
Researchers Develop "Narrative Authentication" System

samzenpus posted about 7 months ago | from the tell-me-about-yourself dept.

Security

hypnosec writes "Researchers have developed a 'narrative authentication' system that could put an end to the need to remember complex passwords to log onto computer systems. The new system has been developed by Carson Brown and his colleagues over at Carleton University in Ottawa, Canada. The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they log in next time. Users can interact with the logging software and add their own events in the real world like wedding dates, holidays, travel dates, etc."


117 comments


B.S. For funding (5, Insightful)

Great Big Bird (1751616) | about 7 months ago | (#45876761)

Sounds like useless bullshit produced to get funding dollars.

Re: B.S. For funding (5, Insightful)

Anonymous Coward | about 7 months ago | (#45876867)

Cynic. How can you not believe in something that tracks your computer use and then lets you add commonly known dates as additional verification? There's no way a co worker will ever be able to log into your account at work, or a family member at home.

BTW, who wants to play 20 questions when logging in and what company gets to own the data about your computer use?

Re: B.S. For funding (1)

Anonymous Coward | about 7 months ago | (#45876903)

You forgot about stalkers. They'll love this type of thing.

Re: B.S. For funding (1)

buck-yar (164658) | about 7 months ago | (#45876993)

The problem with this is it's a weak system. Many accounts are already hacked via the security questions.

Re: B.S. For funding (1)

PvtVoid (1252388) | about 7 months ago | (#45877119)

The problem with this is it's a weak system. Many accounts are already hacked via the security questions.

Does anybody seriously answer "security questions" honestly? I always, always, fill them in with a random character string.

Re: B.S. For funding (0)

Anonymous Coward | about 7 months ago | (#45877333)

The problem with this is it's a weak system. Many accounts are already hacked via the security questions.

Does anybody seriously answer "security questions" honestly? I always, always, fill them in with a random character string.

Heh. "What is my password?"

Re: B.S. For funding (0)

Anonymous Coward | about 7 months ago | (#45877725)

Pick obscure vegetable for all security questions, like tomato.

Re: B.S. For funding (0)

Anonymous Coward | about 7 months ago | (#45878541)

A tomato is such an obscure vegetable that it's actually a fruit.

Who owns and protects answers to security question (0)

Anonymous Coward | about 7 months ago | (#45880319)

If I have to answer a security question to get into a site, who owns the answer to the security question?
Why should I have to tell them what High School I graduated from, so they can spam me with reunion advertising?
Isn't asking and answering security questions itself a form of phishing?

The problem with giving false answers is having to remember or record what answer was for what question.
I used to give the same answer for all questions too, but sites have started checking for and prohibiting that.

Where do I join the class action lawsuit claiming that requiring answers to security questions is an invasion of my privacy and not required according to the previously established relationship, and that asking security questions is phishing and hence a computer crime itself!

Re: B.S. For funding (1)

dkleinsc (563838) | about 7 months ago | (#45877339)

And of course, there's absolutely no possible way that a Facebook employee would have access to that information.

Re: B.S. For funding (2)

mlts (1038732) | about 7 months ago | (#45877935)

We had this with Facebook in the past. It would pop up a picture and you would match it up with a friend. However, a lot of people use cat pictures, red "=" symbols, just a black picture, or some other cause they are trying to champion. So, choosing between five pictures that are solid black (like Spinal Tap's album) to match up with a friend is pointless.

Of course, challenge/response questions are not great either. Palin can tell one this. Plus, sniff one password, sniff them all.

Recovery of an account is a hard nut to crack, on both the password protection/authentication front, as well as key recovery/escrow.

For key escrow/recovery, in a previous life, a place I worked at (long since bought up by another company) had a no name holding corporation which rented an office. Once past the alarm system (had both duress and holdup alarms), and into a side room, there was a large jewelry safe with glass panels that would fire off relockers if the door was hit with a hammer and a Mas-Hamilton (Now Kaba Mas) X-08 combination lock. The safe had a locked compartment that housed the private keys that were uuencoded and printed out. In the safe were a couple burned CDs with the info as well.

This office (as well as another remote site) provided adequate key recovery for this SMB, although trying to scale up from that would be tough.

Authentication is easier... you don't have to have the exact key, just prove that you are whom you claim to be. For a lot of things, having a website text a person's number with a 4-6 digit code, and one inputting that in a website is good enough, especially if the SMS protocol gets augmented by better security a la Apple's iMessage. This isn't 100% though, especially if the number gets cut off by the telco. However, combining this with a scratch off card with some one use numbers might cover more bases, although if one loses everything (phone, scratch off card) in a fire, they are hosed.

Re: B.S. For funding (2)

vlad30 (44644) | about 7 months ago | (#45879051)

ask for wedding date! Only man I knew who could remember that had it etched on his wedding band and he still missed getting an anniversary gift

Re: B.S. For funding (1)

ShanghaiBill (739463) | about 7 months ago | (#45879473)

Only man I knew who could remember that had it etched on his wedding band and he still missed getting an anniversary gift

Pro-tip: Buy wedding/birthday/whatever gifts in advance, and in bulk, and already professionally gift wrapped. Then hide them someplace your wife/gf will never look, such as your toolbox in the garage. Then when she says "you forgot our anniversary", you can say "no I didn't!" and go fetch a gift. I already have a dozen pre-wrapped Swarovski crystals that I bought on eBay, so I am covered for the next few years.

Re: B.S. For funding (3, Funny)

neoritter (3021561) | about 7 months ago | (#45880191)

I tried this and ended up with a closet full of dead puppies...

Re:B.S. For funding (0)

Anonymous Coward | about 7 months ago | (#45877159)

Oh it is more sinister than merely a funding vehicle if you look beneath the surface. Carleton University is a direct feeder into various Government of Canada departments and agencies.

Re:B.S. For funding (2)

MitchDev (2526834) | about 7 months ago | (#45877209)

No kidding, how many people remember what they had for lunch yesterday as opposed to a password? That's all this sounds like.

Re: B.S. For funding (0)

Anonymous Coward | about 7 months ago | (#45877243)

Exactly this. Mod parent up!

No, thank you. (5, Insightful)

Parsiuk (2002994) | about 7 months ago | (#45876763)

I'm sick of "intelligent" systems which are making my life more and more complicated.

Re:No, thank you. (-1, Flamebait)

smitty_one_each (243267) | about 7 months ago | (#45876875)

Why do you H8 the government?

Re:No, thank you. (1)

Chrisq (894406) | about 7 months ago | (#45877003)

Why do you H8 the government?

is that a rhetorical question?

Re:No, thank you. (1)

smitty_one_each (243267) | about 7 months ago | (#45877029)

Mostly

Re:No, thank you. (1)

MitchDev (2526834) | about 7 months ago | (#45877213)

More accurately, why wouldn't you hate the government?

Re:No, thank you. (1)

parkinglot777 (2563877) | about 7 months ago | (#45877223)

You shouldn't involve an irrelevant topic in this discussion. It is not really funny but rather troll or flame bait.

Back to the topic, I agree with the GP that the new system in TFA is actually more complicated than simply memorizing a set of passwords. In other words, you will have to remember what you did. If you need to log in every day, it "may" be OK (some people may unintentionally forget what they did for many reasons). If you are required to log in once a week, you are likely to forget what you did last week.

Re: No, thank you. (0)

Anonymous Coward | about 7 months ago | (#45877369)

This is a private corporation, which makes things more difficult!

i'm drunk and i don't remember my activities (4, Funny)

Anonymous Coward | about 7 months ago | (#45876771)

lemme in ya fukcin piceec of shhhtt!!!!!!

The real problem... (2)

tlambert (566799) | about 7 months ago | (#45876965)

lemme in ya fukcin piceec of shhhtt!!!!!!

The real problem is not when you're drunk; eventually, you'll be sober and be able to log in later. That's almost a feature, like a breathalyzer on your phone to keep you from drunk-dialing old lovers who got married to someone else 5 years ago.

No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?

Re:The real problem... (0)

Anonymous Coward | about 7 months ago | (#45877023)

eventually, you'll be sober

Not a chance! [youtu.be]

Re:The real problem... (1)

Anonymous Coward | about 7 months ago | (#45877037)

"No, the real problem is when you *were* logged in, got drunk, did things, and now can't remember what you did the day after, since it involved StumbleUpon.com and one shot too many. How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?"

Does that mean when you're drunk, you don't remember the color of the 17th cat you watched yesterday?

Re:The real problem... (0)

Anonymous Coward | about 7 months ago | (#45877163)

How in the heck will you ever guess "Namibian Hang Glider Porn" (or whatever) after you sober up?

"Namibian midget Hang Glider Porn"
Now, it's memorable!
Also, several other parties may keep track of it for you.

so, you just have to remember everything (0)

Anonymous Coward | about 7 months ago | (#45876781)

you ever did to be able to log in?

Re:so, you just have to remember everything (0)

Anonymous Coward | about 7 months ago | (#45876863)

Yeah, now not only your wife will sulk if you forget your wedding day, but also your computer. ;-)

Gosh... (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 7 months ago | (#45876791)

An authentication system that combines the fun of 'intelligent' phone-tree voice recognition 'expert' systems with the assumption that biographical trivia are anything other than hilariously public.... Where do I sign up?

Re:Gosh... (1)

Impy the Impiuos Imp (442658) | about 7 months ago | (#45879715)

"log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time"

"Based on your history, who do you think is sexier, JLaw, Tay Tay, or Bailey Jay?"

"Where's the goddam opt out button on this thing?"

XKCD FTW (5, Insightful)

Gothmolly (148874) | about 7 months ago | (#45876803)

I'll just leave this right here

https://xkcd.com/936/ [xkcd.com]

Re:XKCD FTW (2, Insightful)

Anonymous Coward | about 7 months ago | (#45876889)

Ah, the correct battery staple horse. No, wait, that's wrong. It must be horse battery staple correct. Or was it battery staple horse correct?

Re:XKCD FTW (1)

Mathinker (909784) | about 7 months ago | (#45877219)

Uh, it's still only going to take 24 tries before you get it correct, in the very worst case in the scenario you propose. And the xkcd strip was making a "differential" argument, not an absolute one (e.g., for the same security, are you more likely to forget a password of random characters versus a series of words).

What's actually of greatest importance is how often you use the password. In my experience, complex passwords which are seldom used are a recipe for disaster. When I go on vacation, I sometimes take SHA1 hashes of my more problematic passwords with me so I can "practice" them...

Re:XKCD FTW (1)

jfengel (409917) | about 7 months ago | (#45879855)

It gets worse once you have more than one password to remember. The silly image tries to link them all together, so that you don't get your "correct horse battery staple" mixed up with your "blender green lobster carburetor" at your bank and your "mango bookbag tooth bitter" for your work computer, but if you've left any of them alone for more than a few weeks they fade and get mixed up. "Correct horse battery staple" stands out by itself from your eight-letter passwords for being different, but as part of a whole password ecosystem the advantages diminish.

In the end, I think that entropy is entropy. Trying to use visual mnemonics to handle more entropy is an old (and helpful) trick, but the XKCD example isn't a good one: three of the four words appear as words. Only the horse shows up solely as a horse; only the "battery staple" really connects two separate words together visually.

"Memory castles" work because they tell a story, and they're for memorizing stories. But they're not all that good at memorizing them exactly, letter for letter, which is the point of a pass phrase. And when the elements of the story truly are random, they don't evoke each other. To provide real continuity you'd need to turn your four words into a full story, and now you're memorizing lots of extra bits to make them cohere.

This isn't a terrible idea; passwords are hard. But it's not the automatic win that Munroe makes it look like. You simply won't be able to keep hundreds of bits of entropy in your head without flaw unless you practice them over and over. And if you practice over and over, you can do just as well with "Tr0ub4d0r" as anything else.

Re:XKCD FTW (2)

FilmedInNoir (1392323) | about 7 months ago | (#45877857)

How dare you question the humor and wisdom of stick men AC!

Re:XKCD FTW (0)

Anonymous Coward | about 7 months ago | (#45876983)

Long passphrases are more memorable than short passphrases, and if you don't like punctuation, don't use it. Could the comic be any more obvious?

Personally, I like my long passphrases with caps, substitutions, and random junk mixed in.

Re:XKCD FTW (0)

Anonymous Coward | about 7 months ago | (#45877017)

The comic also disregards bigram, trigram, ... and n-gram probabilities. People who quote it should study cryptography or change careers.

Re:XKCD FTW (1)

PvtVoid (1252388) | about 7 months ago | (#45877895)

The comic also disregards bigram, trigram, ... and n-gram probabilities. People who quote it should study cryptography or change careers.

No it doesn't. The entropy in a set of N unique randomly chosen words from a P-word dictionary is P*(P-1)*(P-2)...*(P-N), or approximately P^N. Period. N-gram probabilities from natural language have absolutely fuck all to do with anything here.
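Mathinker's and PvtVoid's posts above talk about the guess space of a random word-list passphrase without working the numbers through. The following is an added Python example, not code from the thread or from xkcd: it counts the ordered selections of N words from a P-word list (with and without requiring the words to be distinct), converts that to bits of entropy, and gives the N! orderings a user would have to try if they remembered the words but not the order. The 2048-word list (11 bits per word, 44 bits for four words) is the parameter the linked comic uses; the 7776-word list size used in the demonstration is the standard Diceware list size and is stated here as a known fact, not something from the thread.

```python
import math

# Added example: quantifying passphrase strength for words drawn
# uniformly at random from a fixed word list. Not from the thread.


def passphrase_keyspace(dictionary_size: int, words: int, distinct: bool = True) -> int:
    """Number of equally likely passphrases made of `words` words drawn
    from a list of `dictionary_size` words.

    distinct=True  -> ordered selection without replacement:
                      P * (P-1) * ... * (P-N+1)
    distinct=False -> repeats allowed: P ** N
    """
    if dictionary_size < 1 or words < 0:
        raise ValueError("need a non-empty word list and a non-negative word count")
    if not distinct:
        return dictionary_size ** words
    if words > dictionary_size:
        raise ValueError("cannot draw more distinct words than the list holds")
    space = 1
    for i in range(words):
        space *= dictionary_size - i
    return space


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy of a uniform choice over `keyspace` possibilities."""
    return math.log2(keyspace)


def passphrase_entropy_bits(dictionary_size: int, words: int, distinct: bool = True) -> float:
    return entropy_bits(passphrase_keyspace(dictionary_size, words, distinct))


def character_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen uniformly from `alphabet_size`
    symbols. This is the ceiling for a machine-generated password; a
    human-chosen string like 'Tr0ub4d0r' sits well below it."""
    return length * math.log2(alphabet_size)


def orderings_to_try(words: int) -> int:
    """Worst case for a user who recalls the words but not their order:
    every permutation, i.e. words! attempts (4 words -> 24)."""
    return math.factorial(words)


def expected_guesses(keyspace: int) -> float:
    """Average number of guesses for an attacker who knows the scheme and
    the word list but not the choice: half the keyspace."""
    return keyspace / 2


if __name__ == "__main__":
    # The comic's parameters: 2048-word list, four words.
    print("4 words from 2048 (repeats ok):  %.2f bits" % passphrase_entropy_bits(2048, 4, distinct=False))
    print("4 words from 2048 (distinct):    %.2f bits" % passphrase_entropy_bits(2048, 4))
    print("orderings if order is forgotten:", orderings_to_try(4))
    # A longer passphrase from the 7776-word Diceware list.
    print("6 words from 7776 (distinct):    %.2f bits" % passphrase_entropy_bits(7776, 6))
    # Uniform 9-character password over 72 symbols, for comparison.
    print("9 random chars from 72 symbols:  %.2f bits" % character_password_entropy_bits(9, 72))
    print("expected guesses, 4 of 2048:     %.0f" % expected_guesses(passphrase_keyspace(2048, 4)))
```

Requiring the words to be distinct changes the total by a fraction of a bit for any realistic list size, which is why the P^N approximation is good enough for comparing schemes; what matters far more is that the words really are drawn at random rather than chosen by the user.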

Re: XKCD FTW (0)

Anonymous Coward | about 7 months ago | (#45877181)

the problem with very long passwords is that typing them in gets tedious when you have to do it all the time

Re: XKCD FTW (1)

Anonymous Coward | about 7 months ago | (#45878567)

the problem with very long passwords is that typing them in gets tedious when you have to do it all the time

on your phone.

NSA thanks the devs (1)

Anonymous Coward | about 7 months ago | (#45876807)

Yeah, really good idea... I bet the NSA already has some guys rubbing their hands in glee while they wait for this tool to be released and start collecting information for them for free!

Completely unhackable (2)

mwvdlee (775178) | about 7 months ago | (#45876817)

Completely unhackable because there can only ever be one system that can scan all these sources.
A hacker could not possibly create their own system that scans the same public facebook pages and twitter posts.

Re:Completely rehackable (2)

VortexCortex (1117377) | about 7 months ago | (#45876933)

It's not meant to be incompletely unhackable. Think of it as adding another factor of authentication. So, with three factor authentication there will be something you know (your password), something you have (your ID card / token), and something you are (a nerd). This adds a fourth factor: Something you did (forgot what that was and called tech support).

The genius of this system is that it relies on the existing proven security of the questions overseas help desk personnel usually ask you like: How long has it been since you logged in? What's your favorite sports team? What kind of accent is that? What's your mother's maiden name? What are you wearing? Etc.

Re:Completely rehackable (1)

Anonymous Coward | about 7 months ago | (#45877043)

The genius of this system is that it relies on the existing proven security of the questions overseas help desk personnel usually ask you like: How long has it been since you logged in? What's your favorite sports team? What kind of accent is that? What's your mother's maiden name? What are you wearing? Etc.

"Security questions" are a threat to security, as they enable a shortcut past (i.e. easier to guess than) the regular protection of a password. If you demand security questions _in_addition_ to passwords, and never EVER use them without also demanding passwords, then you can create a system that is at least not less secure than a system with only passwords.

In most cases, when I review the security of some system, the existence of security questions is sufficient reason to reject the product altogether and tell the developers to re-think the security aspects from scratch. It's not the programmers' fault, it's their "security" guys' fault, but it is the developers who will suffer for it. Unfortunately.

Re:Completely rehackable (1)

Somebody Is Using My (985418) | about 7 months ago | (#45877649)

Except this isn't an example of the third "something you are" factor; it is just more of "something you know".

Now, if the system analyzed your data, created an accurate profile of you and then postulated a rhetorical situation, asked you how you would respond to same, and gave access based on your response, that might be a better example of a third factor. This changes it from a recitation of a fact (be it a password or personal data) which anyone can answer to an analysis of attributes unique to the individual (biometric data or psychological traits), which purportedly can only be provided by the authorized person.

Example

Computer: It's Friday night, and your girlfriend wants to go to see %chickflick%, but you want %scifiepic%; what do you do?
Slashdot User: Neither, on Friday nights I play World of Warcraft with my guild!
Computer: Access granted.
(alternately, "what's a girlfriend" would also have sufficed)

Of course, that would require the system to make a 100% accurate /and unique/ profile for each user, and somehow I don't think the proposed system is quite up to the task.

No, what is being suggested is just changing a static password to a collection of facts which supposedly are both easier to remember and only known in full to the authorized user.

Re:Completely rehackable (1)

Electricity Likes Me (1098643) | about 7 months ago | (#45877695)

The problem is all of this information is incredibly public. What did I last buy on ebay? Probably a thing I then told a bunch of people I bought for a great price on ebay.

You could even game this system - do a bunch of fake logins, and use the questions to reverse-engineer the responses.

Re:Completely unhackable (1)

alphatel (1450715) | about 7 months ago | (#45877051)

Completely unhackable because there can only ever be one system that can scan all these sources.

Yes it's called the NSA

OVER AT ?? (-1)

Anonymous Coward | about 7 months ago | (#45876829)

Yeehaaaawww !! Nuttin like a Canadian brokeback cowboy !!

Retarded (4, Insightful)

Hognoxious (631665) | about 7 months ago | (#45876833)

Last time I forgot a gmail password it did this. Something like the last 3 people I'd emailed, and the last three I'd received emails from and some other tripe. I don't mean the magic "first pet dog's name" question or anything like that.

I remembered my password before I even got close to figuring any of that shit out.

Re:Retarded (4, Funny)

Frankie70 (803801) | about 7 months ago | (#45876941)

I remembered my password before I even got close to figuring any of that shit out.

So it worked.

Re:Retarded (0)

Anonymous Coward | about 7 months ago | (#45877085)

last three I'd received emails from and some other tripe.

Seriously? Nine out of ten emails I receive live in the twilight zone between genuine spam and vaguely useless communications. Conference CFPs, mail from various alleged "rewards" programs, irrelevant work emails reminding people not to stick scissors in toasters, facebook telling me I've been porked or some such... and they imagine we remember that crapola? I stand amazed!

A questionnaire instead of a password? Really? (1)

LostMonk (1839248) | about 7 months ago | (#45876879)

So, instead of a single password I'll need to answer a questionnaire every time I want to login?? And, of course, the company is happy to save me the trouble and storage space and will gladly store all my activities on their servers. No thanks.

Re:A questionnaire instead of a password? Really? (2, Funny)

Anonymous Coward | about 7 months ago | (#45876907)

Boss: I need the data for XY.
You: OK, I'll give it to you. Let me just log in.
Computer: This is the narrative authentication system. What have you been doing most of the time yesterday?
You: Working on the report.
Computer: The answer is wrong. Please try again.
You: Programming.
Computer: The answer is wrong. Please try again.
You: Surfing Slashdot.
Computer: Authentication succeeded.
Boss: You're fired.

SCNR ;-)

Consistency (1)

Nerdfest (867930) | about 7 months ago | (#45876893)

I think the big problem with it is that it would tend to be inconsistent in its complexity and might dip to a very low complexity on occasion making it easy to compromise. The algorithm wouldn't have any real idea of when something was easily guessable. Still, probably better in almost all cases than most people's passwords, but not as good as people who use them well.

Re:Consistency (1)

CastrTroy (595695) | about 7 months ago | (#45877511)

I seriously don't know why most people just don't use a program like PasswordSafe or KeePass and just be done with the whole problem. Just 1 password to remember, and you can have complicated, unique passwords for every single system, and not have to remember any of them. You can also get apps that read the encrypted password files for your phone, and tablet, so you don't really have to worry about being without your passwords. Typing in your master password on your phone can be a little cumbersome, but it's not something you'll have to do every day.

Logging into a pron site account (0)

Anonymous Coward | about 7 months ago | (#45876897)

... would become even more weird

Choose your own adventure authentication scheme (1)

ferrisoxide.com (1935296) | about 7 months ago | (#45876909)

I'd prefer an authentication system that forces you to play a variant of Zork.

Re:Choose your own adventure authentication scheme (0)

Anonymous Coward | about 7 months ago | (#45878633)

Invalid login attempt. Your data has been eaten by a grue.

Questions (1)

fazig (2909523) | about 7 months ago | (#45876931)

Imagine this: Your wife wants to log into her gmail account, you didn't remove your account from the account management, she doesn't notice that she tried to login to your account.
Gmail: What kind of porn were you looking up when you used your gmail account the last time?

Sounds like a plan! (4, Insightful)

RenHoek (101570) | about 7 months ago | (#45876955)

Yes, because a site breach wasn't annoying enough yet when they take all of the passwords. Let's give them more information to do spearphishing with.

Re:Sounds like a plan! (0)

Anonymous Coward | about 7 months ago | (#45877247)

"Hello, you surely remember me from Harvard 1983. I was in your math class. Do you remember the fun we had? I hope you can help me now. I urgently need 1000 dollars, or I'll be in big trouble."

"Wait a moment ... Harvard 1983, you said? Ah, I see, you've hacked my eBay account."

"Why do you think so?"

"Well, if it had been my Amazon account, it would have been MIT 1995. And on Google it's Stanford 1977."

Looks like a great opportunity for criminals... (1)

Keyboard Rage (3448471) | about 7 months ago | (#45876963)

Have these people never heard of microphones?

It also sounds like a really great way to obtain a lot of extremely interesting metadata for nefarious purposes. Personal information that may be also used for things like bank accounts + travel dates? Yay, break in + plundering of all the victim's money!

And then the bank will say "You did this yourself, only you know all this sensitive information. Say bye bye to your money."

Sneakers? (2)

wbr1 (2538558) | about 7 months ago | (#45877015)

Hi, my name is Werner Brandes. My voice is my passport. Verify Me. My wife's birthday is 8/1/67, and I like puppy posts on Facebook.

Re:Sneakers? (0)

Anonymous Coward | about 7 months ago | (#45877111)

Picard-Epsilon-7-9-3

Re:Sneakers? (1)

Joe_Dragon (2206452) | about 7 months ago | (#45877587)

please speak more slowly

Re:Sneakers? (1)

Vitriol+Angst (458300) | about 7 months ago | (#45880297)

It's way more exacting in detecting patterns;
"Candy Crush, twitter feed, Facebook, Pr0n, CHECKS EMAIL, Candy Crush, twitter feed, Facebook, Pr0n, ..."

NEW SECURITY SYSTEM:
"Yup, that's user 210072B all right!"

Lots of code in the heuristics to add the "Yup" on that challenge response.

Re:Sneakers? (0)

Anonymous Coward | about 7 months ago | (#45880339)

Sneakers predates Facebook by over a decade. Hell, it predates the Web by a couple of years. For that matter, "voiceprint identification" was used in the movie 2001: A Space Odyssey which was released in 1968.

Simple (2)

The Cat (19816) | about 7 months ago | (#45877021)

There's nothing wrong with passwords. Use a good password and everything will be fine.

Can we start working on something important for a change instead of obsessively re-inventing the wheel?

Re:Simple (1)

MitchDev (2526834) | about 7 months ago | (#45877231)

But then how would eggheads steal, I mean waste, I mean get more money?

Let's see... (2)

Anonymous Coward | about 7 months ago | (#45877047)

A system that's inconvenient when it works, is insecure, and increases the chance of you getting locked out of your own account.

I really can't see a use case for this.

Tell my NSA tapped cell phone ALL my secrets (0)

Anonymous Coward | about 7 months ago | (#45877157)

Can't lose!

Last activity? (1)

hcs_$reboot (1536101) | about 7 months ago | (#45877175)

The main idea is to log a user's activities on the system and then ask questions about them when they login next time

it'll be interesting when the system asks "what was that porn site you visited a lot last time?"

I'm beginning to think that (2)

LookIntoTheFuture (3480731) | about 7 months ago | (#45877179)

giving up privacy is the solution to everything! What could possibly go wrong?!

Re:I'm beginning to think that (1)

LookIntoTheFuture (3480731) | about 7 months ago | (#45877505)

The guy with herpes forgot his password. Log him in!

Blizzard solved this ages ago! (1)

hoborg1 (1977356) | about 7 months ago | (#45877187)

Why doesn't every website just let me use my Blizzard authenticator?! Problem solved!

Re:Blizzard solved this ages ago! (0)

Anonymous Coward | about 7 months ago | (#45877205)

Why doesn't every website just recognize I'm me? Problem solved!

It's all spin! (0)

Anonymous Coward | about 7 months ago | (#45877197)

So now "they" are trying to spin tracking online activities as a "security feature"?

Come the revolution....

WHAT is your favorite color? (0)

Anonymous Coward | about 7 months ago | (#45877215)

Blue... I mean red... AHHHHHHHHH

Kindly accept this here blood sample (1)

Tristao (2562287) | about 7 months ago | (#45877277)

After all, They (tm) wouldn't really get a complete view without getting our DNA as well.
Let me just check here real quick what They (tm) have been known to ask for a simple login:
Name - check
Favourite food / first pet /mother's maiden head (or name) - check
Fingerprints - check and IOScheck
All kinds of other details rendered irrelevant after having our name - check
What we've been up to - check
Rectal probe with RFID - check (wait, I think I dreamt that one, better patent it)
Complete DNA profile - to-do

novel authentication (0)

Anonymous Coward | about 7 months ago | (#45877411)

This particular one isn't so clever, but there are a lot of interesting schemes that rely on keeping track of how you type or use the mouse, or what length words and sentences you use, etc.

None of them are super accurate for the general population, but for some subset they're very, very good, and the subset changes depending on what the mechanism is. That is, some people have very unique writing styles, others have unique keystroke timing. So a combination of these techniques might be very powerful.

The comments in this thread all fall into the "we can only use *one true best method*" fallacy. That may be what you're forced to do if you're implementing it in little pieces of metal (key/lock) or on an Intel 4004 or using TTL MSI parts, but with modern computational horsepower and good analysis, using multiple modalities is an appropriate and wise thing to do.

Laugh (1)

koan (80826) | about 7 months ago | (#45877423)

"The main idea behind the system is to log a user's activities on the system or any other device that he/she may be using and then ask questions about them when they login next time."

Cloud security?
I think I'll stick with pass phrases.

Do you really want this? (2)

stinkydog (191778) | about 7 months ago | (#45877455)

Computer: Last time you were on, you watched a video. In that video a _____ was having sex with a ____. Respond?

End of Line

Re:Do you really want this? (0)

Anonymous Coward | about 7 months ago | (#45879651)

In that video a _____ was having sex with a ____.

What is this "having sex" thing of which you speak. Please tell me more. I am interested in investing in your project.

Can you say, "I want a GRANT"? WORTHLESS SHIT (0)

Anonymous Coward | about 7 months ago | (#45877533)

So, how many of you want all of this personal information in a system that will be hacked and stolen? 100% guarantee that hackers would target this information and then you are REALLY screwed if you're dumb enough to use real anniversary dates, birthdates, etc.

And what is the system going to ask you, "What were you last running on your machine before you shutdown?" Don't remember, Oh shit. That wasn't me but my wife that was logged on.

Just plain stupid and someone looking to get money from fools.

Prior Art (2)

joshuao3 (776721) | about 7 months ago | (#45877603)

Narrative authentication has been used by the military for years to authenticate the identity of soldiers found in the battlefield who are able to communicate but don't have any form of identification.

foiled.... (1)

smash (1351) | about 7 months ago | (#45877679)

... by twitter, facebook, etc.

Really, Again?????? (1)

Otaku-GenX (3414253) | about 7 months ago | (#45877689)

And how many times have we heard "an end to passwords". UGH. Please stop blaring that unless you have it up and running in real life on many different environments.

Actually, this could be useful (1)

davide marney (231845) | about 7 months ago | (#45877859)

As a basis for the knowledge factor component ("something only the user knows") of a multi-factor authentication scheme, this could be very useful, indeed, because it changes every time the user does something. Other forms of knowledge factors such as passwords are vulnerable to spying or code-breaking. The benefit here is it could seriously raise the bar for spoofing the user, since now the attacker would need access to the entire log of activity rather than just a single knowledge factor, and be able to infer the answer to a question rather than just crack an encryption scheme.

Of course, details matter, but I suspect there is a lot of value here. You want to try and eliminate entire categories of attack vectors, and this sounds pretty interesting in that regard.

Seriously Stupid (1)

wcrowe (94389) | about 7 months ago | (#45877929)

Nobody is going to want to go through an interrogation every time they log in.

dates (0)

Anonymous Coward | about 7 months ago | (#45878313)

Like I can remember my anniversary? A pharmacist used my son's birthday as a check before handing me a prescription (one dose antibiotic... whew). She finally said "is it ...". Yes, yes it is.

User activities (2)

PPH (736903) | about 7 months ago | (#45878319)

Computer: "What did you do the last time you logged on?"
Me: "Surfed for porn and posted snotty comments on Slashdot."

Who woulda' guessed that?

Re:User activities (1)

Vitriol+Angst (458300) | about 7 months ago | (#45880309)

That means only 20 million people could potentially log in as you or me.

A co-author's thoughts (5, Informative)

soma (20246) | about 7 months ago | (#45878651)

Hello. I'm one of the co-authors of the workshop paper that inspired this article. I say "inspired" because the article is completely misleading.

First off, the paper was a position paper. It was primarily speculation about how we could do authentication in the future. The idea behind it was that humans are bad at remembering very specific facts but are very good at remembering stories - narratives. What would it mean to authenticate using stories? Think about how you'd verify the identity of a friend communicating via text message from an unknown phone number or account. Make a computer do that.

And yes, fully developed such a system would be AI-complete. But I think there are lesser incarnations that might be usable and secure. But that is just educated speculation on my part.

Now the paper did present a simple example of how you could do something kinda-narrative-like using text adventures (yes, think Zork). Such a system isn't discussed in more detail because there are many usability challenges. But it can be done. Carson Brown got his Master's thesis [carleton.ca] in fact by building such a system. (Yes, I was his advisor.)

If anyone wants to build a PAM module based on Inform 7 [inform7.com] drop me a line. Could be fun! But it won't be practical.

If you want to learn more, the paper is "Towards narrative authentication, or, against boring authentication." [nspw.org] . The workshop in question is the New Security Paradigms Workshop [nspw.org] .

And in case you were wondering, none of us are doing any follow-up work on this right now. But I'm always open to collaboration opportunities. :-)

--Anil Somayaji

I have terrible experiences with this (2)

remoteshell (1299843) | about 7 months ago | (#45878897)

I was in a national disaster, and FEMA required this type of narrative 20 questions system with data that was culled from public records. Since I have a common name, and have moved several times, I was never able to disambiguate myself from others with my name. I ended up having to correspond with FEMA via US Mail, which seems more secure and accurate. I can only speculate on the authentication problems that this methodology is causing in the healthcare.gov site. The term 'doomed to failure' immediately comes to mind.

in the words of J. Jonah Jameson... (0)

Anonymous Coward | about 7 months ago | (#45879675)

crap, crap, mega-crap

This is a horrible idea. (1)

Arancaytar (966377) | about 7 months ago | (#45879841)

The NSA monitors everything everybody ever does. They would know the answer to every single one of those questions, and they could use them to break into your accounts and read all your emai----

oh wait.
