Passwords have been the canonical method of authenticating a user’s identity. They have been immensely successful, offering an effective balance of security and simplicity. Unfortunately, passwords are failing to scale to the changing landscape of computing. For instance: (1) With an exploding number of apps and online services, the burden of remembering site-specific passwords is almost prohibitive. Reusing common passwords across sites alleviates the burden, but at the cost of diminished security. (2) With cloud-based services such as Netflix, users are now able to share passwords with friends — password-based authentication is not fundamentally designed to thwart such behavior. (3) The likelihood of passwords being stolen is increasing alarmingly, particularly with password databases being leaked from large organizations.
This work develops an authentication scheme that is less secure than passwords, but is simpler to use and resistant to sharing. Our core idea is to observe users’ activities from the recent past and extract questions from them that, ideally, only the user can answer and others cannot. Example questions could be “from whom did you get the first call this morning?” or, in a multiple-choice format that does not require much typing, “which news site did you NOT browse this morning: CNN, NYT, Slashdot, Wired”. Given that today’s users perform various activities jointly with their computing devices, we believe that adequate “secrets” can be extracted, enabling this alternative form of authentication.
This work builds on the core idea that outliers in the user’s activities (rare activities) offer opportunities for generating passwords. Intuitively, outlier events are easy to remember and difficult to guess. This intuition is tested and substantiated by this study.
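As an added illustration of this outlier idea (example code written for this page, not ActivPass’s or the paper’s own code), the following Python mines a constructed browsing log for rare activities and turns one into a multiple-choice question whose distractors are the user’s habitual sites, so that an impersonator who only knows the user’s routine is steered wrong. The sample data, function names and the rarity threshold are assumptions.

```python
from collections import Counter

# Constructed sample data (assumed, not from the paper): one user's browsing
# activity on previous days, and the activities observed today.
HISTORY = [
    ["cnn", "nyt", "slashdot"],
    ["cnn", "nyt", "wired"],
    ["cnn", "nyt", "slashdot"],
    ["cnn", "nyt", "wired", "slashdot"],
    ["cnn", "nyt"],
]
TODAY = ["cnn", "arstechnica"]


def day_frequency(history):
    """Number of past days on which each activity occurred at least once."""
    return Counter(a for day in history for a in set(day))


def outlier_activities(today, history, max_days=1):
    """Today's activities seen on at most `max_days` past days: the rare events
    that are memorable for the user yet hard for others to guess."""
    freq = day_frequency(history)
    return sorted(a for a in set(today) if freq[a] <= max_days)


def make_question(today, history, n_choices=4):
    """Build a question whose answer is an outlier activity and whose distractors
    are the user's habitual activities NOT performed today, so that someone who
    merely knows the routine picks a plausible-looking wrong choice."""
    outliers = outlier_activities(today, history)
    if not outliers:
        return None  # nothing rare happened today; pick another day or source
    answer = outliers[0]
    freq = day_frequency(history)
    habitual = [a for a, _ in sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))
                if a not in today]
    distractors = habitual[:n_choices - 1]
    if len(distractors) < n_choices - 1:
        return None  # not enough habitual activities to build convincing distractors
    return {
        "question": "Which of these sites did you browse today?",
        "choices": sorted([answer] + distractors),  # shuffle in a real deployment
        "answer": answer,
    }


def check_answer(question, response):
    """Case- and whitespace-insensitive comparison against the expected answer."""
    return response.strip().lower() == question["answer"]
```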
This study developed ActivPass, a dynamic authentication system that mines the user’s daily activities to extract passwords. While ActivPass may not apply to services that require strict authentication, it is a candidate for alleviating the problem of password sharing. Even though users might share their passwords once, they are generally unwilling to continuously share their daily (atypical) activities with others. This can prevent Bob from perennially reusing Alice’s (Netflix) password just because she shared the password once. Experiments with a large set of university volunteers show promising results, with the system achieving up to 95% success rate. Notably, while being able to distinguish between real and impersonating users, our system was successful in identifying volunteer users and did not penalize them for failing to recall their past activities. In reality, however, a user has a stronger incentive to recall her past in order to answer the password question correctly — in such situations, the performance could improve further.