Enhancing Authentication: Towards Password Memorability Meters, and Leveraging Implicit Learning for System-Assigned Passwords

增强身份验证：走向密码记忆仪，并利用系统分配密码的隐式学习

• 批准号: RGPIN-2018-05919
• 负责人: VargasMartin, Miguel
• 金额: $ 2.04万
• 依托单位: University of Ontario Institute of Technology
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2018
• 资助国家: 加拿大
• 起止时间: 2018-01-01 至 2019-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=667628
• 关键词: Enhancing; Authentication; Towards; Password; Memorability

Text passwords remain as one of the most widespread authentication mechanisms in computer systems. The strength of a password is thus of paramount importance to security. As such, a number of password strengthening techniques have been proposed in the literature and deployed in the real world. Nevertheless, there exists a trade-off between password strength and memorability, and while password strength meters are common, according to the related literature and to the best of my knowledge, no reliable memorability meter has been published or deployed. The proposed research program will endeavour to analyze memorability of system-assigned passwords at the time of creation, by studying the brain waves generated while seeing a password for the first time. This work will lead to a password meter that can help users to choose a system-assigned password that has higher probability of being remembered, by predicting its recall chances at the time of assigning the password to a user.******So far, together with my team of students, I have been able to establish that passwords can be classified based on the electroencephalogram (EEG) signals they elicit. This was found through a series of experiments that used consumer-grade brain-computer interface (BCI) devices to compare EEG differences between random and common passwords (i.e., most common passwords as exposed by popular password leaks). In light of these experiments it became evident that a password meter could be built by measuring short- and long-term password recall. For example, when the user is given a choice of two system-assigned passwords, there are statistically significant correlations between the EEG signals and the chosen password, recalling the password from short- and long-term memory, and the number of attempts to remember the password correctly.******To address password usability from a different angle, the proposed research program will investigate authentication techniques that leverage implicit learning phenomena from the psychology field. Some of the most important advantages of implicitly learnt passwords are that the user is not imposed with a conscious cognitive burden, can't retrieve them at will, and therefore to a certain extent implicitly learnt passwords are coercion- and insider-attack resistant. During the past years, my research team and I have designed and tested an authentication technique based on two branches of implicit learning, namely, contextual cueing and semantic priming, which have shown promise not only in terms of accuracy but in training time compared to the most cited recent related works available in the literature. The proposed research program will continue this line of research to improve accuracy as well as training and authentication time.******Over 10 highly qualified personnel will be trained in authentication with strong theoretical foundations, benefitting the research community and Canadians in general.

文本密码仍然是计算机系统中最广泛的身份验证机制之一。因此，密码的强度对于安全至关重要。因此，文献中提出了许多密码强化技术并在现实世界中部署。然而，密码强度和记忆性之间存在权衡，虽然密码强度测量很常见，但根据相关文献和据我所知，尚未发布或部署可靠的记忆测量。拟议的研究计划将致力于通过研究第一次看到密码时产生的脑电波来分析系统分配的密码在创建时的可记忆性。这项工作将催生出一种密码计量器，通过预测在将密码分配给用户时的回忆机会，可以帮助用户选择更容易被记住的系统分配的密码。******到目前为止，与我的学生团队一起，我已经能够根据密码引发的脑电图 (EEG) 信号对密码进行分类。这是通过一系列实验发现的，这些实验使用消费级脑机接口 (BCI) 设备来比较随机密码和常见密码（即流行密码泄露所暴露的最常见密码）之间的脑电图差异。根据这些实验，很明显可以通过测量短期和长期密码回忆来构建密码计量器。例如，当用户选择两个系统分配的密码时，脑电图信号与所选密码、从短期和长期记忆中回忆密码以及尝试正确记住密码的次数之间存在统计上显着的相关性。为了从不同角度解决密码可用性问题，拟议的研究计划将研究利用心理学领域内隐学习现象的身份验证技术。隐式学习密码的一些最重要的优点是，用户不会被强加有意识的认知负担，无法随意检索它们，因此在一定程度上隐式学习的密码可以抵抗强制和内部攻击。在过去的几年里，我和我的研究团队设计并测试了一种基于内隐学习的两个分支（即上下文提示和语义启动）的身份验证技术，与文献中引用最多的最新相关作品相比，该技术不仅在准确性方面而且在训练时间方面都显示出了希望。拟议的研究计划将继续这一研究方向，以提高准确性以及培训和认证时间。******将有超过 10 名高素质人员接受具有坚实理论基础的认证培训，使研究界和整个加拿大人受益。