Memory as a Password
How do we know someone is who they say they are? We rely on three factors to tell us about identity. The first is a physical trait. In some ways this is the most true indicator. It could be a fingerprint, an iris pattern, your gait or DNA. These biometrics are often discussed in computer security, but they have drawbacks. Another factor is a token or key that somebody possesses. This could be a metal key, a computer chip, an identification card or any other token. Finally, there is the password. The most maligned and least liked of the three.
The drawbacks and benefits of each of these three mean that certain situations will favor certain authentication approaches. It would be hard to imagine whispering the waiter your password instead of handing them a credit card. Other scenarios are not so far fetched. Gait analysis to log into your email on your smart phone? Chip and pin to log in to a work computer? Most smart phone have finger print sensors already, whether they are safe or not is another argument.
One nice thing going for inherence is it gets close to what we actually mean by identity; The unique arrangement of atoms the constitutes a person’s presence in the world.
A drawback with measuring a quality of inherence is that it must be statistically implemented. Think of each authentication as a sample drawn from a population of infinite potential samples of youness along a number of dimensions. If you gathered a few of them, you’d be relatively confident that the person is who they claim to be. On the other hand, there will always be some amount of false positives. I have seen fingerprint scanners fail when people’s fingerprints have been dulled by years of chemical use.
Once a biometric password gets loose there is less you can do to recover from the breach. You cannot change your fingerprint, DNA or the way you walk without great trouble.
If we tie our identities to a thing we have, whether it is a key to our house or a string of characters we run the risk that it will fall into the wrong hands. Any key, physical or cyber, can be copied.
One thing people haaate about keys is that they are difficult to reset. This is a feature, not a bug, but it is also a failure of the security community to realize that anything that is an inconvenience will create security holes. Good user experience leads to well behaved users. When I had to send folks home because they left their smart card on the night stand, they were not happy. On the other hand, keys can be reset, unlike biometrics.
My biggest problem with the possession solution is a more intellectual one. What does it mean to be who I am? Are we really defined by the things we own? As a practical matter, possession is a great way to define identity, but philosophically I find it repulsive.
People like passwords because for the same reason they like biometrics, they carry the proof with them. Maybe even more significant than the convenience for the user is the convenience of implementation. You don’t need any physical interface to put a password in place.
Passwords do have one big advantage over biometrics; They are robust to breaches. As much as it is a problem when a service you use gets hacked, you can reset your password. This ability to bounce back is underrated.
Another big advantage of passwords is that they are precise. We often think of authentication as being about accuracy. How sure are we that you are who you say you are? Precision is also important! How sure are we that you are exactly who you say you are. Identical twins notwithstanding, we don’t worry much about people having similar (but not the same!) fingerprints. Still, when you’re managing a large workforce, high maintanace or time sensative roles, and especially elderly people or others with worn down fingerprints, you see a lot of weird things happen. Some people have such weak fingerprint signaling that nearly can be considered a match. Sometimes you have to scan 10+ times. This never happens with a password.
Everybody can identify with the frustration of forgetting a password or having to manage various complicated (and no more secure) passwords. Some smart researchers at Carnagie Mellon University have proposed a Person - Action - Object schema in a Scientific American article. This research draws on some cool findings in psychology about memory. Anybody who has read Moonwalking with Einstein will recognize this sort of memory palace technique. The problem is, it’s artificial. You have no context and are essentially just memorizing, albeit a slightly less difficult kind of memorization.
I propose to take this method a step further. Why not use the memories you already have? Remember that salient vacation or when you had to take your dog to the vet? Creating a story out of memories already seared into our minds is way easier than the Person - Action - Object schema. For example, using a phrase like “boating on the potomac in winter” returned exactly 0 results on google. Even after this post, the exact phrase without spaces is unique. What is more, this hypothetical memory of chilling wind cutting through your fleece as you sail alongside monuments is pretty unforgettable, and it’s more secure than using your pet’s name and the year you were born.