June 6, 2013
Some efforts to replace traditional letter-and-number passwords rely on gestures, wearable devices, or biometrics. An approach in the works from research-and-development company SRI International and Stanford and Northwestern takes a different tack: passwords that you know but don’t know you know.
Patrick Lincoln, director of SRI’s computer science laboratory and a researcher on the project, calls this “rubber-hose resistant authentication” in reference to rubber-hose cryptanalysis, in which a user is coerced or physically forced to give up, say, the passcode to a secure building. Lincoln says the approach relies on implicit learning—the sort of learning that occurs through sheer repetition, such as learning to ride a bike, that the learner can’t verbally explain—to prevent passwords from being compromised.
So far, the project has used a game interface, resembling a rudimentary version of Guitar Hero, that trains the user to enter a unique pattern. Users press a key, corresponding to a column, each time a falling ball hits the bottom of one of the columns, but because the sequence of falling balls changes each time, users can’t consciously determine what is their unique sequence, and what is simply added noise. Later, the user is authenticated by playing the game, which contains parts of the learned pattern, and the user’s superior skill at this task proves his or her identity.