Cognitive authentication schemes safe against spyware (short paper)

Daphna Weinshall*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

122 Scopus citations


Can we secure user authentication against eavesdropping adversaries, relying on human cognitive functions alone, unassisted by any external computational device ? To accomplish this goal, we propose challenge response protocols that rely on a shared secret set of pictures. Under the considered brute-force attack the protocols are safe against eavesdropping, in that a modestly powered adversary who fully records a series of successful interactions cannot compute the user's secret. Moreover, the protocols can be tuned to any desired level of security against random guessing, where security can be traded-off with authentication time. The proposed protocols have two drawbacks: First, training is required to familiarize the user with the secret set of pictures. Second, depending on the level of security required, entry time can be significantly longer than with alternative methods. We describe user studies showing that people can use these protocols successfully, and quantify the time it takes for training and for successful authentication. We show evidence that the secret can be maintained for a long time (up to a year) with relatively low loss.

Original languageAmerican English
Title of host publicationProceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006
Number of pages6
StatePublished - 2006
Event2006 IEEE Symposium on Security and Privacy, S and P 2006 - Berkeley, United States
Duration: 21 May 200624 May 2006

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
ISSN (Print)1081-6011


Conference2006 IEEE Symposium on Security and Privacy, S and P 2006
Country/TerritoryUnited States


Dive into the research topics of 'Cognitive authentication schemes safe against spyware (short paper)'. Together they form a unique fingerprint.

Cite this