Remembering passwords across various utilities is a challenge that many face. Password-driven entry systems also suffer security breaches. Now, a system developed by a collaboration of researchers provides a welcome relief.
Based on the user’s social activity through the day, the system asks questions to which only the user and the system know the answers, and these replace password-driven access to the utilities. The study, supported by Complex Network Research Group, IIT Kharagpur, also tested this on 70 users and found a good rate of success. Storing and remembering a different password for every application can be difficult; using the same password across utilities simplifies the task but endangers security.
To get around this problem, researchers from IIT Kharagpur, University of Texas, Austin, and University of Illinois, Urbana-Champaign, have developed an end-to-end system, ActivPass, which determines whether the user is granted entry based on the answers to questions posed by the system. For instance, a smartphone may ask its user, “From whom did you receive an SMS this morning?”
The users can set the number of questions they need to be asked. Questions from infrequent activities, being more memorable than the routine ones, were used for this purpose.
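The selection idea described above can be sketched as follows. This is an added illustration, not ActivPass code or the researchers' method: the log format, the rarity threshold `max_count`, the question templates and the all-answers-correct policy are assumptions, and the activity log is constructed sample data.

```python
from collections import Counter

# Constructed sample log: (day, hour, activity, counterpart); day 7 is "today".
LOG = [(d, 8, "sms_from", "Mom") for d in range(1, 8)]
LOG += [(d, 10, "call_to", "Office") for d in range(1, 8)]
LOG += [(3, 15, "sms_from", "Bank"),
        (7, 9, "sms_from", "Ravi"),
        (7, 18, "call_to", "Dentist")]

# Hypothetical question templates, modelled on the SMS question quoted in the article.
TEMPLATES = {
    "sms_from": "From whom did you receive an SMS around {h}:00 today?",
    "call_to": "Whom did you call around {h}:00 today?",
}

def build_challenges(log, today, k, max_count=1):
    """Return up to k (question, answer) pairs drawn from today's infrequent events.

    An event counts as infrequent when its (activity, counterpart) pair occurs
    at most max_count times in the whole log (assumed threshold).
    """
    freq = Counter((act, who) for _, _, act, who in log)
    rare = [e for e in log if e[0] == today and freq[(e[2], e[3])] <= max_count]
    rare.sort(key=lambda e: (freq[(e[2], e[3])], e[1]))  # rarest first, then earliest
    return [(TEMPLATES[act].format(h=hour), who) for _, hour, act, who in rare[:k]]

def authenticate(challenges, answers):
    """Grant entry only if every challenge is answered correctly (assumed policy)."""
    if not challenges or len(answers) != len(challenges):
        return False  # fail closed: nothing to ask, or answers missing
    return all(given.strip().casefold() == expected.casefold()
               for (_, expected), given in zip(challenges, answers))

if __name__ == "__main__":
    for question, _ in build_challenges(LOG, today=7, k=2):
        print(question)
```

The daily SMS from "Mom" and the daily call to "Office" are never asked about, since anyone who knows the user's routine could guess them; on a day with no infrequent events the sketch produces no challenges and `authenticate` refuses entry.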
The same system can also be attached to a PC, either by linking it to a social media account or by having the browser capture several activities that the user does every day.
A majority of the users did not mind the device storing information about their activities as they felt that social media such as Facebook and Twitter and even Gmail do that anyway.
“The greatest challenge was running and testing it and refining it on real people — understanding what features people tend to remember. People can remember very well if a little hint is given and this hint must not make it obvious for others to guess,” says Dr Niloy Ganguly of IIT Kharagpur, an author of the paper on this study, which was published in the conference ACM SIG – Computer-Human Interface, this year. The system achieved a success rate of 95 per cent in authenticating genuine users and was compromised in 5.5 per cent of the cases, in which it authenticated imposters. So, while it is not yet ready to be used commercially, it has proved that it is worth developing further.