Making Authentication Easier and More Secure

One of the fundamental tensions in providing access to any system is finding the right balance of security and accessibility: A system needs to be sufficiently difficult to access in order to restrict access only to authorized users, while at the same time it needs to be easy enough to access so that people will actually be able to get in. The problem is particularly important to solve for those who are focused on transactions or some other revenue-generating activity in a competitive environment—make access too hard and customers will simply go away or to another provider.

There are a number of useful authentication schemes that can help to solve the problem: simple usernames and passwords for basic access where risk is low, two-factor authentication schemes using a physical token or similar device, out-of-band authentication using mobile devices, challenge questions, etc. Risk-based authentication using these and other techniques can also be used to more appropriately balance the risk of the transaction and the potential risk of the user.

Confident Technologies has developed an authentication scheme that studies have shown is actually quite secure despite its seeming simplicity. Instead of users entering passwords, they identify images within categories that they have memorized previously. For example, when setting up access to a system, users will select three categories of images, such as cars, boats and dogs—perhaps things they would see when they walk into their garage. When attempting to authenticate themselves, users will then be presented with a grid of images from which they will select the images that correspond to their predetermined categories. The images will change each time they attempt access, but will always be consistent with their predetermined choices.

Studies have demonstrated that image-based authentication is easier to remember than password-based authentication and is more resistant to brute force attacks and dictionary attacks. In one study, users were asked to set up text-based passwords and image passwords. After 16 weeks, only 40% of users could remember the former, but 100% could remember the latter. When asked to change their passwords and images, 75% could remember their text-based passwords, but all of the subjects could remember the changed images. Moreover, image-based systems like this are also more resistant to keystroke loggers, such as Zeus (which has successfully been used to defeat out-of-band authentication using mobile phones).

Confident will soon be introducing a “kill switch” technology that will make access even more secure. Using this approach, if a user clicks on a predetermined image in, for example, a 3×4 grid of images, he or she will be automatically locked out from access. Using a 3×4 grid of images with the kill switch option, the chances of an unauthorized user correctly guessing the three images required to gain access to a system on the first try are one in 1,760. Assuming this user continues to try to gain access using different images each time, the second attempt will have only a one in 5,187 chance of success and the third try will be successful only once every 30,000 attempts. Security can be further increased by having more images presented to the user or by having the user select four images instead of just three.
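To make the mechanics of the category-based grid and the kill switch concrete, here is a small simulation written for this article. It is not Confident Technologies' code and does not reproduce their parameters or the odds quoted above; it is a simplified model in which the user enrolls three secret categories plus one "kill" category, each login draws a fresh 3×4 grid whose pictures change while the categories stay consistent, and the server checks the clicked cells by category. The image pool, file names, the `MAX_FAILURES` limit and the rule that the kill category is always placed on the grid are all assumptions made for the example.

```python
import random
from dataclasses import dataclass

# Constructed image pool (hypothetical file names, not real assets):
# each category has several interchangeable pictures, so the picture a
# user sees for "dogs" differs between logins while the category does not.
IMAGE_POOL = {
    "cars":   ["car_01.png", "car_02.png", "car_03.png"],
    "boats":  ["boat_01.png", "boat_02.png", "boat_03.png"],
    "dogs":   ["dog_01.png", "dog_02.png", "dog_03.png"],
    "cats":   ["cat_01.png", "cat_02.png"],
    "trees":  ["tree_01.png", "tree_02.png"],
    "planes": ["plane_01.png", "plane_02.png"],
    "bikes":  ["bike_01.png", "bike_02.png"],
    "birds":  ["bird_01.png", "bird_02.png"],
    "houses": ["house_01.png", "house_02.png"],
    "fish":   ["fish_01.png", "fish_02.png"],
    "trains": ["train_01.png", "train_02.png"],
    "horses": ["horse_01.png", "horse_02.png"],
    "clocks": ["clock_01.png", "clock_02.png"],
    "apples": ["apple_01.png", "apple_02.png"],
}
GRID_ROWS, GRID_COLS = 3, 4          # the 3x4 grid discussed in the article
SECRET_SIZE = 3                      # three categories, as in the article
MAX_FAILURES = 3                     # assumed lockout threshold for wrong picks


@dataclass
class Enrollment:
    """Server-side record for one user (a real deployment would protect this)."""
    secret: frozenset      # categories the user memorised
    kill: str              # category whose picture triggers immediate lockout
    failures: int = 0
    locked: bool = False


def enroll(secret_categories, kill_category):
    """Validate and store the user's chosen categories and kill category."""
    secret = frozenset(secret_categories)
    if len(secret) != SECRET_SIZE or not secret <= IMAGE_POOL.keys():
        raise ValueError("exactly %d distinct known categories required" % SECRET_SIZE)
    if kill_category in secret or kill_category not in IMAGE_POOL:
        raise ValueError("kill category must be a known category outside the secret")
    return Enrollment(secret, kill_category)


def make_challenge(enr, rng):
    """Build one login grid: a list of (category, image) cells in display order.

    The grid always contains all secret categories and the kill category; the
    remaining cells are decoy categories. Positions and pictures are
    re-randomised on every call, so a recorded set of click positions or
    image names from one login does not replay on the next.
    """
    cells_needed = GRID_ROWS * GRID_COLS
    decoys = sorted(set(IMAGE_POOL) - enr.secret - {enr.kill})
    categories = sorted(enr.secret) + [enr.kill]
    categories += rng.sample(decoys, cells_needed - len(categories))
    rng.shuffle(categories)
    return [(cat, rng.choice(IMAGE_POOL[cat])) for cat in categories]


def verify(enr, challenge, picks):
    """Check the clicked cell indices; returns "ok", "fail" or "locked"."""
    if enr.locked:
        return "locked"
    chosen = {challenge[i][0] for i in picks}
    if enr.kill in chosen:               # kill switch: one click, immediate lockout
        enr.locked = True
        return "locked"
    if len(picks) == SECRET_SIZE and chosen == enr.secret:
        enr.failures = 0
        return "ok"
    enr.failures += 1                    # wrong categories count toward lockout
    if enr.failures >= MAX_FAILURES:
        enr.locked = True
        return "locked"
    return "fail"


def honest_picks(enr, challenge):
    """What a legitimate user clicks: every cell whose category is a secret one."""
    return [i for i, (cat, _) in enumerate(challenge) if cat in enr.secret]


if __name__ == "__main__":
    user = enroll(["cars", "boats", "dogs"], kill_category="clocks")
    for attempt in range(2):             # two logins: same categories, new pictures
        grid = make_challenge(user, random.Random(attempt))
        print("grid:", [img for _, img in grid])
        print("result:", verify(user, grid, honest_picks(user, grid)))
```

Two properties of the scheme fall out of the code: the server compares categories, not image file names, so the pictures can be rotated freely without re-enrolling the user, and the kill category is a single trap cell that an attacker guessing at random has a real chance of hitting on every attempt, which is what shrinks the odds of a successful guess faster than the grid size alone would.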

This approach can be used as part of a two-factor authentication scheme—for example, after entering a username into a banking Web site and having the image-identification request sent by email or text message to the user—or as a single point of authentication.

Anyone interested in making access more secure and easier for users should take a close look at this approach. You can run a demo of the technology here.