|
A recent study found that the widely-used secret questions for web authentication can easily be guessed by both outsiders and those close to the user. The study focused on making secret questions easier to remember for the user and harder to break by others. Our approach is authentication through the use of the user's personal and dynamic Internet activities using a nonintrusive system.
We hypothesize that frequently-changing secret questions will be hard for attackers to guess. We propose three major categories of questions that are based off of user activities: network activities (e.g., browsing history, emails); physical events (e.g., planned meetings, calendar items); conceptual opinions (e.g., opinions as derived from browsing, emails). Our preliminary results are encouraging and show that this new direction is promising. To improve the usability, in particular nonintrusiveness, of such a dynamic secret-question system, we describe concrete stand-alone or client-server architectures and security models for automating our authentication systems, through utilizing existing artificial intelligent techniques. An important application of our automatic authentication system is in host-based bot detection, where a series of questions are used to identify the user from an invisible bot intruder or malicious user.
Presentation 1 (ppt)
Final Presentation (ppt)
|