Initial project concepts
Background
A familiar burden at universities and other large organisations is creating, storing, using and forgetting multiple account names and passwords. As the numbers of students and computer systems grow, this burden will reach a point at which the resulting security problems are no longer manageable or acceptable. This software aims to provide a modular solution that gradually replaces the current dependence on passwords with questions about the individual's activities or profile as the basis of authentication. Interchangeability with existing password-based systems keeps the experience familiar for current users and preserves the investment in the authentication systems already in place.
Security research often focuses on total or absolute security rather than practical value. Despite the introduction of new security methods and products, the username-and-password prompt is still the dominant form of authentication and in some cases is gaining ground (for example in Internet and mobile applications). Although more government (e.g. Inland Revenue) and retail (e.g. banking) applications are using knowledge-based authentication, they rely on proprietary solutions that are expensive and not publicly accessible. The premise of this project is that many security solutions have poor usability and high implementation costs, especially when they require the removal of existing password-based systems. This software aims to provide a cost-effective improvement in security for educational and commercial organisations that currently use password-based authentication. First, the project uses open source licensing to reduce the cost of implementation. Second, the software focuses only on authentication, since that is the area most exposed to low-technology attacks such as manipulating or deceiving the user. Third, the solution preserves the usability and financial value of existing password systems by providing an interchangeable alternative.
This project aims to contribute directly to the development of new teaching units and to give students a practical opportunity to interact with current research that has an observable link to their studies. It would also be beneficial for students to participate as test users of the software, and the work may inspire related final-year student projects.
Initial objectives
The shared context of a university provides a wide variety of question topics, such as enrolment year, degree course, tuition payments and parking permits for cars or bicycles. Authentication questions drawn from these topics would be convenient and, provided the answers are not readily discoverable by others, harder to guess or capture than a static password, since each challenge can ask a different subset of questions in a different order. This method of authentication has been used commercially by the consumer credit industry for more than 10 years. Currently, knowledge-based authentication software is typically bundled with the reference consumer credit data provided by the vendor, so affordable and robust stand-alone solutions are lacking. The research will investigate the following issues, which must be resolved to design and implement a strong knowledge-based authentication software package:
- Selection of configurable authentication parameters including number of attempts, number of attempts within period, number of questions and threshold success level.
- Strategy to fine-tune tolerance range for authentication answers.
- Algorithm to randomise order and selection of questions.
- Strategy for selecting suitable static and dynamic user data that has sufficient coverage of target user population.
- Identification of, and strategies to cope with, potential problems caused by language comprehension.
- Strategy for coping with rate of change in user population and corresponding user data (especially students).
- Designs that minimise time to generate questions.
- Metrics to measure confidence level and quality of authentication results.
- Metrics to measure system performance.
- Designs to detect and defend against known attack methods such as automated bots, store-and-replay of captured answers, and denial of service.
- Methods to protect personal information on both the server and users' remote computers.
- Strategy for managing privacy and discrimination issues.
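The first items in the list above (configurable attempts within a period, number of questions, success threshold, answer tolerance, randomised selection and order, replay resistance and a basic confidence metric) fit together as in the following Python sketch. It is example code added for this page, not the project's own software: the Question, Policy and KnowledgeAuthenticator names, the relative-error tolerance rule, the lockout rule and the sample student profile are all assumptions.

```python
"""Knowledge-based authentication challenge with configurable attempts,
question count, success threshold, answer tolerance and random selection.
Example code added for this page; names and rules are assumptions."""
import hmac
import random
import re
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    prompt: str
    answer: str              # reference answer taken from the user's record
    tolerance: float = 0.0   # numeric answers: accepted relative error (0 = exact)


@dataclass
class Policy:
    questions_per_challenge: int = 3   # questions issued per login attempt
    threshold: int = 2                 # correct answers needed to pass
    max_failures: int = 3              # failed challenges tolerated ...
    window_seconds: float = 600.0      # ... within this period before lockout


def normalise(text):
    """Case- and whitespace-insensitive form for free-text answers."""
    return re.sub(r"\s+", " ", text.strip().lower())


def answer_matches(question, given):
    """Numeric answers pass within the question's relative tolerance (e.g. a
    tuition payment remembered approximately); text answers must match after
    normalisation and are compared in constant time."""
    try:
        ref, got = float(question.answer), float(given)
    except ValueError:
        return hmac.compare_digest(normalise(question.answer).encode(),
                                   normalise(given).encode())
    if ref == 0:
        return got == 0
    return abs(got - ref) / abs(ref) <= question.tolerance


class KnowledgeAuthenticator:
    def __init__(self, policy, rng=None):
        self.policy = policy
        self.rng = rng or random.SystemRandom()   # CSPRNG for question selection
        self._failures = {}   # user -> timestamps of failed challenges
        self._pending = {}    # user -> questions of the outstanding challenge

    def _recent_failures(self, user, now):
        cutoff = now - self.policy.window_seconds
        kept = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = kept
        return len(kept)

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return self._recent_failures(user, now) >= self.policy.max_failures

    def start_challenge(self, user, pool, now=None):
        """Issue a random subset of the user's questions in random order. The
        subset is held server-side and consumed by exactly one submission, so a
        captured answer sheet cannot be replayed against a later challenge."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            raise PermissionError("%s: too many failed attempts, try later" % user)
        k = min(self.policy.questions_per_challenge, len(pool))
        chosen = self.rng.sample(pool, k)
        self._pending[user] = chosen
        return [(q.qid, q.prompt) for q in chosen]   # answers never leave the server

    def submit(self, user, answers, now=None):
        """Score a submission against the outstanding challenge and return
        (passed, correct, asked); correct/asked is a simple confidence metric."""
        now = time.time() if now is None else now
        chosen = self._pending.pop(user, None)
        if chosen is None:
            raise ValueError("%s: no outstanding challenge" % user)
        correct = sum(answer_matches(q, answers.get(q.qid, "")) for q in chosen)
        passed = correct >= self.policy.threshold
        if passed:
            self._failures.pop(user, None)
        else:
            self._failures.setdefault(user, []).append(now)
        return passed, correct, len(chosen)


# Constructed sample profile for one fictitious student (not real data).
SAMPLE_POOL = [
    Question("enrol", "In which year did you enrol?", "2019"),
    Question("course", "What is the name of your degree course?", "Computer Science"),
    Question("fees", "How much was your last tuition payment, in pounds?", "4625",
             tolerance=0.05),
    Question("parking", "What is the registration on your parking permit?", "AB12 CDE"),
]

if __name__ == "__main__":
    auth = KnowledgeAuthenticator(Policy())
    for qid, prompt in auth.start_challenge("alice", SAMPLE_POOL):
        print(qid, prompt)
    on_record = {q.qid: q.answer for q in SAMPLE_POOL}
    print(auth.submit("alice", on_record))   # (True, 3, 3)
```

The tolerance is deliberately per question: an exact match is right for an enrolment year, while a payment amount can reasonably be accepted within a few percent. The lockout counts failed challenges rather than individual wrong answers, and the issued question set is discarded after one submission, which is the simplest defence against the store-and-replay case listed above.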
Knowledge-based authentication could be useful to other organisations that have sufficient contact with their user population to develop a suitable set of authentication questions.
Category of methods
The project aims to use a fact-based cognitive password authentication method, which is less common than the recall-based password authentication in wide use today.
Problem definition
The following charts highlight problems with commonly used recall password systems:
This diagram compares the differences between recall password systems and the proposed QID system: