Tuesday, September 11, 2012

The password is dead! Long live the password!


Some of you may remember Bill Gates saying (in 2004) that the password is dead. That was well before we had to start using 14-character passwords.
More recently (like yesterday), Carnegie Mellon announced an improvement on voice recognition: a voice-verification technology that transforms your voice into a series of password-like data strings, in a process the average smartphone can handle. Your actual voice never leaves your phone, during enrollment or later authentication.
So hackers need to steal the data strings instead.  I don't see that as much of an improvement.
The proliferation of passwords has been identified as a serious problem: if you give people too many passwords, they will start reusing them, or simplify their system for coming up with new ones (cognitive load and all that). So I wonder what we could come up with to fix that?
The answer, of course, is to make password-obsoleting technology dependent on something immutable and unique about you.
Hint: If you called your friend from home, and a minute later called from work, they would become suspicious, right? Even if they could recognize your voice.
As the real estate people say, Location, Location, Location. You can only be in one place at a time, and moving from one place to another takes a non-trivial amount of time.
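The "you cannot be at home and then at work a minute later" observation is what security operations teams call an impossible-travel check. The following is an added example, not code from the original post: it replays a constructed authentication log, computes the great-circle distance between a user's consecutive events, and flags any pair that would require an implausible speed. The log lines, coordinates, and the 900 km/h threshold are assumptions chosen for illustration.

```python
"""Impossible-travel detection over a constructed authentication log.

Added example, not from the original post. The sample log, the coordinates
(roughly Washington, DC and Baltimore) and the speed threshold are assumptions.
"""
import math
from datetime import datetime, timezone

# Constructed sample log: timestamp, user, claimed place, latitude, longitude.
SAMPLE_LOG = [
    "2012-09-11T08:00:00Z paul home 38.9072 -77.0369",
    "2012-09-11T08:01:00Z paul work 39.2904 -76.6122",  # ~56 km away, one minute later
    "2012-09-11T09:30:00Z paul work 39.2904 -76.6122",  # same place, no movement
    "2012-09-11T17:05:00Z paul home 38.9072 -77.0369",  # back home after a working day
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; tune for your population


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_line(line):
    """Parse one constructed log line into a dict with a timezone-aware timestamp."""
    ts, user, place, lat, lon = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "place": place,
        "lat": float(lat),
        "lon": float(lon),
    }


def find_impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive events (per user) that implies
    moving faster than max_kmh. Zero-distance pairs never alert; a non-zero
    distance with zero elapsed time always does."""
    last_seen = {}
    alerts = []
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append({
                    "user": ev["user"],
                    "from": prev["place"],
                    "to": ev["place"],
                    "km": round(km, 1),
                    "hours": round(hours, 3),
                    "kmh": round(km / hours, 1) if hours > 0 else math.inf,
                })
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_LOG):
        print(f"{a['user']}: {a['from']} -> {a['to']} {a['km']} km in {a['hours']} h ({a['kmh']} km/h)")
```

Two practitioner caveats: the check is only as good as the location source (a VPN exit or a carrier-assigned IP can teleport a legitimate user), and it says nothing about the second event if the first was already the attacker's, so the alert should name both events rather than assuming the later one is the bad one.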
But if Apple/Google/FB always know where you are, the privacy advocates will go ballistic.
OTOH, as David Brin pointed out in The Transparent Society, people will need to swallow the bitter pill and just make sure the information flows in both directions (so you can see who is looking at your information). Besides, most people sell their privacy every day at the local grocery store for a few dollars.
The only other alternative is a humanized private/public trap that takes advantage of things only you and your friends know. You would need to share some tidbits of information, plus a voice record of 40-some phonemes, with the institution you trust. For example, after confirming that the caller ID matches one of the numbers Paul could call from, it asks positive and trap questions (while matching phonemes against the bank's record):
Machine:  Where does Jennifer work?
Fake Paul: G2.
Real Paul:  The Urban Teacher Center
Machine:  What did Tiffany say about the diamond bracelet you got her for your 10th wedding anniversary?
Fake Paul: Wonderful.
Real Paul: Umm, Tiffany who?
The next time you call, it asks different, machine-generated questions (like prime numbers: easy to generate, difficult to decode):
Machine:  Who works at The Urban Teacher Center?
Fake Paul: Umm, Sheila Brown
Real Paul:  Jennifer
Machine:  When are you and Jennifer driving to Lockheed together tomorrow? <<if your trusted machine has access to your calendar, it could ask intelligently misleading questions here>>
Fake Paul: 8 AM.
Real Paul: Umm... to where? With whom?
Other easily machine-generated positive questions could include:
What is the next number after your zip code?
What age will you be after your next birthday?
What is the number before your street address?
Is X street close to the one you live on? <<needs a Google Maps app>>
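The dialogue with Real Paul and Fake Paul, and the list of machine-generated positive questions above, describe one scheme: derive "positive" questions from stored facts so the expected answer is a simple transform of a fact, and build "trap" questions on a false premise so that the right answer is to push back rather than to supply a detail. The following is an added example, not code from the original post, that implements that scheme for a text-only channel (the phoneme matching is not modeled). The profile contents, the decoy names and events, the derivation rules, and the phrases treated as "rejecting the premise" are all assumptions for illustration.

```python
"""Challenge-response authentication with positive and trap questions.

Added example, not from the original post. The profile, decoys, derivation
rules and rejection vocabulary are assumptions chosen to match the dialogue.
"""
import random
import re
from dataclasses import dataclass

# Constructed profile held by the trusted institution. Treat it like a
# password database: it is exactly what a phisher wants to steal.
PROFILE = {
    "spouse": "Jennifer",
    "spouse_employer": "The Urban Teacher Center",
    "zip": 21201,
    "age": 44,
    "street_number": 1600,
}

# People, events and trips that are NOT part of the profile. A trap question
# asserts one of them as if it were true; a genuine caller will not recognize it.
DECOY_PEOPLE = ["Tiffany", "Sheila Brown"]
DECOY_EVENTS = ["the diamond bracelet you got her for your 10th anniversary",
                "the surprise party last Friday"]
DECOY_TRIPS = ["driving to Lockheed", "flying to Denver"]

# Words that signal the caller is rejecting the premise rather than playing along.
REJECTION = re.compile(r"\b(who|whom|what|which|where|never|wrong|no idea|don'?t know)\b",
                       re.IGNORECASE)


@dataclass
class Challenge:
    kind: str            # "positive" or "trap"
    text: str
    expected: str = ""   # only meaningful for positive questions


def positive_questions(p):
    """Questions derived from stored facts; the answer is a simple transform of a fact."""
    return [
        Challenge("positive", "What is the next number after your zip code?", str(p["zip"] + 1)),
        Challenge("positive", "What age will you be after your next birthday?", str(p["age"] + 1)),
        Challenge("positive", "What is the number before your street address?", str(p["street_number"] - 1)),
        Challenge("positive", f"Where does {p['spouse']} work?", p["spouse_employer"]),
        Challenge("positive", f"Who works at {p['spouse_employer']}?", p["spouse"]),
    ]


def trap_questions(p, rng):
    """Questions whose premise is false for this profile; the right answer rejects the premise."""
    person, event, trip = rng.choice(DECOY_PEOPLE), rng.choice(DECOY_EVENTS), rng.choice(DECOY_TRIPS)
    return [
        Challenge("trap", f"What did {person} say about {event}?"),
        Challenge("trap", f"When are you and {p['spouse']} {trip} together tomorrow?"),
    ]


def build_session(p, seed, n_positive=2, n_trap=1):
    """Pick a fresh mix of questions per call so a recorded session does not replay."""
    rng = random.Random(seed)  # in production seed from a CSPRNG, not a fixed value
    chosen = rng.sample(positive_questions(p), n_positive) + rng.sample(trap_questions(p, rng), n_trap)
    rng.shuffle(chosen)
    return chosen


def _norm(s):
    s = re.sub(r"[^a-z0-9 ]", "", s.lower()).strip()
    return re.sub(r"^the\s+", "", s)


def check_answer(ch, answer):
    """Positive: normalized exact match. Trap: any confident specific fails; pushing back passes."""
    if ch.kind == "positive":
        return _norm(answer) == _norm(ch.expected)
    return REJECTION.search(answer) is not None


def verify(challenges, answers):
    """All-or-nothing: one wrong positive or one swallowed trap fails the whole session."""
    return len(answers) == len(challenges) and all(
        check_answer(c, a) for c, a in zip(challenges, answers))


if __name__ == "__main__":
    session = build_session(PROFILE, seed=1)
    for c in session:
        print(f"[{c.kind}] {c.text}")
```

The value of the trap questions is that a social engineer who has harvested the "positive" facts (zip code and street address are public records; a spouse's employer is a LinkedIn search away) still has to guess which questions are real, and improvising a confident "Wonderful" or "8 AM" is precisely what fails. The weakness is symmetric: a genuine caller who answers a trap with a polite guess instead of "Tiffany who?" also fails, so the rejection vocabulary and the number of traps per session need to be tuned against real call data, and a failed session should fall back to a stronger channel rather than simply retrying.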
I wonder if trap questions could be based on the work DARPA is doing on "online personalities" (DARPA-BAA-12-06: Active Authentication)?
I'm also wondering if we could abstract public/private key encryption to a human level...
