Narrative-Based Authentication Latest Proposed Alternative to Passwords

Researchers have conceptualized a narrative-based authentication system based on a user’s recent interaction with their computer.

Remember the age of text-based gaming where natural language phrasing would help you maneuver a character through scenes in a virtual world? In a gaming context, that has long been a dinosaur, replaced by intricate and massive online role-playing games. But researchers from Carleton University in Ottawa, Canada, have proposed a way to borrow from those narrative elements to someday build what they hope will be an alternative to passwords.

Their plan is to combine user- and machine-generated narrative, based on the user’s recent activity on a computer, into a dialogue the user interacts with as a continuous authentication mechanism for specialized systems. The researchers’ premise is that users are much more likely to remember a familiar or interesting narrative than a complex password.

“If we’re using systems to figure out who our closest friends are, or to provide us with our favorite restaurants or news updates, why can’t personal items be used for authentication as well,” said Carson Brown, one of the authors, along with Anil Somayaji and David Mould, of a paper entitled “Towards Narrative Authentication; or Against Boring Authentication.” “Allow the system to have a dialogue and prove that you are you and tell it things you know. It’s a shared secret, but still part of your identity.”

Rather than relying on the user or computer to exclusively generate the narrative, the researchers believe this should be a collaborative effort, one that is derived from a user’s recent activity on the computer. For example, it could stem from playing new games, interacting with new applications, or check-ins on social media that could indicate a memorable activity such as a vacation that would spawn a new narrative.

“In practice, the dialog would probably involve highly constrained user choices at every stage, at least initially,” the researchers wrote. “Advances in natural language processing, however, might allow for more flexible collaborative story creation.”

Brown wrote in the paper, presented last September at the New Security Paradigms Workshop, that things humans find boring are not retained, while memories that are interesting stay with us. Passwords, in other words, are easily forgettable, and choosing to authenticate from good stories or pleasant memories keeps the user engaged and, the researchers hope, lessens the risk that attackers can steal credentials the way they can with today’s weak authentication schemes.

“Good stories are almost impossible to forget, and even bad stories can be remembered. …” the researchers wrote. “In fact, people often tell stories to verify each other’s identities by verifying that they both share some common set of stories, often using exchanges that are unintelligible to others who do not know those same stories. Further, those exchanges can be remarkably quick and concise.”

While computers’ understanding of narrative is poor, the researchers postulate that elements of a narrative such as places, objects, settings or characters can be converted via software to a form people would remember and computers could verify. This could take on a challenge-response format.

“The remote server should store a complex narrative structure—a story or a set of stories—that is then used to drive a dialogue with the user,” the researchers wrote. “The system sends challenges to the user that require knowledge of the stories to be successfully responded to but can be responded to using information derived from only a small portion of the narrative structure.”

The research paper provides an example of how narrative-based authentication would work, drawn from a text-based game called Stackers. In the game, the user is asked to stack a number of objects in a particular order to proceed, or in this case, to authenticate themselves. Sizes or colors could be added to the objects to ward off brute-force or even replay attacks, the researchers wrote.
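The challenge-response idea above can be sketched as a small verifier. This is an added example, not code from the paper or from Stackers. It assumes a hypothetical design in which each challenge names a few objects from the stored stack and the user must return them in stack order with their sizes and colors; `StackVerifier`, `guess_space` and the sample story are constructed for illustration.

```python
import hmac
import math
import secrets

# Constructed secret: the user's stack, bottom to top, as (size, color, object).
STORY = [("large", "red", "crate"), ("small", "blue", "barrel"),
         ("large", "green", "anvil"), ("small", "red", "lantern"),
         ("medium", "blue", "kettle")]
_rng = secrets.SystemRandom()

def encode(items):
    return "|".join("/".join(item) for item in items).encode()

class StackVerifier:
    def __init__(self, story, k=3, max_failures=3):
        self.story, self.k, self.max_failures = list(story), k, max_failures
        self.pending = {}   # nonce -> expected answer, removed on first use
        self.failures = 0

    def challenge(self):
        """Name k objects from the story, shuffled; sizes and colors are withheld."""
        if self.failures >= self.max_failures:
            raise PermissionError("too many failed attempts")
        picks = sorted(_rng.sample(range(len(self.story)), self.k))
        nonce = secrets.token_hex(16)
        self.pending[nonce] = [self.story[i] for i in picks]  # stack order
        names = [self.story[i][2] for i in picks]
        _rng.shuffle(names)
        return nonce, names

    def verify(self, nonce, answer):
        """Answer: the named objects, bottom to top, each with its size and color."""
        expected = self.pending.pop(nonce, None)  # a replayed nonce finds nothing
        if expected is None:
            return False
        ok = hmac.compare_digest(encode(answer), encode(expected))
        self.failures = 0 if ok else self.failures + 1
        return ok

def guess_space(k, sizes=1, colors=1):
    """Blind guesses per challenge: k! orderings times (sizes*colors)^k attributes."""
    return math.factorial(k) * (sizes * colors) ** k

if __name__ == "__main__":
    v = StackVerifier(STORY)
    nonce, names = v.challenge()
    answer = [item for item in STORY if item[2] in names]  # what the real user knows
    print(names, v.verify(nonce, answer), v.verify(nonce, answer))
    print(guess_space(3), guess_space(3, sizes=3, colors=3))
```

Each challenge touches only three of the five stored objects, and the single-use nonce means a captured response cannot be submitted a second time. With order alone a blind guess succeeds one time in 6; requiring one of three sizes and three colors per object raises that to one in 4,374.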
