How to Make Passwords That Cannot Be Compromised by Torture or Coercion

Your state of mind can reveal whether you are being forced to give up your password. So researchers are using this to build a coercion-resistant system of authentication.

Protecting information has become one of the most important tasks in modern society. Many people have become used to memorizing passwords and PINs, sometimes of bewildering complexity. Others use biometric indicators for protection: fingerprints, irises, and the like can all help identify individuals.

But these systems are not perfect. One significant problem is the threat of coercion—being forced to reveal a password or place a finger in the fingerprint scanner.

Today, Max Wolotsky at Cal Poly Pomona and a couple of pals have come up with a solution that can determine whether an individual is being coerced and deny authentication as a result.

The system is simple in concept. Wolotsky and co’s idea is to use an individual’s stress levels to determine whether he or she is being coerced in any way. And they do this by measuring the individual’s response to “chill” music they previously identified as relaxing.

Chill music is so-called because it provokes a shiver down the spine, a response that is similar to being cold. It is the physiological effects of this shiver that Wolotsky and co set out to measure by monitoring heartbeat and brain-wave patterns.

Their hypothesis is that these signals are impossible to fake and only possible to measure when the subject is relaxed. Any duress would result in a different signal.

To find out whether this is the case, the team asked five test subjects to choose their favorite piece of chill music and then monitored their heartbeat and brain waves while they listened.

In particular, the team focused on the moments within the music that trigger the “chill” response on the assumption that this always occurs at the same point in the score. This section of the music—less than a minute or so—then becomes the key to the authentication process.

The idea is that if the subject is relaxed, he or she can experience the “chill” in the future and reproduce the physiological signals associated with this.

Indeed, the team carried out a number of tests and found that their subjects were able to pass the test with a 90 percent success rate.

There are some caveats, of course. The team was unable to test its subjects’ response under any kind of stress to simulate the kind of coercion that this test is designed to foil. “One reason we did not do this is because it is unethical to threaten test subjects in order to verify that our system is fully coercion-resistant, as it could leave subjects with permanent physical or psychological damage,” they say.

That’s a significant limitation. If the team hasn’t checked that it works in the conditions it is designed to operate under, how can it be sure it is secure? There are other potential problems, too. The information that might benefit from this kind of increased protection is likely to be hugely valuable, things like the launch codes for nuclear weapons, perhaps. (One of the authors works at Sandia National Laboratories, which is responsible for nuclear stockpile management.)

But urgent access to this kind of information might only be necessary in times of high stress, and this could invalidate the test. The thought of somebody trying to access the launch codes as World War III unfolds, but having to chill out beforehand, has something of a black comedy about it.

Nevertheless, developing coercion-resistant passwords is an important goal. Wolotsky and co have taken some tentative steps that others can build on.

Ref: http://arxiv.org/abs/1605.01072: Chill-Pass: Using Neuro-Physiological Responses to Chill Music to Defeat Coercion Attacks

 
