Endpoint
11/3/2010 10:20 PM

Images Could Change The Authentication Picture

New technologies leveraging brain's ability to recognize, remember images could propel image-based authentication commercially

Memories of images stick with people far longer than words. So why is it that the security world is still so set on relying on the recall of traditional text-based passwords when pictures could be more effective?

It's a question of execution, scalability, and fear of change, some experts say. But as the traditional username and password legacy grows outmoded, a new set of innovators hope to address these issues and leverage the human brain's capacity for image recall to refashion the authentication space. The idea is to bring a new category of image-based solutions that can be used either as one-time password options or eventually to replace text login credentials altogether.

The studies in favor of image-based memory recall and its applications for authentication have actually been adding up for some years now. For example, back in 2003 one study found that when researchers asked users to establish both image-based passwords and text passwords, 100 percent of the users were able to correctly authenticate their image passwords within three tries after 16 weeks of account inactivity, while only 40 percent could do the same for text passwords.

"There are a number of different reasons for that, and you can kind of intuitively understand why that is from a developmental or evolutionary perspective," says Roman Yudkin, CTO of Confident Technologies, a San Diego-based authentication upstart. "The visual cortex in people develops before the auditory cortex does. If you think about evolution, we had to be able to recognize threatening animals or events around them and recognize them quickly." But even with the research showing how that vestige of survival instinct affects the way our memory holds onto images, security researchers up until this point have failed to really find a commercially viable way to take advantage of this tendency to improve authentication practices.

Sure, there is CAPTCHA, which proves to a machine that the user is human by having them read a text code out of an image. And there are also solutions geared toward anti-phishing, such as the type Bank of America uses: it shows the user an image chosen during registration, giving them peace of mind that they're entering their username and password into a legitimate site. But authentication of the users themselves through images has remained purely experimental, coming out of research universities somewhat unpolished and often counterintuitive to use.

"What has seemed to happen is that there have been a number of different attempts to implement graphical passwords, but these laboratory-based or university-based attempts were never really commercialized because you can usually find issues with their schemes in that they aren't really based on our ability to recognize or remember images," Yudkin says. "There are a number of different radical authentication schemes where you are asked, for example, to connect the dots or identify parts in an image that would represent your password. Or you're presented with an image of a city or a building, and you must click in a number of locations in a picture that you're asked to recall later in the same sequence."

Another example, says Michalis Faloutsos, professor of computer sciences and a security researcher at the University of California Riverside, are forms of authentication that have users contextualizing a picture they're given to enter in an appropriate code.

"One thing I've seen in the past is a system that will give you a picture and have you describe it, or find where James Bond is sitting in the picture, or to see the hero of a movie and enter in the name of that movie," Faloutsos says. "But this kind of picture-based system becomes very tricky because there has to be a human constructing a clever question or mechanism to analyze it." Yudkin and his firm hope to change that. Just coming out of stealth mode, Confident Technologies leverages that innate human affinity for remembering images. "Our approach is probably the first approach that combines both recognition and recall," he says, explaining that the company has spent the past months refining a portfolio of patents it acquired from now-defunct password management company Vidoob to create a software-as-a-service solution that would work for both enterprise and SMB applications.

The solution is relatively simple, requiring users during registration to set up a normal set of login credentials and then select several concrete categories of images, such as dogs, flowers, or boats, upon which their future logins will rest. Then in the future, they're presented with a randomly generated grid of images that is fueled by a database of tens of thousands of images. Each image of the grid is overlaid with a letter or number. The user picks out the images that fit in their categories and uses the overlaid character associated with each to build a one-time passcode.
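To make the login flow in the paragraph above concrete, here is a small added model of the grid-based one-time passcode. It is written for this page and is not Confident Technologies' code; it assumes details the article does not give (a constructed six-category image database, one image from each enrolled category per grid, distinct overlay characters, and a passcode read off in grid order). It also goes slightly beyond the text by retiring each grid after a single attempt and by computing the per-grid blind-guess space, two properties a deployer would want to check before relying on the scheme as a second factor.

```python
import hmac
import secrets
from dataclasses import dataclass
from math import comb

# Constructed sample image database (image id -> category). A real deployment,
# as the article notes, draws from tens of thousands of images.
IMAGE_DB = {
    "dog_01": "dog", "dog_02": "dog", "dog_03": "dog",
    "flower_01": "flower", "flower_02": "flower", "flower_03": "flower",
    "boat_01": "boat", "boat_02": "boat", "boat_03": "boat",
    "car_01": "car", "car_02": "car", "car_03": "car",
    "cat_01": "cat", "cat_02": "cat", "cat_03": "cat",
    "tree_01": "tree", "tree_02": "tree", "tree_03": "tree",
}
# Overlay alphabet without look-alike glyphs (0/O, 1/I/L) to cut mistyped codes.
OVERLAY_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


@dataclass
class Challenge:
    """One login grid: (image_id, overlay_char) cells in display order plus the
    server-side expected code. `used` enforces one-time acceptance."""
    cells: list
    expected: str
    used: bool = False


def build_challenge(user_categories, grid_size=9, rng=None):
    """Generate a fresh grid for a user enrolled in `user_categories`.

    Assumption of this model: each grid holds exactly one image from each of the
    user's categories; the other cells are filler images from other categories.
    The client receives only `cells`; `expected` never leaves the server.
    """
    rng = rng or secrets.SystemRandom()
    wanted = set(user_categories)
    unknown = wanted - set(IMAGE_DB.values())
    if unknown:
        raise ValueError(f"no images for categories: {sorted(unknown)}")
    if not 0 < len(wanted) < grid_size <= len(OVERLAY_ALPHABET):
        raise ValueError("grid must hold every category plus at least one filler")

    chosen = [rng.choice([i for i, c in IMAGE_DB.items() if c == cat])
              for cat in sorted(wanted)]
    fillers = [i for i, c in IMAGE_DB.items() if c not in wanted]
    if len(fillers) < grid_size - len(chosen):
        raise ValueError("image database too small for this grid size")
    chosen += rng.sample(fillers, grid_size - len(chosen))
    rng.shuffle(chosen)

    # Distinct overlay characters, so each set of cells yields exactly one code.
    overlays = rng.sample(OVERLAY_ALPHABET, grid_size)
    cells = list(zip(chosen, overlays))
    expected = "".join(ch for img, ch in cells if IMAGE_DB[img] in wanted)
    return Challenge(cells=cells, expected=expected)


def verify(challenge, submitted):
    """Accept a submitted code at most once per grid.

    A wrong answer also retires the grid: the next attempt gets a fresh grid with
    new overlays, so nobody can iterate guesses against a single layout.
    """
    if challenge.used:
        return False
    challenge.used = True
    return hmac.compare_digest(submitted.strip().upper(), challenge.expected)


def blind_guess_probability(grid_size, num_categories):
    """Chance that one blind guess matches the code for a single grid.

    With distinct overlays and grid-order reading, valid codes correspond to
    choices of `num_categories` cells out of `grid_size`, so the per-grid space
    is C(grid_size, num_categories). This is why the scheme belongs alongside
    other controls (fresh grid per attempt, attempt limits) rather than alone.
    """
    return 1 / comb(grid_size, num_categories)


def render(challenge, columns=3):
    """Text rendering of a grid as the user would see it. Note: real image
    identifiers must not reveal the category; these ids do only for readability."""
    rows = []
    for r in range(0, len(challenge.cells), columns):
        rows.append("  ".join(f"[{ch}] {img:10}"
                              for img, ch in challenge.cells[r:r + columns]))
    return "\n".join(rows)


if __name__ == "__main__":
    grid = build_challenge(["dog", "flower", "boat"])
    print(render(grid))
    print("server expects:", grid.expected)
    print("verified:", verify(grid, grid.expected))
    print("replay accepted:", verify(grid, grid.expected))
    print("blind guess chance per grid:", blind_guess_probability(9, 3))
```

Two design points worth noting: the overlay characters are re-drawn for every grid, so a code observed over someone's shoulder is useless on the next login, and the server stores only category names per user, never the images or codes themselves.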

Faloutsos, who also owns a Web security business called StoptheHacker.com, says he'd be happy to see his bank using a solution such as this, not to mention all the other types of Web-based businesses that need to offer secure logins.

"With our experience as a company lately, we've been looking at the security of websites. We've identified time after time that people do not select good passwords, and we've identified companies who don't enforce good policies in maintaining passwords," he says. "I wouldn't be surprised if down the road anybody would put in these kinds of controls because I see an added layer of security without taking away anything. On the contrary, I think it makes it easier to remember your password."

Confident Technologies is, in fact, already working with one large bank on a way to augment the log-in process during risk escalation in lieu of challenge questions, which are growing ever weaker because the information those questions ask for can so easily be found online, on someone's Facebook page or through a Google search. The firm is developing options to offer future clients out-of-band authentication as well.

But the end goal could be something even more sweeping if Confident has its way. Yudkin and his cohorts, many of whom used to work together at Internet security juggernaut Websense, see this as a way to improve all Web-based authentication and potentially replace traditional text-based passwords altogether. It's just a matter of taking one step at a time, he says.

"While ultimately that may be the goal to replace alphanumeric passwords with an image-based password, one needs to consider the natural tendency of people to adapt to new technology fairly slowly," he says. "If we introduce it into an authentication but not necessarily head-first, say by substituting for challenge questions, that's a much easier shift. It gets people used to it, helps them understand it's secure, and it's easier to use without the need for so many resets. So the way the technology is introduced into the marketplace plays a key role in the discussion."
