Technical Field
Embodiments disclosed herein are related to systems and methods for automatically identifying and removing weak stimuli used in stimulus-based authentication systems. In particular, systems and methods disclosed herein may identify weak and/or insecure stimuli used in stimulus-based authentication systems by monitoring how often a user correctly identifies the stimulus but fails the authentication.
Related Art
Stimulus-based authentication systems are common for protecting against attackers. Stimulus-based authentication systems include the well-known CAPTCHA system, which places a word or a series of numbers or letters on the screen and asks a user to enter the string that is displayed. While such systems have proved to be useful in protecting against attacks, users occasionally have difficulties in deciphering the strings of letters or numbers being displayed, often resulting in failed authentications and user frustration. These difficulties are magnified when users are attempting to authenticate on a mobile device. One solution would be to use less random strings, or strings that are easily identified by users. However, these strings are not as strong and may be easily exploited by attackers.
One system and method developed to improve the authentication process for users on mobile devices relies on presenting stimuli to the user, asking the user to identify the stimulus, and then asking the user to perform one or more actions with the identified stimulus. Such a system and method is described in U.S. patent application Ser. No. 13/174,394, filed Jun. 30, 2011, which is assigned to the same assignee to which this application is subject to assignment, and the entire contents of which are hereby incorporated by reference. A possible problem with this approach is that attackers may be able to capture all of the possible stimuli and develop software that automatically detects the stimuli by recognizing certain features associated with them. Moreover, because there may be only a limited number of actions that can be performed with the stimuli, an attacker could theoretically develop a system that, once all of the images have been captured, succeeds at the authentication process a statistically large enough number of times to be a concern.
In the drawings, elements having the same designation have the same or similar functions.