The Science of Security for Mobile User Authentication

Goal: to solve transformative questions in the security and usability of user authentication

This project pursues a multifaceted research agenda that integrates statistical theory with empirical studies to advance the science of authentication. It is an interdisciplinary project that requires computational knowledge from signal processing and machine learning, information about threats from security engineering, and an understanding of usability from human factors and human-computer interaction.

The project is motivated by the following observations:

  1. People are switching from desktops to smartphones as their main computing and Internet platform
  2. Mobile platforms provide opportunities for ingenious authentication methods
  3. Although the scientific and engineering community is producing many solutions to mobile authentication, the underlying trade-offs and science behind mobile authentication are not well understood

This project will develop a unified approach towards evaluating user authentication systems. It is expected that the findings from this project will also illuminate new methods to improve lightweight, mobile-friendly authentication. This work is funded by an NSF CAREER award titled "CAREER: Science of Security for Mobile User Authentication." This is a 5-year $507,568.00 award.

RESULTS

Why and how do people forget passwords?

There are several theories in psychology on human memory. The ecological theory of memory suggests that long-term memory evolved to help survival by anticipating organismically important events. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often-used, important passwords are less likely to be forgotten. Our results so far support the ecological hypothesis and the suggestion that forgetting is a major limiting factor leading to poor password practices and the compromise of system security. Our model enables system designers and security engineers to predict the probability of password forgetting given a level of system usage, and potentially to impose appropriate memory practice for users to mitigate forgetting.

Figure: examples of forgetting curves. With more practice, people are able to log in to their accounts faster. Please see the publication below for details.

Publications

Xianyi Gao, Yulong Yang, Can Liu, Christos Mitropoulos, Janne Lindqvist, and Antti Oulasvirta. Forgetting of Passwords: Ecological Theory and Data. In Proceedings of the 27th USENIX Security Symposium, August 15-17 2018, Baltimore, MD, USA.

Acknowledgments

This material is based upon work supported by the National Science Foundation under Grant Number 1750987. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.