Who was the first person to text you this morning? What song did you listen to during dinner last night? Which of the following news sites did you not browse this morning? These types of questions could act as superior forms of user authentication to the traditional passwords people use today when they log in to apps and websites, according to five researchers.
In a paper titled “ActivPass: Your Daily Activity is Your Password,” a group of researchers at universities in Texas, Illinois, and India lay out a novel approach to improving the security of logins. The main idea of ActivPass is to observe a user’s recent Facebook, browser, phone, and SMS activity and ask questions based on it, questions that, ideally, only the user could answer. For example, “From whom did you get your first call this morning?” could be posed to a user when they try logging in to a website.
The ActivPass project aims to address areas where traditional passwords are failing, including the growing burden on users to remember ever more passwords (or their tendency to ease that burden by choosing common passwords, which weakens security), the sharing of passwords for cloud-based services like Netflix, and the growing risk of passwords being stolen.
Users would be able to configure how many questions must be answered correctly for a successful authentication, whether multiple-choice questions may be asked, and which activity logs the system is permitted to read.
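To make the mechanism concrete, here is an added Python sketch (not the researchers' ActivPass code) that derives challenge questions from a constructed activity log, draws multiple-choice distractors from the user's longer history so the correct option is not obvious, includes a negative question of the "which site did you NOT browse" form, and enforces the configurable number of correct answers; the log, history, time windows and question wording are all assumptions.

```python
import random
from collections import namedtuple
# Constructed one-day activity log, (kind, value, hour_of_day); not real data.
ACTIVITY_LOG = [("sms", "Bob", 7), ("call", "Alice", 8), ("site", "news.example", 8),
                ("site", "weather.example", 9), ("call", "Carol", 11),
                ("song", "Blue Monday", 19), ("song", "So What", 22)]
# Constructed longer-term history; distractors are drawn from it so that a
# multiple-choice question does not give away which option is today's.
HISTORY = {"call": {"Alice", "Carol", "Dave", "Eve"}, "sms": {"Bob", "Frank", "Alice", "Grace"},
           "song": {"Blue Monday", "So What", "Hey Jude", "Clocks"},
           "site": {"news.example", "weather.example", "sports.example", "shop.example"}}
Challenge = namedtuple("Challenge", "prompt answer choices")  # choices is None for free text

def _first(kind, log, lo, hi):
    # Earliest entry of `kind` with hour in [lo, hi), or None if there is none.
    hits = sorted((e for e in log if e[0] == kind and lo <= e[2] < hi), key=lambda e: e[2])
    return hits[0][1] if hits else None

def build_challenges(log, history, multiple_choice, seed=0):
    # Derive ActivPass-style questions from the day's log (seeded so runs are reproducible).
    rng = random.Random(seed)
    specs = [("Who called you first this morning?", "call", _first("call", log, 5, 12)),
             ("Who texted you first this morning?", "sms", _first("sms", log, 5, 12)),
             ("What song did you play during dinner?", "song", _first("song", log, 18, 21))]
    out = []
    for prompt, kind, answer in specs:
        if answer is None:  # no such activity today: skip rather than ask an unanswerable question
            continue
        choices = None
        if multiple_choice:
            pool = sorted(history[kind] - {answer})
            choices = rng.sample(pool, min(3, len(pool))) + [answer]
            rng.shuffle(choices)
        out.append(Challenge(prompt, answer, choices))
    # Negative question: the right answer is a site from history that was NOT browsed today.
    visited = {v for k, v, _ in log if k == "site"}
    unvisited = sorted(history["site"] - visited)
    if multiple_choice and unvisited and visited:
        answer = rng.choice(unvisited)
        choices = sorted(visited)[:3] + [answer]
        rng.shuffle(choices)
        out.append(Challenge("Which of these sites did you NOT browse this morning?", answer, choices))
    return out

def verify(challenges, responses, required):
    # Authenticate only when at least `required` challenges are answered correctly.
    correct = sum(1 for c, r in zip(challenges, responses)
                  if r is not None and r.strip().casefold() == c.answer.casefold())
    return correct >= required
```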
After an experiment involving 70 participants and their smartphone activity logs (tracked with an app), the researchers say their end-to-end ActivPass system was successful (i.e., authenticated legitimate users) 95 percent of the time. However, it was also compromised (i.e., authenticated impostors) 5.5 percent of the time.
“While this level of security is obviously inadequate for serious authentication systems, certain practices such as password sharing can immediately be thwarted from the dynamic nature of passwords,” according to the paper. While someone may be willing to share a password for their Netflix account with a friend, they may not be as willing to share their personal activities.
The researchers are speaking with companies like Yahoo and Intel to gauge how useful this approach to passwords could be for enterprise users and what could be done to make it work, said Romit Roy Choudhury, an associate professor at University of Illinois at Urbana-Champaign and a co-author of the paper, in an interview with MIT Technology Review.