Enhancing Authentication: Towards Password Memorability Meters, and Leveraging Implicit Learning for System-Assigned Passwords

增强身份验证：走向密码记忆仪，并利用系统分配密码的隐式学习

• 批准号: RGPIN-2018-05919
• 负责人: VargasMartin, Miguel
• 金额: $ 2.04万
• 依托单位: University of Ontario Institute of Technology
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2020
• 资助国家: 加拿大
• 起止时间: 2020-01-01 至 2021-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=713946
• 关键词: Enhancing; Authentication; Towards; Password; Memorability

Text passwords remain as one of the most widespread authentication mechanisms in computer systems. The strength of a password is thus of paramount importance to security. As such, a number of password strengthening techniques have been proposed in the literature and deployed in the real world. Nevertheless, there exists a trade-off between password strength and memorability, and while password strength meters are common, according to the related literature and to the best of my knowledge, no reliable memorability meter has been published or deployed. The proposed research program will endeavour to analyze memorability of system-assigned passwords at the time of creation, by studying the brain waves generated while seeing a password for the first time. This work will lead to a password meter that can help users to choose a system-assigned password that has higher probability of being remembered, by predicting its recall chances at the time of assigning the password to a user. So far, together with my team of students, I have been able to establish that passwords can be classified based on the electroencephalogram (EEG) signals they elicit. This was found through a series of experiments that used consumer-grade brain-computer interface (BCI) devices to compare EEG differences between random and common passwords (i.e., most common passwords as exposed by popular password leaks). In light of these experiments it became evident that a password meter could be built by measuring short- and long-term password recall. For example, when the user is given a choice of two system-assigned passwords, there are statistically significant correlations between the EEG signals and the chosen password, recalling the password from short- and long-term memory, and the number of attempts to remember the password correctly. To address password usability from a different angle, the proposed research program will investigate authentication techniques that leverage implicit learning phenomena from the psychology field. Some of the most important advantages of implicitly learnt passwords are that the user is not imposed with a conscious cognitive burden, can't retrieve them at will, and therefore to a certain extent implicitly learnt passwords are coercion- and insider-attack resistant. During the past years, my research team and I have designed and tested an authentication technique based on two branches of implicit learning, namely, contextual cueing and semantic priming, which have shown promise not only in terms of accuracy but in training time compared to the most cited recent related works available in the literature. The proposed research program will continue this line of research to improve accuracy as well as training and authentication time. Over 10 highly qualified personnel will be trained in authentication with strong theoretical foundations, benefitting the research community and Canadians in general.

文本密码仍然是计算机系统中最普遍的身份验证机制之一。因此，密码的强度对安全性至关重要。因此，文献中已经提出了许多密码增强技术，并在现实世界中得到了应用。然而，密码强度和可记忆性之间存在权衡，虽然密码强度测量仪很常见，但根据相关文献和我所知，还没有发布或部署可靠的可记忆性测量仪。拟议的研究计划将通过研究第一次看到密码时产生的脑电波，努力分析系统分配的密码在创建时的可记忆性。这项工作将导致一个密码计，可以帮助用户选择一个系统分配的密码，有更高的被记住的可能性，通过预测它的回忆机会，在分配密码给用户。