{"628444":{"#nid":"628444","#data":{"type":"news","title":"Keep Forgetting Your Password? Try This Novel Virtual Authentication Technique","body":[{"value":"\u003Ch3\u003E\u003Cem\u003EFirst-person Virtual Maze Offers More Memorable, Harder-to-Break Passwords for Infrequent Authentication\u003C\/em\u003E\u003C\/h3\u003E\r\n\r\n\u003Cp\u003EWe\u0026rsquo;ve all been there. For the first time in months, you\u0026rsquo;ve been logged out of your social media account and need to log back in. The problem is it\u0026rsquo;s been so long since your last login that you don\u0026rsquo;t remember your password. You try every combination of baby and pet name, sister\u0026rsquo;s birthday, childhood street address \u0026ndash; nothing works, and now you\u0026rsquo;re locked out.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EIf only there was a better way to remember these passwords after extended periods of disuse.\u003C\/p\u003E\r\n\r\n\u003Cp\u003ELuckily, researchers at \u003Ca href=\u0022http:\/\/gatech.edu\u0022 target=\u0022_blank\u0022\u003EGeorgia Tech\u003C\/a\u003E have come up with a novel solution to this longstanding problem, applying an old memory technique to new technology to offer users a more effective authentication method. Known as \u0026lsquo;the Memory Palace,\u0026rsquo; the new tool is a three-dimensional virtual labyrinth navigated in the first-person perspective.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EIn cases of infrequent authentication, the Memory Palace works in place of an account\u0026rsquo;s password. Users create their own personal path with multiple left or right turns through a maze that must then be recreated to log in to their account. If the user makes it through the maze, similar to the one found in the old Windows three-dimensional labyrinth screensaver, they gain access.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EStudies evaluating the technique showed that visual-spatial secrets were most memorable if navigated in the three-dimensional first-person perspective. 
They also showed that, in comparison to Android\u0026rsquo;s 9-dot pattern lock, the Memory Palace was significantly more memorable after one week, was harder to break through shoulder surfing (capturing passwords by looking over someone\u0026rsquo;s shoulders), and was not significantly slower to enter.\u003C\/p\u003E\r\n\r\n\u003Ch3\u003E\u003Cstrong\u003E\u003Ca href=\u0022https:\/\/www.youtube.com\/watch?v=I02XDR7Mg0\u0022\u003EVIDEO: Explore \u0026#39;The Memory Palace\u0026#39;\u003C\/a\u003E\u003C\/strong\u003E\u003C\/h3\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Humans have evolved with remarkably persistent and fast-imprinting spatial memories, owing in no small part to our nomadic history,\u0026rdquo; said \u003Ca href=\u0022http:\/\/ic.gatech.edu\u0022 target=\u0022_blank\u0022\u003ESchool of Interactive Computing\u003C\/a\u003E Assistant Professor \u003Cstrong\u003ESauvik Das\u003C\/strong\u003E, the lead researcher on the project. \u0026ldquo;Many people can, for example, clearly visualize and mentally walk through their childhood homes, even if they haven\u0026rsquo;t stepped foot in it for decades. They may only need to be shown once or twice how to drive to a new part of a familiar city.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Our key insight was simple: Why not co-opt this incredibly strong spatial memory system for infrequent authentication?\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThis visual-spatial authentication is based upon an old memory technique of the same name, also called the \u0026ldquo;method of loci.\u0026rdquo; That approach pairs visualizations with spatial memory, familiar information about one\u0026rsquo;s environment, to recall information quickly and efficiently. World Memory champions have applied this technique in competition for years, associating vivid images along a specific path with digits, letters, or playing cards they are required to memorize. 
In fact, the technique dates all the way back to ancient Greeks and Romans.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EWhen developing their program, researchers focused on a few keys to their method. In addition to security against common attacks like random guessing or shoulder surfing, they needed the authentication secret to be memorable without much practice or reinforcement and they needed it to be deployable to the public.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Users are unlikely to accept a solution that requires significant upfront training or effort,\u0026rdquo; said Das, an expert in a field dubbed social cybersecurity that examines social norms that impact the adoption or rejection of security techniques. \u0026ldquo;Also, the solution should be cost-effective and not require specialized hardware. Many authentication solutions have been proposed, but most fail to be widely adopted for these reasons.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EExisting solutions fall short in these requirements. Biometrics, like a thumb print or facial recognition, require specialized hardware that can be expensive for infrequent use cases. PINs and graphical passwords have problems in long-term memorability without frequent reinforcement, or are otherwise vulnerable to shoulder surfing.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;The Memory Palace addresses each of these concerns with a proven memory technique that can hold up over time but is not easily stolen,\u0026rdquo; Das said.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EDas provided a handful of potential instances of infrequent authentication. Perhaps a session persists for a long period of time, like social media accounts, or a user must log in on a different device than normal, like a Netflix account on a web browser versus a smart TV. 
Other situations include occasionally-accessed resources, like a conference room secured with a smart lock, or as a fallback authentication method where a secondary secret is needed to recover access to an account where the primary secret has been compromised.\u003C\/p\u003E\r\n\r\n\u003Cp\u003ETo deploy to the public, an app could implement the Memory Palace as a means of authenticating users. Alternatively, an operating system like Android could implement it as a means of authenticating into a device and automatically handle authenticating into any existing apps on the device.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThis work was presented in a paper, titled \u003Cem\u003ET\u003Ca href=\u0022https:\/\/sauvikdas.com\/uploads\/paper\/pdf\/22\/file.pdf\u0022 target=\u0022_blank\u0022\u003Ehe Memory Palace: Exploring Visual-Spatial Paths for Strong, Memorable, Infrequent Authentication\u003C\/a\u003E\u003C\/em\u003E (Sauvik Das, David Lu, Taehoon Lee, Joanne Lo, Jason I. Hong), at the \u003Ca href=\u0022https:\/\/uist.acm.org\/uist2019\/\u0022 target=\u0022_blank\u0022\u003EACM Symposium on User Interface Software and Technology\u003C\/a\u003E (UIST 2019), which was held\u0026nbsp;Oct. 
20-23 in New Orleans.\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"This first-person virtual maze offers more memorable, harder-to-break passwords for infrequent authentication."}],"uid":"33939","created_gmt":"2019-10-31 18:40:16","changed_gmt":"2019-10-31 18:40:16","author":"David Mitchell","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2019-10-31T00:00:00-04:00","iso_date":"2019-10-31T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"628443":{"id":"628443","type":"image","title":"The Memory Palace","body":null,"created":"1572547175","gmt_created":"2019-10-31 18:39:35","changed":"1572547175","gmt_changed":"2019-10-31 18:39:35","alt":"The Memory Palace - A person navigates a virtual maze on a smartphone","file":{"fid":"239338","name":"Screen Shot 2019-10-31 at 2.38.07 PM.png","image_path":"\/sites\/default\/files\/images\/Screen%20Shot%202019-10-31%20at%202.38.07%20PM.png","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/Screen%20Shot%202019-10-31%20at%202.38.07%20PM.png","mime":"image\/png","size":434428,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/Screen%20Shot%202019-10-31%20at%202.38.07%20PM.png?itok=c5cuJDvG"}}},"media_ids":["628443"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"1299","name":"GVU Center"},{"id":"431631","name":"OMS"},{"id":"50876","name":"School of Interactive Computing"}],"categories":[],"keywords":[{"id":"182941","name":"cc-research; ic-cybersecurity; ic-hcc"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"},{"id":"39501","name":"People and Technology"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EDavid 
Mitchell\u003C\/p\u003E\r\n\r\n\u003Cp\u003ECommunications Officer\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Ca href=\u0022mailto:david.mitchell@cc.gatech.edu\u0022\u003Edavid.mitchell@cc.gatech.edu\u003C\/a\u003E\u003C\/p\u003E\r\n","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}