Security questions are created based on personal activity

May 6, 2015 13:41 GMT

A group of researchers from India and the US came up with a system that does not require users to create and remember strong passwords; instead, access to protected assets is granted via dynamic authentication.

Called ActivPass, the system collects daily activity logs from multiple sources and uses them to create a password, which is the answer to a security question.

System relies on infrequent but memorable activities

The information can be gathered from activity on social media websites, call or SMS logs, and web browsing. The idea is to rely on actions that are not frequent or predictable.

One example provided by the researchers was to give the name of the sender of the first SMS received in the morning, which should be memorable and unpredictable in most cases.

The ActivPass experiment was conducted on 70 individuals, and the results showed that 95% of them could answer such questions. In 5.5% of the cases, though, impostors were able to authenticate to a given service.

“While this level of security is obviously inadequate for serious authentication systems, certain practices such as password sharing can immediately be thwarted from the dynamic nature of passwords. With security improvements in the future, activity-based authentication could fill in for the inadequacies in today’s password-based systems,” the researchers say.

Personal details are trawled by a third-party service

According to the details in the research paper (published by the University of Illinois at Urbana–Champaign), ActivPass extracts information from user activity at all times and then organizes the associated metadata.

When the user wants to access a protected asset, several questions are generated in the background. If the user provides the correct answer to a certain number of queries, access is granted.
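A minimal sketch of the flow described above, added here as an illustration and not the researchers' code: it derives "first SMS of the day" questions from constructed metadata, skips senders frequent enough to be guessed, and grants access only at a k-of-n threshold. The log entries, the `max_share` cut-off, the threshold and the per-question guess probability are all assumptions, not values from the paper.

```python
from collections import Counter
from math import comb

# Constructed sample metadata (timestamp and sender only, no message content).
SMS_LOG = [
    ("2015-05-04T08:00", "Bank-Alerts"),
    ("2015-05-04T10:15", "Priya"),
    ("2015-05-05T07:12", "Priya"),
    ("2015-05-05T09:40", "Bank-Alerts"),
    ("2015-05-05T18:03", "Bank-Alerts"),
    ("2015-05-06T06:55", "Arjun"),
    ("2015-05-06T08:20", "Bank-Alerts"),
    ("2015-05-06T12:31", "Meera"),
]

def first_sender_questions(log, max_share=0.4):
    """One question per day (first SMS sender); drop senders that are too frequent."""
    counts = Counter(sender for _, sender in log)
    first = {}
    for ts, sender in sorted(log):  # ISO timestamps sort chronologically
        first.setdefault(ts.split("T")[0], sender)
    return {
        f"Who sent your first SMS on {day}?": sender
        for day, sender in first.items()
        if counts[sender] / len(log) <= max_share  # frequent sender = guessable answer
    }

def authenticate(questions, answers, required):
    """Grant access only if at least `required` answers match (case-insensitive)."""
    if not 1 <= required <= len(questions):
        return False  # fail closed on an empty question set or a bad threshold
    correct = sum(
        answers.get(q, "").strip().lower() == a.lower()
        for q, a in questions.items()
    )
    return correct >= required

def false_accept_rate(n, required, p_guess):
    """P(at least `required` of n independent guesses succeed), each with p_guess."""
    return sum(comb(n, k) * p_guess**k * (1 - p_guess) ** (n - k)
               for k in range(required, n + 1))

if __name__ == "__main__":
    qs = first_sender_questions(SMS_LOG)
    print(qs)
    print(false_accept_rate(3, 2, 0.25), false_accept_rate(3, 3, 0.25))
```

Under the independence assumption, raising the threshold from 2-of-3 to 3-of-3 cuts the modelled false-accept rate tenfold, at the cost of rejecting legitimate users who forget one answer.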

During the experiment, only metadata was collected and all contextual details were skipped, and the questions were in different formats (text-based or multiple-choice). In some cases, hints were provided to help the user out.

Some of the password-related issues identified by the researchers included the difficulty of remembering unique strings for different services, password sharing, and cybercriminals stealing credentials.

While ActivPass may appear to solve all these problems, the fact remains that it collects personal information, which may end up in the hands of a third party.