Forget Passwords: How Playing Games Can Make Computers More Secure

A new security approach would let users input patterns instead of words to verify identity


SECURITY HERO: To test a new computer security concept, researchers devised a computer game requiring players to tap buttons on a keyboard as large black dots descending down their screen cross a horizontal line--very similar in concept to the video game Guitar Hero. Image: Courtesy of Stanford University, Northwestern University and SRI International

It seems like something out of a Robert Ludlum spy novel. Someone tries to coerce you into revealing your computer security passwords. You might be tempted to give in, but it is impossible for you to reveal your authentication credentials. You do not actually know them because they are safely buried deep within your subconscious.

Sounds a bit extreme just to make sure no one can log on to your laptop or smartphone, but a team of researchers from Stanford and Northwestern universities as well as SRI International is nonetheless experimenting at the computer-, cognitive- and neuroscience intersection to combat identity theft and shore up cyber security—by taking advantage of the human brain’s innate abilities to learn and recognize patterns.

The researchers are studying ways to covertly create and store secret data within the brain's corticostriatal memory system, which is responsible for reminding us how to do things. When a person needs to access a computer, network or some other secure system, they would use special authentication software designed to tease out that secret data.

To test this concept, the researchers devised a computer game requiring players to tap buttons on a keyboard as large black dots descending down their screen cross a horizontal line—very similar in concept to the video game Guitar Hero. During an initial training session lasting from 30 minutes to an hour, the dots fall at different speeds and in various locations, forming patterns that repeat until participants become adept at hitting the appropriate buttons at the right time. In effect, users' corticostriatal memory becomes adept at repeating a particular pattern over time, such as dialing a phone number or typing a word on a keyboard without looking at one's fingers.

Brain training
The researchers refer to this as "serial interception sequence learning" training, during which a person unwittingly learns a specific sequence of keystrokes that can later be used to confirm that person's identity. To log on to, for example, a Web site, the user would play the game again; performing the same keystrokes each time that trained pattern of dots appears proves his identity and grants him access.

"While the planted secret can be used for authentication, the participant cannot be coerced into revealing it since he or she has no conscious knowledge of it," the researchers write in a study they presented August 8 at the USENIX Security Symposium in Bellevue, Wash. As currently conceived, the implicit learning approach being studied might protect against someone either forcing or tricking you into revealing a password, says lead author Hristo Bojinov, a Stanford University Ph.D. computer science candidate. Such coercion could take the form of physical or verbal threats demanding your password or other security credentials, or it could be a seemingly legitimate phone call or e-mail designed to coax out this information.

The researchers say they have tested their approach on 370 players so far and continue to add new participants to their study. The test currently requires at least 30 minutes of training to get reliable results. "It is unlikely that training time can be shrunk much because this type of brain memory takes time to get trained," Bojinov says. "It may be possible to reduce the authentication time [that follows training], but it is yet to be seen how much."

Gaming the system
Whether this approach is practical depends upon the system being defended. It is unlikely, for example, that Yahoo or Google would implement this approach to security for their free e-mail services. Would someone want to play a game for several minutes every time they want to log onto their e-mail? A government facility housing nuclear weapons, however, could better justify the time commitment required to log in using the sequence learning method, particularly if users log in once each day and such an approach promises to improve security, says Nicolas Christin, associate director of Carnegie Mellon University's Information Networking Institute.

This implicit learning approach would not necessarily be effective against network hacks. Just as hackers can break into databases where passwords are stored, they could likewise steal information about a user's authentication pattern created during the training process. "Somewhere, the authentication sequence has to be stored so it can be verified, and that may be vulnerable to attack as well," Christin says.
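As an added illustration of the verification step described above and of Christin's storage point (this is an example written for this page, not the researchers' code), the toy model below assumes a six-key layout, an authentication session that interleaves the trained sequence with freshly generated untrained "foil" sequences, and a decision rule based on the player's hit-rate advantage on the trained blocks; the layout, the session structure, the threshold and the simulated player are all assumptions. It also makes the storage consequence concrete: the verifier must keep the secret sequence in a form it can render as falling dots, so unlike a password it cannot be reduced to a one-way hash and needs at-rest protection of its own.

```python
"""Toy model of serial-interception-sequence-learning (SISL) authentication.

Added example, not the researchers' code. Taken from the article: a secret
keystroke sequence is trained by repetition in a falling-dot game, and the
verifier later presents that sequence to confirm the user performs it.
Assumed here: a six-key layout, sessions that mix the trained sequence with
untrained "foil" sequences, and a hit-rate-advantage decision rule.
"""
import random

KEYS = "sdfjkl"  # assumed six-key layout, one key per dot column


def make_secret(length=30, seed=None):
    """Generate a sequence of key indices with no immediate repeats (assumed constraint)."""
    rng = random.Random(seed)
    seq = [rng.randrange(len(KEYS))]
    while len(seq) < length:
        k = rng.randrange(len(KEYS))
        if k != seq[-1]:
            seq.append(k)
    return seq


def build_auth_session(secret, rounds=3, seed=None):
    """Return a list of (label, sequence) blocks: each round shows the trained
    sequence once and two fresh foils, in shuffled order. The verifier knows
    the labels; the player only sees falling dots.

    Storage consequence: `secret` has to be kept in a form the server can
    render, so unlike a password it cannot be stored as a one-way hash and
    the record itself needs at-rest protection.
    """
    rng = random.Random(seed)
    session = []
    for _ in range(rounds):
        foils = []
        while len(foils) < 2:
            foil = make_secret(len(secret), rng.getrandbits(32))
            if foil != list(secret):        # a foil must not equal the secret
                foils.append(("foil", foil))
        blocks = [("trained", list(secret))] + foils
        rng.shuffle(blocks)
        session.extend(blocks)
    return session


def hit_rate(hits):
    return sum(hits) / len(hits) if hits else 0.0


def performance_advantage(session, responses):
    """responses[i] holds one hit/miss boolean per dot of session block i.
    Returns trained hit rate minus foil hit rate, or None if the session
    lacks either block type."""
    trained, foil = [], []
    for (label, seq), hits in zip(session, responses):
        if len(hits) != len(seq):
            raise ValueError("response length must match block length")
        (trained if label == "trained" else foil).extend(bool(h) for h in hits)
    if not trained or not foil:
        return None
    return hit_rate(trained) - hit_rate(foil)


def authenticate(session, responses, threshold=0.10):
    """Accept only if the player is measurably better on the trained blocks.
    The threshold is an assumption; a deployment would calibrate it on
    enrolled users against an untrained population."""
    if len(responses) != len(session):
        return False
    adv = performance_advantage(session, responses)
    return adv is not None and adv >= threshold


def simulate_responses(session, p_trained, p_foil, seed=None):
    """Constructed player model: hits each dot with probability p_trained on
    trained blocks and p_foil on foils (an untrained player has both equal)."""
    rng = random.Random(seed)
    return [[rng.random() < (p_trained if label == "trained" else p_foil)
             for _ in seq] for label, seq in session]


if __name__ == "__main__":
    secret = make_secret(seed=1)
    session = build_auth_session(secret, seed=2)
    trained_user = simulate_responses(session, 0.85, 0.60, seed=3)
    stranger = simulate_responses(session, 0.60, 0.60, seed=4)
    print("trained user accepted:", authenticate(session, trained_user))
    print("untrained player accepted:", authenticate(session, stranger))
```

The decision depends only on the difference between trained and foil performance, which is what makes the scheme resistant to coercion: a person who has never played the training session has nothing to hand over, and a player who is simply good at the game scores equally on every block. The foil blocks are what turn raw hit counts into evidence about the trained sequence, so a session without them (handled here by returning None) cannot authenticate anyone.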

Bojinov responds that the technique he and his colleagues are developing specifically targets the problem of coercion. "Most likely this mechanism will be used in conjunction with others," he says, adding that he and his colleagues are now planning to design a similar game for mobile device security that would create patterns from a broader range of actions, such as rotating or moving the gadget in addition to pressing buttons on the keypad.

Password persistence
Despite years of predictions that passwords would eventually be phased out in favor of more secure approaches to authentication, they persist because "they are, to date, one of the better—or less bad—compromises between security and usability," Christin says. "They are cheap to implement, work pretty much in any situation, and everybody knows and understands them."

Yet as the number of passwords multiplies, the technique becomes less effective because passwords strain the user's ability to remember them all, particularly if managing a plethora of passwords requires a user to request resets to replace those that have been forgotten. Hackers have come to rely on password-reset features to hijack people's e-mail and other online services, locking those users out of their own accounts in the process. Scientific American described this process—which was at the heart of the recent cyber attack against Wired journalist Mat Honan—in a 2008 article written by computer security consultant Herbert Thompson.

Although the approach proposed by Bojinov and his colleagues requires a lot more work to be practical, it represents a welcome shift in how researchers approach security. The method that Bojinov and his colleagues pose turns the problem of usable security technology on its head, Christin says. "We may see more and more research in the space of understanding how certain human aptitudes can be used to improve security," he adds.

The most important thing to take from the research of Bojinov and his colleagues is not whether this particular mechanism is the right one for embedding secrets, "but rather that the researchers are exploring neuro- and cognitive science as a means of engineering computer security interfaces," agrees Stefan Savage, a professor of computer science and engineering at the University of California, San Diego.

"They have found a way to shove a piece of information into your brain without your knowledge and then take it out," Savage says. "They have turned you into a DRAM, only you have no knowledge of what is stored there. This is Jason Bourne stuff."


7 Comments
  1. RickDS 06:50 AM 9/5/12

    Great idea!
  2. sjamar 09:43 AM 9/5/12

    I've long used geometric patterns on keypads and even keyboards as passwords -- until they started making me include caps and numerals as well as lower case letters on the keyboard. I still use geometric patterns on 3x3 keypads as opposed to numerals -- I remember them better.
  3. Lavanya 10:20 AM 9/5/12

    Hyperbole, much?
    I must protest against this statement by Savage: "They have found a way to shove a piece of information into your brain without your knowledge and then take it out," Savage says. "They have turned you into a DRAM, only you have no knowledge of what is stored there. This is Jason Bourne stuff."
    You're NOT turned into DRAM or Jason Bourne, it's the same as learning to ride a bicycle: learning a sequence of actions and implementing them without being able to verbalize those actions. That's basal-ganglia based learning. The same process underlies learning to use a skateboard! In fact, a lot of action sequences that we learn 'consciously' such as driving, become automated using the same brain circuits so that performance becomes far more efficient and frees up the 'conscious workspace' for other stuff. Jason Bourne indeed!
  4. uconnron 12:06 PM 9/5/12

    Whatever happened to biological identifiers like fingerprints and retinal patterns? Someday, a method of quickly identifying our DNA could be used.
  5. JRWermuth 05:21 PM 9/9/12

    Strangely, I have done this since a child. I'm dyslexic and perhaps my brain works better with patterns than numbers or letters.
  6. ADDworks! 04:39 AM 10/17/12

    @uconnron ... "Whatever happened to biological identifiers like fingerprints and retinal patterns? Someday, a method of quickly identifying our DNA could be used."

    Do not underestimate the ruthlessness and resourcefulness of a potential adversary. A fingerprint can be lifted from a sensor and duplicated; voice prints can be duplicated from surreptitious recordings; an adversary with a gun might be able to "convince" you to 'smile for the (retinal) camera' and collecting DNA is relatively easy so it wouldn't be long before some bright spark found a way to spoof it.

    Possibly an EEG might be used as the final answer in a challenge / response system ... I dunno -- not sure if an EEG could be run without the paste. Might be worth looking into, though.

    A user name + pass phrase might tell the computer what pattern of lights to flash on the screen and what response to expect back. If the person was under stress (gun to head), the EEG patterns would not match and access would be denied ... moreover, doors would be locked and security forces would be summoned.
  7. ADDworks! in reply to sjamar 04:35 PM 10/17/12

    I use a pronounceable "non-word" with extended characters (DAS for "pronounceable password) sites) and so on for my "money" logins and a shorter, simpler, password for the "low risk" logins. (for instance, SA got neither the high security login nor the 'important stuff' e-mail address - they don't need it, so they didn't get it) That gave me ONE long-butt (14 chars) password to memorize. It is too long for some sites (shame on them!) so I just shave off the number of characters I need to in order to make the password fit. This results in a distinct password without additional memorization. For that rare login that allows for a pass phrase, well, I standardized on that, too, years ago and use one of three pre-selected phrases. Most sites will allow two failed attempts before a 'do or die' account lock, so limiting myself to no more than three 'secure' passwords and the same number of pass phrases keeps the list short enough to login even if I cannot, for a moment, recall which login I previously used.

    Every year or so, I change at least part of the login pair ... usually the user name, sometimes the password.

    If I was engaged in cloak & dagger stuff or anything else that required a higher than normal level of security, I'd make bigger changes far more often. I -DO- use TOR ... and I'd recommend that each person who read this far do the same. I am also flogging away at GPG for my e-mail. That is hampered by the lack of concern for personal internet security shown by those I correspond with.

    Use a strong username / [password / passphrase] pair for logging in, TOR (or IP2Go) for browsing, GPG for encryption of communications, Truecrypt for encryption of files and whole drives and Duck Duck Go or similar for searching.

    There is no such thing as complete security on the internet ... but you can come gosh-awful close (for free!).

    The only way to preserve your freedom of speech tomorrow is by defending it today.