It's a question of execution, scalability, and fear of change, some experts say. But as the traditional username and password legacy grows outmoded, a new set of innovators hope to address these issues and leverage the human brain's capacity for image recall to refashion the authentication space. The idea is to bring a new category of image-based solutions that can be used either as one-time password options or eventually to replace text login credentials altogether.
The studies in favor of image-based memory recall and its applications for authentication have actually been adding up for some years now. For example, back in 2003 one study found that when researchers asked users to establish both image-based passwords and text passwords, 100 percent of the users were able to correctly authenticate their image passwords within three tries after 16 weeks of account inactivity, while only 40 percent could do the same for text passwords.
"There are a number of different reasons for that, and you can kind of intuitively understand why that is from a developmental or evolutionary perspective," says Roman Yudkin, CTO of Confident Technologies, a San Diego-based authentication upstart. "The visual cortex in people develops before the auditory cortex does. If you think about evolution, we had to be able to recognize threatening animals or events around them and recognize them quickly." But even with the research showing how that vestige of survival instinct affects the way our memory holds onto images, security researchers up until this point have failed to really find a commercially viable way to take advantage of this tendency to improve authentication practices.
Sure, there is CAPTCHA, which proves to a machine that a user is human by having them read a text code out of an image. And there are anti-phishing measures, such as the one Bank of America uses, that show the user an image selected during registration to reassure them that they are entering their username and password into a legitimate site. But authenticating the users themselves through images has remained purely experimental, coming out of research universities somewhat unpolished and often counterintuitive to use.
"What has seemed to happen is that there have been a number of different attempts to implement graphical passwords, but these laboratory-based or university-based attempts were never really commercialized because you can usually find issues with their schemes in that they aren't really based on our ability to recognize or remember images," Yudkin says. "There are a number of different radical authentication schemes where you are asked, for example, to connect the dots or identify parts in an image that would represent your password. Or you're presented with an image of a city or a building, and you must click in a number of locations in a picture that you're asked to recall later in the same sequence."
Another example, says Michalis Faloutsos, professor of computer science and a security researcher at the University of California Riverside, is a form of authentication that asks users to interpret a picture they are shown and enter a corresponding code.
"One thing I've seen in the past is a system that will give you a picture and have you describe it, or find where James Bond is sitting in the picture, or to see the hero of a movie and enter in the name of that movie," Faloutsos says. "But this kind of picture-based system becomes very tricky because there has to be a human constructing a clever question or mechanism to analyze it." Yudkin and his firm hope to change that. Just coming out of stealth mode, Confident Technologies leverages that innate human affinity for remembering images. "Our approach is probably the first approach that combines both recognition and recall," he says, explaining that the company has spent the past months refining a portfolio of patents it acquired from now-defunct password management company Vidoob to create a software-as-a-service solution that would work for both enterprise and SMB applications.
The solution is relatively simple. During registration, users set up a normal set of login credentials and then select several concrete categories of images, such as dogs, flowers, or boats, upon which their future logins will rest. At each later login, they are presented with a randomly generated grid of images drawn from a database of tens of thousands of images. Each image in the grid is overlaid with a letter or number. The user picks out the images that fit their categories and uses the overlaid character on each to build a one-time passcode.
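The grid-and-overlay flow described above, as an added simulation that is not Confident Technologies' code and makes assumptions the article does not state: the grid holds exactly one image from each of the user's categories plus decoys, every cell carries a distinct overlay character, and the passcode is read in the order the categories were registered. `IMAGE_DB` is a constructed stand-in for the product's image database, and the `Challenge`, `build_challenge`, `answer_as_user`, `verify` and `blind_guess_probability` names are this example's own.

```python
import hmac
import random
import secrets
import string
from dataclasses import dataclass
from math import perm

# Constructed sample image database: image id -> category. The real product
# draws on tens of thousands of images; these are placeholders.
IMAGE_DB = {
    "img-dog-01": "dog", "img-dog-02": "dog", "img-dog-03": "dog",
    "img-flower-01": "flower", "img-flower-02": "flower",
    "img-boat-01": "boat", "img-boat-02": "boat",
    "img-car-01": "car", "img-car-02": "car", "img-car-03": "car",
    "img-tree-01": "tree", "img-tree-02": "tree",
    "img-cat-01": "cat", "img-cat-02": "cat",
    "img-plane-01": "plane", "img-plane-02": "plane",
    "img-bird-01": "bird", "img-bird-02": "bird",
}

ALPHABET = string.ascii_uppercase + string.digits  # 36 possible overlay characters


@dataclass
class Challenge:
    grid: list          # [(image_id, overlay_char), ...] exactly as shown to the user
    expected: str       # server-side only; never sent to the client
    used: bool = False  # one-time: consumed by the first verify() call


def build_challenge(user_categories, grid_size=12, seed=None):
    """Assemble one login grid for a user who registered `user_categories`.
    A seed is accepted only so the example is reproducible; production code
    must use the OS CSPRNG path (seed=None)."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    if len(user_categories) > grid_size:
        raise ValueError("grid too small for the number of categories")

    # Assumption: one image per registered category appears in every grid.
    chosen = []
    for cat in user_categories:
        pool = [img for img, c in IMAGE_DB.items() if c == cat]
        if not pool:
            raise ValueError(f"no images for category {cat!r}")
        chosen.append(rng.choice(pool))

    # Fill the remaining cells with decoys from categories the user did not pick.
    decoy_pool = [img for img, c in IMAGE_DB.items() if c not in user_categories]
    n_decoys = grid_size - len(chosen)
    if n_decoys > len(decoy_pool):
        raise ValueError("not enough decoy images for this grid size")
    cells = chosen + rng.sample(decoy_pool, n_decoys)
    rng.shuffle(cells)

    # Distinct overlay characters, so a given set of pictures maps to one code.
    overlays = rng.sample(ALPHABET, grid_size)
    grid = list(zip(cells, overlays))

    # The server derives the expected one-time code from the grid it just built,
    # reading the characters in the user's registration order (assumption).
    by_category = {IMAGE_DB[img]: ch for img, ch in grid if IMAGE_DB[img] in user_categories}
    expected = "".join(by_category[cat] for cat in user_categories)
    return Challenge(grid=grid, expected=expected)


def answer_as_user(challenge, remembered_categories):
    """Simulate the user: look at each image, keep the ones in their categories,
    and read off the overlay characters. The IMAGE_DB lookup stands in for the
    human's visual recognition; nothing else about the server state is used."""
    picked = {}
    for img, ch in challenge.grid:
        cat = IMAGE_DB[img]
        if cat in remembered_categories:
            picked[cat] = ch
    return "".join(picked.get(cat, "?") for cat in remembered_categories)


def verify(challenge, submitted):
    """Single-use, constant-time check. The challenge is consumed on the first
    attempt whether or not it matched, so a code cannot be retried or replayed
    against the same grid; a fresh grid is issued for the next attempt."""
    if challenge.used:
        return False
    challenge.used = True
    return hmac.compare_digest(challenge.expected, submitted.strip().upper())


def blind_guess_probability(grid_size=12, n_categories=3):
    """Chance that one attempt succeeds for someone who sees the grid but does
    not know the categories: they must name the right cells in the right order,
    i.e. one ordered selection out of perm(grid_size, n_categories)."""
    return 1 / perm(grid_size, n_categories)


if __name__ == "__main__":
    cats = ["dog", "flower", "boat"]
    ch = build_challenge(cats, seed=7)
    for img, overlay in ch.grid:
        print(f"[{overlay}] {img}")
    code = answer_as_user(ch, cats)
    print("user enters:", code, "->", verify(ch, code))
    print("replay of the same code:", verify(ch, code))
    print("blind guess per attempt:", blind_guess_probability())
```

The single-use flag and the per-grid guess probability are the two controls a reviewer would look for: because every login draws a new grid and new overlay characters, an observed code is worthless afterwards, and the 1-in-1320 chance of a blind ordered guess on a 12-cell, 3-category grid is only meaningful if the server also limits attempts and issues a fresh grid after each failure.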
Faloutsos, who also owns a Web security business called StoptheHacker.com, says he'd be happy to see his bank using a solution such as this, not to mention all the other types of Web-based businesses that need to offer secure logins.
"With our experience as a company lately, we've been looking at the security of websites. We've identified time after time that people do not select good passwords, and we've identified companies who don't enforce good policies in maintaining passwords," he says. "I wouldn't be surprised if down the road anybody would put in these kinds of controls because I see an added layer of security without taking away anything. On the contrary, I think it makes it easier to remember your password."
Confident Technologies is, in fact, already working with one large bank on a way to augment the log-in process during risk escalation in lieu of challenge questions, which grow weaker as the answers they ask for become easy to find online on someone's Facebook page or through a Google search. The firm is also developing out-of-band authentication options for future clients.
But the end goal could be something even more sweeping if Confident has its way. Yudkin and his cohorts, many of whom used to work together at Internet security juggernaut Websense, see this as a way to improve all Web-based authentication and potentially replace traditional text-based passwords altogether. It's just a matter of taking one step at a time, he says.
"While ultimately that may be the goal to replace alphanumeric passwords with an image-based password, one needs to consider the natural tendency of people to adapt to new technology fairly slowly," he says. "If we introduce it into an authentication but not necessarily head-first, say by substituting for challenge questions, that's a much easier shift. It gets people used to it, helps them understand it's secure, and it's easier to use without the need for so many resets. So the way the technology is introduced into the marketplace plays a key role in the discussion."