Researchers Develop "Narrative Authentication" System
hypnosec writes "Researchers have developed a 'narrative authentication' system that could put an end to the need of remembering complex passwords to logging onto computer systems. The new system has been developed by Carson Brown and his colleagues over at Carleton University in Ottawa, Canada. The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time. Users can interact with the logging software and add their own events in the real world like wedding dates, holidays, travel dates, etc."
B.S. For funding (Score:5, Insightful)
Re: B.S. For funding (Score:5, Insightful)
Cynic. How can you not believe in something that tracks your computer use and then lets you add commonly known dates as additional verification? There's no way a co-worker will ever be able to log into your account at work, or a family member at home.
BTW, who wants to play 20 questions when logging in and what company gets to own the data about your computer use?
Re: B.S. For funding (Score:1)
You forgot about stalkers. They'll love this type of thing.
Re: (Score:2)
The problem with this is it's a weak system. Many accounts are already hacked via the security questions.
Re: (Score:2)
The problem with this is it's a weak system. Many accounts are already hacked via the security questions.
Does anybody seriously answer "security questions" honestly? I always, always, fill them in with a random character string.
Re: B.S. For funding (Score:1)
My computer got hacked. Now my mother has to change her maiden name.
Re: (Score:2)
And of course, there's absolutely no possible way that a Facebook employee would have access to that information.
Re: (Score:3)
We had this with Facebook in the past. It would pop up a picture and you would match it up with a friend. However, a lot of people use cat pictures, red "=" symbols, just a black picture, or some other cause they are trying to champion. So, choosing between five pictures that are solid black (like Spinal Tap's album) to match up with a friend is pointless.
Of course, challenge/response questions are not great either. Palin can tell one this. Plus, sniff one password, sniff them all.
Recovery of an accoun
Re: (Score:3)
Re: (Score:2)
Only man I knew who could remember that had it etched on his wedding band and he still missed getting an anniversary gift
Pro-tip: Buy wedding/birthday/whatever gifts in advance, and in bulk, and already professionally gift wrapped. Then hide them someplace your wife/gf will never look, such as your toolbox in the garage. Then when she says "you forgot our anniversary", you can say "no I didn't!" and go fetch a gift. I already have a dozen pre-wrapped Swarovski crystals that I bought on eBay, so I am covered for the next few years.
Re: (Score:3, Funny)
Re: (Score:2)
My wedding is about a week after my birthday. I remember my birthday, obviously, and that is the trigger to get something. The exact date is then irrelevant.
Re: (Score:1)
Re: (Score:3)
No kidding, how many people remember what they had for lunch yesterday as opposed to a password? That's all this sounds like.
Re: B.S. For funding (Score:1)
It could ask you which porn site you visited yesterday.
No, thank you. (Score:5, Insightful)
Re: (Score:2)
Why do you H8 the government?
is that a rhetorical question?
Re: (Score:1)
Re: (Score:2)
More accurately, why wouldn't you hate the government?
Re: (Score:2)
You shouldn't bring irrelevant topics into this discussion. It is not really funny, but rather trolling or flamebait.
Back to the topic, I agree with the GP that the new system in TFA is actually more complicated than simply memorizing a set of passwords. In other words, you will have to remember what you did. If you need to log in every day, it "may" be OK (some people may unintentionally forget what they did for many reasons). If you are required to log in once a week, you are likely to forget what you did la
Re: (Score:2)
What did you do yesterday evening? Dunno... watch porn? Good, what porn exactly? Um...
i'm drunk and i don't remember my activities (Score:4, Funny)
lemme in ya fukcin piceec of shhhtt!!!!!!
The real problem... (Score:3)
lemme in ya fukcin piceec of shhhtt!!!!!!
The real problem is not when you're drunk; eventually, you'll be sober and be able to log in later. That's almost a feature, like a breathalyzer on your phone to keep you from drunk-dialing old lovers who got married to someone else 5 years ago.
No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after
Re: (Score:1)
"No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?"
Does that mean when you're drunk, you don't remember the color of the 17th cat you watched yesterday?
Gosh... (Score:5, Insightful)
Re: (Score:1)
"Based on your history, who do you think is sexier, JLaw, Tay Tay, or Bailey Jay?"
"Where's the goddam opt out button on this thing?"
XKCD FTW (Score:5, Insightful)
I'll just leave this right here
https://xkcd.com/936/ [xkcd.com]
Re: (Score:2, Insightful)
Ah, the correct battery staple horse. No, wait, that's wrong. It must be horse battery staple correct. Or was it battery staple horse correct?
Re: (Score:1)
Uh, it's still only going to take 24 tries before you get it correct, in the very worst case in the scenario you propose. And the xkcd strip was making a "differential" argument, not an absolute one (e.g., for the same security, are you more likely to forget a password of random characters versus a series of words).
What's actually of greatest importance is how often you use the password. In my experience, complex passwords which are seldom used are a recipe for disaster. When I go on vacation, I sometime ta
Re: (Score:2)
It gets worse once you have more than one password to remember. The silly image tries to link them all together, so that you don't get your "correct horse battery staple" mixed up with your "blender green lobster carburetor" at your bank and your "mango bookbag tooth bitter" for your work computer, but if you've left any of them alone for more than a few weeks they fade and get mixed up. "Correct horse battery staple" stands out by itself from your eight-letter passwords for being different, but as part of
Re: (Score:2)
I use grammatically correct and spell-checked sentences for my old TrueCrypt passwords; I've never forgotten one.
"Alice had a little lamb. Porn Filter unit test files"
Occasionally I've had to try a few variations, but never been as baffled as I have for some old accounts that I've lost completely, with leetified names as most of my online passwords of "8-12 characters, one special character [^"' ` ], a number, and a capital letter".
Re: (Score:1)
> You simply won't be able to keep hundreds of bits of entropy in your head
> without flaw unless you practice them over and over.
This is why it pays, for all of those passwords for websites which are low-risk, to either use some kind of "Password Safe" program, or simply have a personal algorithm for generating passwords which enables you to write down reminders in a personal shorthand.
Anyone who needs to keep hundreds of bits of entropy in their heads is simply "doing it wrong".
Re: (Score:3)
Re: (Score:2)
The comic also disregards bigram, trigram, ... and n-gram probabilities. People who quote it should study cryptography or change careers.
No it doesn't. The entropy in a set of N unique randomly chosen words from a P-word dictionary is P*(P-1)*(P-2)...*(P-N), or approximately P^N. Period. N-gram probabilities from natural language have absolutely fuck all to do with anything here.
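The entropy argument in this subthread, worked through in code. This is an added example and not from any commenter or from the xkcd strip; it uses the thread's symbols P (dictionary size) and N (number of words), and every figure it prints is a constructed illustration (a 2048-word list, 95 printable ASCII characters, 1000 guesses per second are assumed parameters, not measured values).

```python
import math

# Added example (not from any commenter): entropy of word-based passphrases versus
# random-character passwords, using the thread's symbols P (dictionary size) and N
# (number of words). All parameters below are constructed illustrations.

def passphrase_bits_with_replacement(P: int, N: int) -> float:
    """N words drawn uniformly and independently from a P-word list: P**N choices."""
    return N * math.log2(P)

def passphrase_bits_distinct(P: int, N: int) -> float:
    """N distinct words in order: P*(P-1)*...*(P-N+1) ordered choices (math.perm)."""
    return math.log2(math.perm(P, N))

def random_chars_bits(alphabet_size: int, length: int) -> float:
    """`length` characters drawn uniformly from an alphabet: alphabet_size**length choices."""
    return length * math.log2(alphabet_size)

def words_needed(P: int, target_bits: float) -> int:
    """Smallest N such that N words from a P-word list reach target_bits (with replacement)."""
    return math.ceil(target_bits / math.log2(P))

def exhaustive_search_years(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed online guessing rate (average success is half this)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Four words from a 2048-word list, attacked at 1000 guesses/s (assumed rate).
    b = passphrase_bits_with_replacement(2048, 4)
    print(f"4 of 2048 words, with replacement: {b:.1f} bits")
    print(f"4 of 2048 words, all distinct:     {passphrase_bits_distinct(2048, 4):.3f} bits")
    print(f"8 random printable ASCII chars:    {random_chars_bits(95, 8):.1f} bits")
    print(f"words needed for 80 bits from 2048: {words_needed(2048, 80)}")
    print(f"exhaustive search at 1000/s:       {exhaustive_search_years(b, 1000):.0f} years")
```

Requiring the words to be distinct costs a fraction of a bit, which is why the two counts are used interchangeably in the thread; what actually moves the number is the dictionary size and, above all, whether the words were chosen by a random process rather than by the user.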
Re: (Score:1)
the problem with very long passwords is that typing them in gets tedious when you have to do it all the time
on your phone.
Re: (Score:2)
the problem with very long passwords is that typing them in gets tedious when you have to do it all the time
on your phone.
at -40 degC.
Re: (Score:2)
I hate how overused that comic is, but I have to disagree with most disagreements with it.
I can type a full sentence about as fast as I can contort and remember a 13373D password.
I've used both and I'd say I get faster at a sentence you type 5 times a day than you do at a sequence of random characters.
Of course if you use your favorite vim shortcut or a good line of assembly as your 8 character password, then I guess you could beat the full sentence strategy.
NSA thanks the devs (Score:1)
Yeah, really good idea... I bet the NSA already has some guys rubbing their hands in glee while they wait for this tool to be released and start collecting information for them for free!
Completely unhackable (Score:3)
Completely unhackable because there can only ever be one system that can scan all these sources.
A hacker could not possibly create their own system that scans the same public facebook pages and twitter posts.
Re:Completely rehackable (Score:3)
It's not meant to be incompletely unhackable. Think of it as adding another factor of authentication. So, with three factor authentication there will be something you know (your password), something you have (your ID card / token), and something you are (a nerd). This adds a fourth factor: Something you did (forgot what that was and called tech support).
The genius of this system is that it relies on the existing proven security of the questions over-seas help desk personnel usually ask you like: How long
Re: (Score:1)
The genius of this system is that it relies on the existing proven security of the questions over-seas help desk personnel usually ask you like: How long has it been since you logged in? What's your favorite sports team? What kind of accent is that? What's your mother's maiden name? What are you wearing? Etc.
"Security questions" are a threat to security, as they enable a shortcut past (i.e. easier to guess than) the regular protection of a password. If you demand security questions _in_addition_ to passwords, and never EVER use them without also demanding passwords, then you can create a system that is at least not less secure than a system with only passwords.
In most cases, when I review the security of some system, the existence of security questions is sufficient reason to reject the product altogether and t
Re: (Score:2)
Except this isn't an example of the third "something you are" factor; it is just more of "something you know".
Now, if the system analyzed your data, created an accurate profile of you and then postulated a rhetorical situation, asked you how you would respond to same, and gave access based on your response, that might be a better example of a third factor. This changes it from a recitation of a fact (be it a password or personal data) which anyone can answer to an analysis of attributes unique to the individ
Re: (Score:2)
The problem is all of this information is incredibly public. What did I last buy on ebay? Probably a thing I then told a bunch of people I bought for a great price on ebay.
You could even game this system - do a bunch of fake logins, and use the questions to reverse-engineer the responses.
Re: (Score:2)
Completely unhackable because there can only ever be one system that can scan all these sources.
Yes it's called the NSA
Retarded (Score:5, Insightful)
Last time I forgot a gmail password it did this. Something like the last 3 people I'd emailed, and the last three I'd received emails from and some other tripe. I don't mean the magic "first pet dog's name" question or anything like that.
I remembered my password before I even got close to figuring any of that shit out.
Re:Retarded (Score:5, Funny)
So it worked.
Re: (Score:2)
I came here to say exactly this. They locked my account while I was on travel internationally.
When did you sign up for gmail MM/YY? Uh, after 2002 but before 2008.
What are three tags you've applied to your email? TODO, NotSpam, ImportantInfo....wait no To Do, Mostly no spam, Saved info... no it was soon-to-do, Unspam.
When did you last successfully sign in to gmail. yesterday afternoonish or morning, is that in the future from this time zone? no wait, I did only work email yesterday? Does my phone's mail app
A questioner instead of a password? Really? (Score:1)
Re: (Score:2, Funny)
Boss: I need the data for XY.
You: OK, I'll give it to you. Let me just log in.
Computer: This is the narrative authentication system. What have you been doing most of the time yesterday?
You: Working on the report.
Computer: The answer is wrong. Please try again.
You: Programming.
Computer: The answer is wrong. Please try again.
You: Surfing Slashdot.
Computer: Authentication succeeded.
Boss: You're fired.
SCNR ;-)
Consistency (Score:2)
I think the big problem with it is that it would tend to be inconsistent in its complexity and might dip to a very low complexity on occasion making it easy to compromise. The algorithm wouldn't have any real idea of when something was easily guessable. Still, probably better in almost all cases than most people's passwords, but not as good as people who use them well.
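Two concerns from this thread, the one above that a challenge generator "wouldn't have any real idea of when something was easily guessable" and the earlier one that security questions are acceptable only in addition to a password and never as a substitute, put into a small selector. This is an added example, not code from the commenters or from the Carleton paper. The `Challenge` type, the `candidates` estimate (how many plausible answers an attacker would have to try for a given question) and the session log are all constructed assumptions; producing an honest `candidates` estimate from real activity data is exactly the hard part the comment identifies, and this code only shows what to do once you have one.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the commenters or the paper). Each activity-derived question
# carries an assumed size of its plausible answer space; a login challenge is only
# issued if its estimated entropy clears a floor, otherwise the system refuses rather
# than serving an easily guessable question.

@dataclass
class Challenge:
    question: str
    answer: str
    candidates: int  # assumed number of plausible answers an attacker must search

def challenge_bits(ch: Challenge) -> float:
    """Guessing entropy if the attacker must search `candidates` equally likely answers."""
    return math.log2(ch.candidates)

def select_challenges(log: List[Challenge], min_bits_each: float,
                      min_bits_total: float) -> Optional[List[Challenge]]:
    """Strongest questions first; None if the floor cannot be met.
    Summing bits assumes independent answers, so the total is an upper bound."""
    usable = [c for c in log if challenge_bits(c) >= min_bits_each]
    usable.sort(key=challenge_bits, reverse=True)
    chosen, total = [], 0.0
    for ch in usable:
        chosen.append(ch)
        total += challenge_bits(ch)
        if total >= min_bits_total:
            return chosen
    return None

def verify(chosen: List[Challenge], answers: List[str]) -> bool:
    """Every answer must match; evaluate all of them so a partial match leaks nothing."""
    if len(answers) != len(chosen):
        return False
    mismatches = sum(a.strip().casefold() != ch.answer.casefold()
                     for ch, a in zip(chosen, answers))
    return mismatches == 0

def authenticate(password_ok: bool, chosen: Optional[List[Challenge]],
                 answers: List[str]) -> bool:
    """Challenges are added to the password factor, never used instead of it."""
    return bool(password_ok) and chosen is not None and verify(chosen, answers)

# Constructed activity log for one session (sample data, not real).
SESSION_LOG = [
    Challenge("Which site did you spend the most time on yesterday?", "example.org", 50),
    Challenge("How many emails did you send yesterday?", "3", 20),
    Challenge("Who did you last send email to?", "pat@example.com", 300),
    Challenge("Which file did you last edit?", "q3-budget.xlsx", 2000),
]

if __name__ == "__main__":
    chosen = select_challenges(SESSION_LOG, min_bits_each=5.0, min_bits_total=20.0)
    for ch in chosen:
        print(f"{challenge_bits(ch):5.2f} bits  {ch.question}")
    print("login:", authenticate(True, chosen,
                                 ["q3-budget.xlsx", "pat@example.com", "example.org"]))
    print("floor too high:", select_challenges(SESSION_LOG, 5.0, 40.0))
```

With the constructed log the selector drops the "how many emails" question (about 4.3 bits) and needs three of the remaining ones to pass a 20-bit floor; raising the floor to 40 bits makes it refuse outright, which is the behaviour the comment asks for instead of a silently weak challenge.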
Re: (Score:2)
Choose your own adventure authentication scheme (Score:2)
Questions (Score:1)
Gmail: What kind of porn were you looking up when you used your gmail account the last time?
Sounds like a plan! (Score:5, Insightful)
Yes, because a site breach wasn't annoying enough yet when they take all of the passwords. Let's give them more information with which to do spearphishing.
Looks like a great opportunity for criminals... (Score:1)
Have these people never heard of microphones?
It also sounds like a really great way to obtain a lot of extremely interesting metadata for nefarious purposes. Personal information that may be also used for things like bank accounts + travel dates? Yay, break in + plundering of all the victim's money!
And then the bank will say "You did this yourself, only you know all this sensitive information. Say bye bye to your money."
Sneakers? (Score:3)
Re: (Score:2)
please speak more slowly
Re: (Score:2)
"It's way more exacting in detecting patterns..."
"Candy Crush, twitter feed, Facebook, Pr0n, CHECKS EMAIL, Candy Crush, twitter feed Facebook, Pr0n,
NEW SECURITY SYSTEM:
"Yup, that's user 210072B all right!"
Lots of code in the heuristics to add the "Yup" on that challenge response.
Re: (Score:2)
But then how would eggheads steal, I mean waste, I mean get more money?
Let's see... (Score:2)
A system that's inconvenient when it works, is insecure, and increases the chance of you getting locked out of your own account.
I really can't see a use case for this.
Last activity? (Score:2)
The main idea is to log a user's activities on the system and then ask questions about them when they login next time
it'll be interesting when the system asks "what was that porn site you visited a lot last time?"
I'm beginning to think that (Score:2)
Re: (Score:1)
Blizzard solved this ages ago! (Score:1)
Laugh (Score:1)
"The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time."
Cloud security?
I think I'll stick with pass phrases.
Do you really want this? (Score:3)
Computer: Last time you were on, you watched a video. In that video a _____ was having sex with a ____. Respond?
End of Line
Prior Art (Score:2)
foiled.... (Score:2)
Really, Again?????? (Score:1)
Actually, this could be useful (Score:2)
As a basis for the knowledge factor component ("something only the user knows") of a multi-factor authentication scheme, this could be very useful, indeed, because it changes every time the user does something. Other forms of knowledge factors such as passwords are vulnerable to spying or code-breaking. The benefit here is it could seriously raise the bar for spoofing the user, since now the attacker would need access to the entire log of activity rather than just a single knowledge factor, and be able to i
Seriously Stupid (Score:2)
Nobody is going to want to go through an interrogation every time they log in.
User activities (Score:3)
Computer: "What did you do the last time you logged on?"
Me: "Surfed for porn and posted snotty comments on Slashdot."
Who woulda' guessed that?
Re: (Score:2)
That means only 20 million people could potentially log in as you or me.
Re: (Score:2)
Computer: "What did you do the last time you logged on?"
Me: "Surfed for porn and posted snotty comments on Slashdot."
Pinky: Gee, Brain, what do you want to do tonight?
Brain: The same thing we do every night, Pinky.
A co-author's thoughts (Score:5, Informative)
Hello. I'm one of the co-authors of the workshop paper that inspired this article. I say "inspired" because the article is completely misleading.
First off, the paper was a position paper. It was primarily speculation about how we could do authentication in the future. The idea behind it was that humans are bad at remembering very specific facts but are very good at remembering stories - narratives. What would it mean to authenticate using stories? Think about how you'd verify the identity of a friend communicating via text message from an unknown phone number or account. Make a computer do that.
And yes, fully developed such a system would be AI-complete. But I think there are lesser incarnations that might be usable and secure. But that is just educated speculation on my part.
Now the paper did present a simple example of how you could do something kinda-narrative-like using text adventures (yes, think Zork). Such a system isn't discussed in more detail because there are many usability challenges. But it can be done. Carson Brown got his Master's thesis [carleton.ca] in fact by building such a system. (Yes, I was his advisor.)
If anyone wants to build a PAM module based on Inform 7 [inform7.com] drop me a line. Could be fun! But it won't be practical.
If you want to learn more, the paper is "Towards narrative authentication, or, against boring authentication." [nspw.org]. The workshop in question is the New Security Paradigms Workshop [nspw.org].
And in case you were wondering, none of us are doing any follow-up work on this right now. But I'm always open to collaboration opportunities. :-)
--Anil Somayaji
Re: (Score:2)
The idea behind it was that humans are bad at remembering very specific facts but are very good at remembering stories - narratives
As long as you don't require accuracy of the facts that build up that story. In this proof [youtube.com] the storytellers are very much unsure what happened, and to whom.
It may be that an attacker, with the story researched and printed, will pass this authentication easier than the legitimate user who made no such preparations.
I have terrible experiences with this (Score:2)
This is a horrible idea. (Score:2)
The NSA monitors everything everybody ever does. They would know the answer to every single one of those questions, and they could use them to break into your accounts and read all your emai----
oh wait.
Memory game (Score:2)
So if I can't seem to convince the system to let me log in to my computer, I should buy my wife flowers?
Surely it's true this time (Score:2)
Wow, I've seen so many inventions claiming to "end the need for complex passwords" over the past twenty years that we've certainly ended the need for complex passwords by now, haven't we? Wait, we haven't?
On another topic, has the Voyager probe left the solar system again yet?
How about... (Score:2)
A system that stops asking me for passwords for every fucking account, website, and game, BECAUSE I'M THE ONLY FUCKING USER OF THIS PC??????
security questions (Score:2)
AUTHENTICATION CHALLENGE:
During your last session, did you (choose one):
(a) Receive email from your sister, Dorothy about her medical condition.
(b) Access your bank account 101000187-33400301
(c) Install a root kit onto 0F13C73AAB0D4E000028038C99D3125A
[CONTINUE TO LOGIN]