Before you read this story, try to answer the following question: Who was the first person to text you today?
Even if you can’t remember, you can keep reading. But a group of researchers think that kind of question could eventually work as a simpler log-in method for some websites and services. The kinds of things you do regularly on your smartphone or computer may be easy for you to recall but difficult for a hacker to guess, they suggest.
In a research project dubbed ActivPass, researchers from the Indian Institute of Technology Kharagpur in West Bengal, India, the University of Texas at Austin, and the University of Illinois Urbana-Champaign studied how well participants could answer questions based on a log of activity, including Facebook posts, websites visited, songs downloaded, and people called and texted.
In a recent paper, the researchers report that asking questions about recent, infrequent events (such as a phone call yesterday from a friend you haven’t spoken to in a while) worked 95 percent of the time in testing.
Eventually, this kind of authentication may replace the growing list of usernames and passwords most of us have, or at least serve as a new kind of backup for when you forget a password. Researchers also believe it could cut down on sharing of passwords for services like Netflix.
“Whenever there’s something you and your phone share and no one else knows, that’s a secret, and that can be used as a key,” says Romit Roy Choudhury, an associate professor at the University of Illinois at Urbana-Champaign and a coauthor of the paper.
In their study, the researchers used an app to collect data from participants’ smartphones and also gathered some data from their computers. In addition, they quizzed participants to figure out what they could remember.
The team used an algorithm to find suitably infrequent events to use as the basis for questions. On average, users succeeded in answering three questions about themselves correctly 95 percent of the time, and they were able to answer questions about other people less than 6 percent of the time.
Now, Roy Choudhury says, the researchers are speaking with companies like Yahoo and Intel to figure out if what they’re doing could be useful for enterprise users and, if so, what needs to be done to make the system work well.
One issue would be figuring out what kinds of activity data users would be comfortable sharing. Another is how such a system would work if you haven’t used your phone recently or can’t remember who texted you last night at 8:05.
Jason Hong, an associate professor at Carnegie Mellon University, has conducted similar research. He says that the reported percentage of users correctly answering questions about other people is low, but the number is still large when a service is used by millions of people.
This makes him think that activity-based authentication might work best as part of a more complicated authentication process. If your phone determines you’re logging in to a service from a new place, it might ask you a few questions about your activities to help ensure you are who you say you are. Some websites already do some form of this—your bank, for instance, may ask you to authenticate yourself if you try to log on to your account from a new computer.