by Claude Castelluccia, Markus Duermuth and Fatma Imamoglu
This project, which is a collaboration between Inria, Ruhr-University Bochum, and UC Berkeley, operates at the boundaries of Neuroscience and Internet Security with the goal of improving the security and usability of user authentication on the Internet.
Most existing security systems are not user friendly and impose a strong cognitive burden on users. Such systems usually require users to adapt to machines, whereas we think that machines should be adjusted to users. There is often a trade-off between security and usability: in current applications, security tends to decrease usability. A prime example of this trade-off can be observed in user authentication, which is an essential requirement for many web sites that need to secure access to stored data. Most Internet services use password-based schemes for user authentication.
Password-based authentication schemes are knowledge-based, since they require users to memorize secrets, such as passwords. In password-based schemes, higher security means using long, random combinations of characters as passwords, which are usually very difficult to remember. In addition, users are asked to provide different passwords for different web sites, each of which has its own specific password policy. These trade-offs are not well understood, and password-based authentication is often unpopular among users. Despite substantial research focusing on improving the state of the art, very few alternatives are in use.
This project explores a new type of knowledge-based authentication scheme that eases the high cognitive load of passwords. Password-based schemes, as well as other existing knowledge-based authentication schemes, use explicit memory. We propose a new scheme, MooneyAuth, which is based on implicit memory. In our scheme, users can reproduce an authentication secret by answering a series of questions or performing a task that affects their subconscious memory. This has the potential to offer usable, deployable, and secure user authentication. Implicit memory is effortlessly utilized for every-day activities like riding a bicycle or driving a car. These tasks do not require explicit recall of previously memorized information.
The authentication scheme we propose is a graphical authentication scheme, which requires users to recognize Mooney images: degraded two-tone images that contain a hidden object. In contrast to existing schemes, this scheme is based on visual implicit memory. The hidden object is usually hard to recognize at first sight but is easy to recognize if the original image has been presented beforehand (see Figure 1). This technique is named after Craig Mooney, who used similar images of face drawings as early as 1957 to study the perception of incomplete pictures in children.
Figure 1: Left is the modified gray-scale version of the image, right is the Mooney version of the gray-scale image. Copyright for the original image by Alex Pepperhill (CC BY 2.0, source: https://www.flickr.com/photos/56278705@N05/8854256691/in/photostream/).
Our authentication scheme is composed of two phases. In the priming phase, the user is ‘primed’ with a set of images: each original image, its Mooney version and the corresponding label. During the authentication phase, a larger set of Mooney images, including the primed images from the priming phase, is displayed to the user. The user is then asked to label the Mooney images that she was able to recognize. Finally, the system computes an authentication score from the correct and incorrect labels and grants or denies access accordingly. A prototype of our proposed authentication scheme can be found online (see link below). We tested the viability of the scheme in a user study with 230 participants, and measured the performance of the scheme on the participants who completed the authentication phase. Results show that our scheme is close to being practical for applications where timing is not overly critical (e.g., fallback authentication).
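As an added illustration of the two-phase flow just described (this is example code written for this article, not the MooneyAuth prototype or the study's scoring rule), the simulation below builds a priming set, mixes it into a larger authentication challenge, and scores the user's labels. The image catalogue and labels are constructed, and the scoring rule is an assumption chosen so that an adversary who can solve every Mooney image in the catalogue gains nothing: labelling an unprimed image correctly costs as much as labelling a primed one earns, because only the legitimate user knows which images were primed.

```python
import random

# Constructed catalogue of Mooney images: image id -> label of the hidden object.
# Ids and labels are invented for this example; the study used real photographs.
CATALOGUE = {
    "img01": "dog", "img02": "car", "img03": "horse", "img04": "bicycle",
    "img05": "cat", "img06": "guitar", "img07": "boat", "img08": "elephant",
    "img09": "tree", "img10": "chair", "img11": "piano", "img12": "camera",
}


def priming_set(catalogue, k, seed):
    """Priming phase: choose the k images shown to the user together with their
    original version and label. The selection is the per-user secret."""
    rng = random.Random(seed)
    return rng.sample(sorted(catalogue), k)


def challenge(catalogue, primed, n_total, seed):
    """Authentication phase: the primed images mixed with unprimed distractors,
    shuffled so position reveals nothing about which images were primed."""
    rng = random.Random(seed)
    distractors = [img for img in sorted(catalogue) if img not in primed]
    picked = list(primed) + rng.sample(distractors, n_total - len(primed))
    rng.shuffle(picked)
    return picked


def normalise(label):
    """Tolerate case and surrounding whitespace in typed labels."""
    return label.strip().lower()


def score(catalogue, primed, answers):
    """Compute the authentication score from the user's labels.

    answers maps image id -> label typed by the user; images the user did not
    recognise are simply absent. Assumed scoring rule (not the paper's):
      +1 for a correct label on a primed image,
      -1 for a correct label on an unprimed image (what a catalogue-wide
         solver would produce),
      -1 for any wrong label.
    """
    total = 0
    for img, label in answers.items():
        if normalise(label) != catalogue[img]:
            total -= 1
        elif img in primed:
            total += 1
        else:
            total -= 1
    return total


def decide(catalogue, primed, answers, threshold):
    """Grant access when the score reaches the configured threshold."""
    return score(catalogue, primed, answers) >= threshold


def demo():
    """Run both phases for a user and for an adversary who knows every label."""
    primed = priming_set(CATALOGUE, k=5, seed=42)
    shown = challenge(CATALOGUE, primed, n_total=10, seed=7)

    # Constructed behaviour of the legitimate user: recognises four of the five
    # primed images, skips the rest, and makes one wrong guess on a distractor.
    recognised = {img: CATALOGUE[img] for img in primed[:4]}
    distractor = next(img for img in shown if img not in primed)
    recognised[distractor] = "truck"  # wrong label
    user_ok = decide(CATALOGUE, primed, recognised, threshold=3)

    # Adversary who can label every Mooney image but does not know the primed set.
    omniscient = {img: CATALOGUE[img] for img in shown}
    adversary_ok = decide(CATALOGUE, primed, omniscient, threshold=3)
    return user_ok, adversary_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The threshold and penalties are the knobs a deployment would tune from study data: a lower threshold reduces false rejections of users whose priming has faded, while a stricter penalty on unprimed labels limits what an attacker who has collected the whole image catalogue can achieve.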
We believe that this line of research, at the frontier of cognitive neuroscience and Internet security, is very promising and requires further research. In order to improve the usability of authentication schemes, security researchers must achieve a better understanding of human cognition.
A. Adams and M. A. Sasse: “Users are not the enemy”, Commun. ACM, 42(12):40-46, Dec. 1999.
F. Imamoglu, T. Kahnt, C. Koch and J.-D. Haynes: “Changes in functional connectivity support conscious object recognition”, NeuroImage, 63(4):1909-1917, Dec. 2012.
C. M. Mooney: “Age in the development of closure ability in children”, Canadian Journal of Psychology, 11(4):219-226, Dec. 1957.
Ruhr-University Bochum, Germany
UC Berkeley, U.S.A.