Internet Authentication Based on Personal History – A Feasibility Test Ann Nosseir, Richard Connor, Mark Dunlop University of Strathclyde Computer and Information Sciences

Goal of the Study Is to assess the feasibility of distinguishing the two groups Person & Impostor

Introduction On the Internet, there is an uneasy tension between the security and usability of authentication mechanisms

How we are authenticated? Authentication Scheme Stajano, three-part classification is "something you know" (e.g. password); "something you hold" (e.g. device holding digital certificate), "who you are" (e.g. biometric assessment) Each of these has well-known problems; passwords are written down, guessable, or forgotten; devices are lost or stolen, and biometric assays alienate users.

Context Human Mobility e.g. internet coffee Authentication Characteristics Mobile Lightweight Low in cost " something you know"

Passwords are not without Human Problems Yan and his colleagues 2004 in Cambridge University Computer Laboratory There are trade offs between good non-guessable passwords and the limitations of the human memory. It is hard for users to remember random passwords, but others are guessable; although passwords provide users with mobility, they can be stolen, guessed, or cracked.

Our Solution Light weight Memorable Mobile Low in cost

Electronic Personal History. 1.The personal history.it is not given. 2.It has a characteristic that it is very large so nobody can remember except the person him self. But what are good authentication questions?

Solutions “ Related Work ” Question Based Facts and Opinion Cognitive Passwords –Question Based Zviran 1990 Challenge Response Questions Cartwright 2004 Recognition-Based, rather than Recall-Based Opinion Image Portfolios Dhamija and Perring 2002 Passfaces Brostoff and Sasse 2000

Question Based-Model

Two Pilot Studies Population in both experiments includes the people who have and use electronic calendar either in palm format or Microsoft format Experiment One a. Sample size (Six calendar data of the staff) b. No. of Questions (5) Randomly selected c. Kind of questions (true/ false)

First Experiment Results Surprising results 1.The person can’t remember his calendar 2.Others scored better that the person him self in a few questions.

Sensitivity and Specificity Not the personIs the person First Test (Sensitivity) (True Positive) Correct answer ‘ Positive’ 0.5 (Specificity) (True Negative) 0.47Wrong answer ‘Negative’ 11

Human Memory Long-term memory is divided into episodic, procedural and semantic memory. In our research, we have focused on the long-term memory and in particular the episodic memory which some researchers define it as autobiographical memory. Baddeley, A. 1997

Parameter ( Human Memory ) Psychology Parameters Recent Repetitive Pleasant Experiments Parameters Easy Difficult

Second Experiment a. Sample size (9 calendar data of the staff) b. No. of Questions (8) c. Kind of questions (6 true/ false) (Recent, Repetitive, Pleasant) & (2 Multiple Choice) for each (Easy and Difficult)

Sensitivity and Specificity Second Test Answer GenuineImpostor Correct0.71 ± Wrong ±0.10 Total11

Sensitivity and Specificity Multiple- Choice Questions Answer GenuineImpostor Correct0.75 ± Wrong ±0.18 Total 11

ROC Curve Q1 Pleasant Easy Q2 Pleasant Difficult Q3 Recent Easy, Q4 Recent Difficult Q5 Repeat EasyQ6 Repeated Difficult, Q7 Multiple-ChoiceQ8 Multiple Choice VariablesAUC Q Q Q31 Q Q50.75 Q Q70.75 Q80.75

Conclusions The pilot study showed feasibility of this novel idea. Surprising results that person can’t remember his calendar The recent, repetitive, pleasant question types are better remembered and these types need further investigations in a bigger experiment. In the reality, information will not be shared usually population is random people which gives the idea more creditability.

Future Work Implementation Model Additional Information

Trusted Third Party (TTP) Mitchell, 2004 summarized authentication stages for SSO or certificate into two major : A.the initial authentication stage B.authentication at instant time stage

TTP

Question Based-Model Question /Answer Authentication Electronic Personal History e.g. pay-pal on e-bay

Future Work

The research can go further and use other electronic data such as data stored on mobile phone (E911) legislation, GPS, PC, government or organizations database and, in the future with the smart environment application, there will a huge amount of stored electronic personal data. This large bulk of information can provide better security and, at the same time, will provide users with mobility because it is memorable. more investigation is required to gain more confidence in the results

Thank you