Smartphone Secrets May Be Better Than a Password

Researchers are investigating whether recalling text messages, calls, and Facebook likes could be a useful log-in strategy.
April 28, 2015

Before you read this story, try to answer the following question: Who was the first person to text you today?

Even if you can’t remember, you can keep reading. But a group of researchers think that kind of question could eventually work as a simpler log-in method for some websites and services. The kinds of things you do regularly on your smartphone or computer may be easy for you to recall but difficult for a hacker to guess, they suggest.

In a research project dubbed ActivPass, researchers from the Indian Institute of Technology Kharagpur in West Bengal, India, the University of Texas at Austin, and the University of Illinois Urbana-Champaign studied how well participants could answer questions based on a log of activity, including Facebook posts, websites visited, songs downloaded, and people called and texted.

In a recent paper, the researchers report that asking questions about recent, infrequent events (such as a phone call yesterday from a friend you haven’t spoken to in a while) worked 95 percent of the time in testing.

Eventually, this kind of authentication may replace the growing list of usernames and passwords most of us have, or at least serve as a new kind of backup for when you forget a password. Researchers also believe it could cut down on sharing of passwords for services like Netflix.

“Whenever there’s something you and your phone share and no one else knows, that’s a secret, and that can be used as a key,” says Romit Roy Choudhury, an associate professor at the University of Illinois at Urbana-Champaign and a coauthor of the paper.

In their study, the researchers used an app to collect data from participants’ smartphones and also gathered some data from their computers. In addition, they quizzed participants to figure out what they could remember.

The team used an algorithm to find suitably infrequent events to use as the basis for questions. On average, users succeeded in answering three questions about themselves correctly 95 percent of the time, and they were able to answer questions about other people less than 6 percent of the time.

Now, Roy Choudhury says, the researchers are speaking with companies like Yahoo and Intel to figure out if what they’re doing could be useful for enterprise users and, if so, what needs to be done to make the system work well.

One issue would be figuring out what kinds of activity data users would be comfortable sharing. Another is how such a system would work if you haven’t used your phone recently or can’t remember who texted you last night at 8:05.

Jason Hong, an associate professor at Carnegie Mellon University, has conducted similar research. He says that the reported percentage of users correctly answering questions about other people is low, but the number is still large when a service is used by millions of people.

This makes him think that activity-based authentication might work best as part of a more complicated authentication process. If your phone determines you’re logging in to a service from a new place, it might ask you a few questions about your activities to help ensure you are who you say you are. Some websites already do some form of this—your bank, for instance, may ask you to authenticate yourself if you try to log on to your account from a new computer.
