Abstract or Summary:
Most security protocols are designed to secure the interaction between computers. User authentication, an interaction between a computer and a human, merits a different approach since human memory is fundamentally associative. We describe here a secure authentication protocol which relies on picture recognition, a skill which people find relatively easy. The human and the computer share a secret, which is a set of 60-100 pictures. Authentication is done via a challenge-response protocol: the computer poses a sequence of challenges to the user, which can only be answered correctly by someone who knows the shared secret. Once the probability of random guessing goes below a fixed threshold, the computer authenticates the user. We report user studies showing that the protocol is feasible for humans to use, with high reliability and for a long period of time. We also describe probabilistic attacks on the protocol, which demonstrate the protocol's computational merits and limitations.

PasswordResearch.com Note: An updated version of this paper (Cognitive Authentication Schemes Safe Against Spyware) is available.