Internet authentication based on personal history - a feasibility test

A. Nosseir, R. Connor, M.D. Dunlop, J. Hjelm (Editor), A. Hayrynen (Editor), N. Wei (Editor), R. Jana (Editor)

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Abstract

On the Internet, there is an uneasy tension between the security and usability of authentication mechanisms. An easy three-part classification is: 'something you know' (e.g. password); 'something you hold' (e.g. device holding digital certificate); and 'who you are' (e.g. biometric assessment) [9]. Each of these has well-known problems: passwords are written down, guessable, or forgotten; devices are lost or stolen; and biometric assays alienate users. We have investigated a novel strategy of querying the user based on their personal history (a 'Rip van Winkle' approach). The sum of this information is large and well-known only to the individual. The volume is too large for impostors to learn; our observation is that, in the emerging environment, it is possible to collate and automatically query such information as an authentication test. We report a proof-of-concept study based on the automatic generation of questions from electronic 'calendar' information. While users were, surprisingly, unable to answer randomly generated questions any better than impostors, if questions are categorized according to appropriate psychological parameters then significant results can be obtained. We thus demonstrate the potential viability of this concept.
Language: English
Title of host publication: Proceedings of Customer Focused Mobile Services Workshop at WWW2005
Number of pages: 6
Publication status: Published - 2005

Keywords

  • internet security
  • password
  • human memory
  • user studies
  • security
  • usability
  • identity theft
  • personal electronic data
  • user mobility

Cite this

Nosseir, A., Connor, R., Dunlop, M. D., Hjelm, J. (Ed.), Hayrynen, A. (Ed.), Wei, N. (Ed.), & Jana, R. (Ed.) (2005). Internet authentication based on personal history - a feasibility test. In Proceedings of Customer Focused Mobile Services Workshop at WWW2005
TY - CHAP
T1 - Internet authentication based on personal history - a feasibility test
AU - Nosseir, A.
AU - Connor, R.
AU - Dunlop, M.D.
A2 - Hjelm, J.
A2 - Hayrynen, A.
A2 - Wei, N.
A2 - Jana, R.
PY - 2005
Y1 - 2005
KW - internet security
KW - password
KW - human memory
KW - user studies
KW - security
KW - usability
KW - identity theft
KW - personal electronic data
KW - user mobility
UR - http://www.cis.strath.ac.uk/~mdd/research/publications/05nosseirconnordunlop.pdf
M3 - Chapter
SN - 1-59593-046-9
BT - Proceedings of Customer Focused Mobile Services Workshop at WWW2005
ER -
