here to say exactly this. They locked my account while I was on travel internationally.

      When did you sign up for gmail MM/YY? Uh, after 2002 but before 2008.
      What are three tags you've applied to your email? TODO, NotSpam, ImportantInfo....wait no To Do, Mostly no spam, Saved info... no it was soon-to-do, Unspam.
      When did you last successfully sign in to gmail. yesterday afternoonish or morning, is that in the future from this time zone? no wait, I did only work email yesterday? Does my phone's mail app

  • So, instead of a single password I'll need to answer a questioner every time I want to login?? And, of course, they company is happy to save me the trouble and storage space and will gladly store all my activities on their servers. No thanks.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Boss: I need the data for XY.
      You: OK, I'll give it to you. Let me just log in.
      Computer: This is the narrative authentication system. What have you been doing most of the time yesterday?
      You: Working on the report.
      Computer: The answer is wrong. Please try again.
      You: Programming.
      Computer: The answer is wrong. Please try again.
      You. Surfing Slashdot.
      Computer: Authentication succeeded.
      Boss: You're fired.

      SCNR ;-)

  • I think the big problem with it is that it would tend to be inconsistent in its complexity and might dip to a very low complexity on occasion making it easy to compromise. The algorithm wouldn't have any real idea of when something was easily guessable. Still, probably better in almost all cases than most people's passwords, but not as good as people who use them well.

    • by CastrTroy (595695)
      I seriously don't know why most people just don't use a program like PasswordSafe of Keepass and just be done with the whole problem. Just 1 password to remember, and you can have complicated, unique passwords for every single system, and not have to remember any of them. You can also get apps that read the encrypted password files for your phone, and tablet, so you don't really have to worry about being without your passwords. Typing in your master password on your phone can be a little cumbersome, but
  • I'd prefer an authentication system that forces you to play a variant of Zork.
  • Imagine this: Your wife wants to log into her gmail account, you didn't remove your account from the account management, she doesn't notice that she tried to login to your account.
    Gmail: What kind of porn were you looking up when you used your gmail account the last time?
  • by RenHoek (101570) on Monday January 06, 2014 @06:14AM (#45876955) Homepage

    Yes, because a site breach wasn't annoying enough yet when they take all of the passwords. Let's give them more information which to do spearphising with.

  • Have these people never heard of microphones?

    It also sounds like a really great way to obtain a lot of extremely interesting metadata for nefarious purposes. Personal information that may be also used for things like bank accounts + travel dates? Yay, break in + plundering of all the victim's money!

    And then the bank will say "You did this yourself, only you know all this sensitive information. Say bye bye to your money."

  • by wbr1 (2538558) on Monday January 06, 2014 @06:46AM (#45877015)
    Hi, my name is Werner Brandes. My voice is my passport. Verify Me. My wife's birthday is 8/1/67, and I like puppy posts on Facebook.
    • please speak more slowly

    • I'ts way more exacting in detecting patterns;
      "Candy Crush, twitter feed, Facebook, Pr0n, CHECKS EMAIL, Candy Crush, twitter feed Facebook, Pr0n, ,..."

      NEW SECURITY SYSTEM:
      "Yup, that's user 210072B all right!"

      Lot's of code in the heuristics to add the "Yup" on that challenge response.

  • by Anonymous Coward

    A system that's inconvenient when it works, is insecure, and get increases the chance of you getting locked out of your own account.

    I really can't see a use case for this.

  • The main idea is to log a user's activities on the system and then ask questions about them when they login next time

    it'll be interesting when the system asks "what was that porn site you visited a lot last time?"

  • giving up privacy is the solution to everything! What could possibly go wrong?!
  • Why doesn't every website just let me use my Blizzard authenticator?! Problem solved!
  • by koan (80826)

    "The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time."

    Cloud security?
    I think I'll stick with pass phrases.

  • by stinkydog (191778) <sdNO@SPAMstrangedog.net> on Monday January 06, 2014 @08:58AM (#45877455) Homepage

    Computer: Last time you were on, you watched a video. In that video a _____ was having sex with a ____. Respond?

    End of Line

  • Narrative authentication has been used by the military for years to authenticate the identity of soldiers found in the battlefield who are able to communicate but don't have any form of identification.
  • ... by twitter, facebook, etc.
  • And how many times have we heard "an end to passwords". UGH Please stop blaring that unless you have it up and running in real life on many different environments.
  • As a basis for the knowledge factor component ("something only the user knows") of a multi-factor authentication scheme, this could be very useful, indeed, because it changes every time the user does something. Other forms of knowledge factors such as passwords are vulnerable to spying or code-breaking. The benefit here is it could seriously raise the bar for spoofing the user, since now the attacker would need access to the entire log of activity rather than just a single knowledge factor, and be able to i

  • Nobody is going to want to go through an interrogation every time they log in.

  • by PPH (736903) on Monday January 06, 2014 @10:54AM (#45878319)

    Computer: "What did you do the last time you logged on?"
    Me: "Surfed for porn and posted snotty comments on Slashdot."

    Who woulda' guessed that?

    • That means only 20 million people could potentially log in as you or me.

    • Computer: "What did you do the last time you logged on?"

      Me: "Surfed for porn and posted snotty comments on Slashdot."

      Pinky: Gee, Brain, what do you want to do tonight?

      Brain: The same thing we do every night, Pinky.

  • by soma (20246) on Monday January 06, 2014 @11:23AM (#45878651) Homepage

    Hello. I'm one of the co-authors of the workshop paper that inspired this article. I say "inspired" because the article is completely misleading.

    First off, the paper was a position paper. It was primarily speculation about how we could do authentication in the future. The idea behind it was that humans are bad at remembering very specific facts but are very good at remembering stories - narratives. What would it mean to authenticate using stories? Think about how you'd verify the identity of a friend communicating via text message from an unknown phone number or account. Make a computer do that.

    And yes, fully developed such a system would be AI-complete. But I think there are lesser incarnations that might be usable and secure. But that is just educated speculation on my part.

    Now the paper did present a simple example of how you could do something kinda-narrative-like using text adventures (yes, think Zork). Such a system isn't discussed in more detail because there are many usability challenges. But it can be done. Carson Brown got his Master's thesis [carleton.ca] in fact by by building such a system. (Yes, I was his advisor.)

    If anyone wants to build a PAM module based on Inform 7 [inform7.com] drop me a line. Could be fun! But it won't be practical.

    If you want to learn more, the paper is "Towards narrative authentication, or, against boring authentication." [nspw.org]. The workshop in question is the New Security Paradigms Workshop [nspw.org].

    And in case you were wondering, none of us are doing any follow-up work on this right now. But I'm always open to collaboration opportunities. :-)

        --Anil Somayaji

    • by tftp (111690)

      The idea behind it was that humans are bad at remembering very specific facts but are very good at remembering stories - narratives

      As long as you don't require accuracy of facts that build up that story. In this proof [youtube.com] the storytellers are very much unsure what happened, and to who.

      It may be that an attacker, with the story researched and printed, will pass this authentication easier than the legitimate user who made no such preparations.

  • I was in a national disaster, and FEMA required this type of narrative 20 questions system with data that was culled from public records. Since I have a common name, and have moved several times, I was never able to disambiguate myself from others with my name. I ended up having to correspond with FEMA via US Mail, which seems more secure and accurate. I can only speculate on the authentication problems that this methodology is causing in the healthcare.gov site. The term 'doomed to failure' immediate
  • The NSA monitors everything everybody ever does. They would know the answer to every single one of those questions, and they could use them to break into your accounts and read all your emai----

    oh wait.

  • their own events in the real world like wedding dates

    So if I can't seem to convince the system to let me log in to my computer, I should buy my wife flowers?
  • Wow, I've seen so many inventions claiming to "end the need for complex passwords" over the past twenty years that we've certainly ended the need for complex passwords by now, haven't we? Wait, we haven't?

    On another topic, has the Voyager probe left the solar system again yet?

  • A system that stops asking me for passwords for every fucking account, website, and game, BECAUSE I'M THE ONLY FUCKING USER OF THIS PC??????

  • AUTHENTICATION CHALLENGE:
    During your last session, did you (choose one):
    (a) Receive email from your sister, Dorothy about her medical condition.
    (b) Access your bank account 101000187-33400301
    (c) Install a root kit onto 0F13C73AAB0D4E000028038C99D3125A
      [CONTINUE TO LOGIN]

To avoid criticism, do nothing, say nothing, be nothing. -- Elbert Hubbard

Working...