1. Field
The present invention relates generally to computer security and, more specifically, to recognition-based authentication.
2. Description
User authentication is a central component of currently deployed computer security infrastructures. User authentication involves determining if the person attempting to gain access to a system is indeed a person authorized for such access. There are three main techniques for user authentication: 1) knowledge-based systems, which involve allowing access according to what a user knows; 2) token-based systems, which involve allowing access according to what a user possesses; and 3) biometrics-based systems, which involve allowing access according to what the user is. Although biometrics can be useful for user identification, one problem with these systems is the difficult tradeoff between imposter pass rate and false alarm rate. In addition, many biometric systems require specialized devices, which may be expensive. Token-based schemes are problematic if the token is misplaced or stolen. Most token-based authentication systems also use knowledge-based authentication to prevent impersonation through theft or loss of the token. An example is automated teller machine (ATM) authentication, which requires a combination of a token (e.g., a bank card) and secret knowledge (e.g., a personal identification number (PIN)). For these and other reasons, in today's computer systems knowledge-based techniques are predominantly used for user authentication.
Despite their wide usage, textual passwords and PINs have a number of shortcomings. Many users forget their passwords and PINs. Simple or meaningful passwords are easier to remember, but are vulnerable to guessing and dictionary attacks. Passwords that are complex and arbitrary are more secure, but are difficult to remember. Since users can only remember a limited number of passwords, they tend to write them down or to reuse similar or even identical passwords for different purposes. This of course weakens the security of every system that relies on those passwords. In addition, some systems may be vulnerable to a keystroke-logging program or device. Such a technique may be used surreptitiously to capture the password as the authorized user types it, in order to facilitate subsequent unauthorized access by another.
One approach to improving user authentication systems is to replace the precise recall of a password or PIN with the recognition of a previously seen image, a skill at which humans are remarkably proficient. In general, it is much easier to recognize something than to recall the same information from memory without a cue. Experiments show that humans can remember and later recognize hundreds to thousands of pictures after only a fraction of a second of exposure to each. By replacing precise recall of the password with image recognition, the cognitive load on the user during authentication can be lessened, helping the user to make fewer mistakes.
Existing techniques use recognition of graphical images as an authentication mechanism. One system called “Passface”, available from Real User Corporation, provides authentication through the recognition of human faces. In another system described in “Déjà vu: A User Study Using Images for Authentication” by Rachna Dhamija and Adrian Perrig, Proceedings of the 9th Usenix Security Symposium, August, 2000, authentication is performed through the ability of a user to recognize previously seen images. In this system, the images are randomly generated artwork. However, both of these systems share several disadvantages. The systems require a portfolio creation phase to generate and/or select the images to be used as the “correct” answers in a challenge-response scenario during authentication. The systems also require a training phase wherein the user studies the images (either human faces or random art) selected to be the user's “correct” images. The user is required to memorize the images so as to be able to recognize them later during an authentication session. The portfolio creation phase and the training phase may be difficult to implement in some usage scenarios. Furthermore, these systems are likely susceptible to capture-and-replay attacks, just like traditional text passwords: an observer who records which images a user selects learns the user's portfolio, and because the same portfolio images reappear in every challenge, that captured knowledge can be reused to pass later authentication sessions.
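The following is an added example, not code from Passface, from the Déjà vu paper, or from the present application. It models the portfolio-based challenge-response scheme the paragraph above describes (portfolio creation, a challenge panel that mixes every portfolio image with random decoys, and verification of the user's selections) and then models the capture-and-replay weakness: an observer records which images were clicked in one session and reuses them in a fresh challenge. The image pool, the portfolio size of 5 and the panel size of 25 are assumptions chosen for illustration; the image identifiers are constructed labels standing in for faces or random-art seeds.

```python
"""Toy model of a portfolio-based recognition-authentication scheme.

Added example (not the code of any system named in the text). Pool size,
portfolio size, panel size and image labels are assumptions for illustration.
"""
import random
from math import comb

# Constructed image pool: in Deja Vu these would be random-art seeds, in
# Passface photographs of faces. Here they are only labels.
IMAGE_POOL = [f"img-{i:03d}" for i in range(100)]
PORTFOLIO_SIZE = 5   # images the user must memorise during the training phase
PANEL_SIZE = 25      # images shown per challenge: whole portfolio plus decoys


def _rng(rng):
    """Use the caller's RNG (e.g. seeded for tests) or a CSPRNG by default."""
    return rng if rng is not None else random.SystemRandom()


def create_portfolio(pool, size=PORTFOLIO_SIZE, rng=None):
    """Portfolio creation phase: assign `size` distinct images to this user."""
    return frozenset(_rng(rng).sample(pool, size))


def make_challenge(pool, portfolio, panel_size=PANEL_SIZE, rng=None):
    """Challenge: every portfolio image plus random decoys, in random order."""
    rng = _rng(rng)
    decoys = [img for img in pool if img not in portfolio]
    panel = list(portfolio) + rng.sample(decoys, panel_size - len(portfolio))
    rng.shuffle(panel)
    return panel


def verify(portfolio, panel, selection):
    """Response check: accept only the exact set of portfolio images on the
    panel. The length check also rejects a selection that lists an image twice."""
    expected = portfolio & frozenset(panel)
    return frozenset(selection) == expected and len(selection) == len(expected)


def guess_probability(panel_size=PANEL_SIZE, portfolio_size=PORTFOLIO_SIZE):
    """Chance that one blind guess (a random k-subset of the panel) is accepted."""
    return 1 / comb(panel_size, portfolio_size)


def observer_replays(pool, portfolio, rng=None):
    """Capture-and-replay: watch one honest session, record the clicked images,
    then answer a brand-new challenge (new decoys, new order) using only that
    record. Returns True if the replayed knowledge is accepted."""
    rng = _rng(rng)
    panel1 = make_challenge(pool, portfolio, rng=rng)
    captured = [img for img in panel1 if img in portfolio]   # what the user clicked
    assert verify(portfolio, panel1, captured)               # the honest session
    panel2 = make_challenge(pool, portfolio, rng=rng)
    replay = [img for img in panel2 if img in captured]      # reuse the captured set
    return verify(portfolio, panel2, replay)


if __name__ == "__main__":
    portfolio = create_portfolio(IMAGE_POOL)
    panel = make_challenge(IMAGE_POOL, portfolio)
    honest = [img for img in panel if img in portfolio]
    print("blind-guess acceptance rate: 1/%d" % comb(PANEL_SIZE, PORTFOLIO_SIZE))
    print("honest user accepted:", verify(portfolio, panel, honest))
    print("observer replay accepted:", observer_replays(IMAGE_POOL, portfolio))
```

The blind-guess rate (1 in 53,130 for these parameters) is what a fixed portfolio buys against an attacker who has seen nothing; the replay check shows that a single observed session reduces the attacker's work to zero, which is the sense in which the text compares these schemes to a captured text password.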
New techniques are needed which overcome the deficiencies of the prior art to provide an easy to use, secure authentication system based on recognition of images. Such techniques should allow for recognition-based authentication without lengthy, prior training sessions by the user.