If you’re anything like the average Internet user, you have an arsenal of logins and passwords stored in your head. And sometimes, to make your passwords easier to remember, you resort to choosing simple words or phrases, repeating the same password across multiple accounts, or even committing the worst security sin and simply typing in “password” when you’re asked to create yet another login.
But many researchers are intent on making such insecure passwords a thing of the past. MIT Technology Review’s Rachel Metz reports that a group of researchers is investigating whether asking you to recall your text messages, calls, or Facebook likes could be a more useful and secure log-in strategy than relying on a traditional password to protect your accounts. They think that the types of tasks you complete regularly on your smartphone or computer could be easy for you to remember, but would be much more difficult for a hacker to guess.
As part of a project called ActivPass, researchers from the Indian Institute of Technology Kharagpur in West Bengal, India, the University of Texas at Austin, and the University of Illinois Urbana-Champaign studied how well people could answer questions based on a log of their activity, such as what they posted on Facebook, the websites they visited, the songs they downloaded, and the people they called and texted.
The researchers used an app to collect data from the study participants’ smartphones, and also gathered some data from their computers. They quizzed participants to find out what they could remember about their activity, using an algorithm to find infrequent events to use as the basis for questions. (The logic is that you’ll be much more likely to remember getting a call from a friend you haven’t spoken with in a while than to recall when you talked with someone you converse with much more frequently.)
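As an added illustration, and not code from the ActivPass paper or the article, the following Python sketch implements the question-selection logic described above over a constructed call/text log: count how often each counterpart appears over a history window, then pick only recent events whose counterpart is rare. The sample contacts, window lengths and function names are assumptions; the function returns None when nothing recent qualifies, which is the "haven't used your phone lately" case the researchers flag as an open problem.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample activity log (not real data): (timestamp, event type, counterpart)
SAMPLE_LOG = [
    ("2015-03-01 09:10", "call", "alice"),
    ("2015-03-02 18:40", "call", "alice"),
    ("2015-03-05 12:05", "text", "bob"),
    ("2015-03-07 08:30", "call", "alice"),
    ("2015-03-09 20:15", "text", "bob"),
    ("2015-03-12 11:00", "call", "alice"),
    ("2015-03-14 17:45", "call", "carol"),  # rare contact, but not recent
    ("2015-03-18 13:20", "text", "bob"),
    ("2015-03-19 10:05", "call", "alice"),
    ("2015-03-19 21:30", "text", "dave"),   # rare contact, recent: good question
    ("2015-03-20 07:50", "call", "alice"),
]

def parse_log(log):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, who) for ts, kind, who in log]

def select_challenge_events(log, now, recent_days=2, history_days=30, max_count=1):
    """Return recent events whose counterpart appears at most max_count times in the
    history window, rarest first and then most recent first. A daily contact never
    qualifies; a once-a-month contact that happened to show up this week does."""
    events = parse_log(log)
    history_start = now - timedelta(days=history_days)
    recent_start = now - timedelta(days=recent_days)
    in_history = [e for e in events if history_start <= e[0] <= now]
    freq = Counter(who for _, _, who in in_history)
    picks = [e for e in in_history if e[0] >= recent_start and freq[e[2]] <= max_count]
    picks.sort(key=lambda e: (freq[e[2]], -e[0].timestamp()))
    return picks

def make_question(log, now, n_choices=4):
    """Turn the rarest recent event into a multiple-choice prompt (prompt, answer,
    choices); distractors are the user's most frequent contacts. None if nothing qualifies."""
    picks = select_challenge_events(log, now)
    if not picks:
        return None
    when, kind, who = picks[0]
    freq = Counter(w for _, _, w in parse_log(log))
    distractors = [w for w, _ in freq.most_common() if w != who][: n_choices - 1]
    prompt = f"Who did you {kind} on {when:%Y-%m-%d}?"
    return prompt, who, sorted(distractors + [who])
```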
In a paper titled “ActivPass: Your Daily Activity is Your Password” (PDF), the researchers report that asking questions about recent and infrequent events worked 95% of the time. This kind of authentication could eventually replace the list of usernames and passwords that most of us memorize, or, Metz notes, serve as a backup for when you forget a password. The researchers also think that it could cut down on the frequency with which users share their passwords for services like Netflix. Romit Roy Choudhury, an associate professor at the University of Illinois Urbana-Champaign and a coauthor on the paper, tells Technology Review, “Whenever there’s something you and your phone share and no one else knows, that’s a secret, and that can be used as a key.”
Choudhury says that the group of researchers is in discussions with companies like Yahoo and Intel to figure out if the research could prove useful for enterprise users, and, if so, to determine exactly how to implement the idea. A potential challenge could be to figure out what kind of activity data users would be comfortable sharing. Another would be figuring out how the system would work if you haven’t used your phone recently or can’t recall the activity it’s asking you about.
Metz reports that Jason Hong, an associate professor at Carnegie Mellon University, has conducted similar research, as laid out in a paper on “Exploring Capturable Everyday Memory for Autobiographical Authentication” (PDF). Hong says that the percentage of users who can correctly answer questions about other people is low, but the number is still unacceptably large when scaled up to the size of a service used by millions of people.
Because of these security concerns, Hong thinks that activity-based authentication might work best as part of a more complex authentication process. For example, if your phone detects that you’re logging in to a service from a new place, it could ask you a few questions to make sure that you’re really who you say you are. Some sites and services already do this, as banks, for example, often ask users to further authenticate themselves when logging in from a different computer.
Researchers and developers alike have been looking for ways to replace passwords — which many users make easy to remember and therefore similarly easy to break — with a more secure solution. Possible password alternatives include biometric authentication, like fingerprint, iris, or facial recognition; logins that use your Facebook or Twitter credentials to grant you access to other sites and services; or authentication methods that use your geolocation, the NFC or Bluetooth transmissions of your smartphone, or even app-based authentication.
Andrew Froehlich recently reported for Information Week that for many of these alternative authentication methods to work, we’ll need to change our philosophy on the levels of security that are necessary. Froehlich writes, “Risk levels need to be determined on a per-application and per-authorization level. If risk levels are low, perhaps a simplified authentication method will suffice. When risk levels are high, by all means lock it down like Fort Knox.”