Narrative Authentication Builds Storytelling into Logins

“Narrative” authentication is meant to be easier to remember and deeply personal – unlike, say, an ATM PIN.

“The insight here is that secure text passwords are ‘boring’ and, hence, are hard to remember,” reads the paper, authored by Anil Somayaji and David Mould at Carleton University, along with Carson Brown of Shopify Inc. “Narrative is, in contrast, extremely memorable, forming the basis of much of human communication. We present a simple, implementable scheme for narrative authentication using text adventures. We then also examine other strategies for generating and testing knowledge of narrative.”

In other words, don’t we all just want to be entertained? Even when logging into a secure banking site?

The paper noted that maximum security for accounts is generally achieved through long, randomly generated passwords. Yet people detest them. Not only are they hard to remember, which most often prompts a person to write the code down on a sticky note affixed to the computer, but in the case of two-factor authentication they take time and effort. As a result, users are much more likely to use shorter, fixed passwords, and they tend to reuse the same one across multiple sites. In other words, it’s a hacker’s dream.

“This tendency to minimize the memorization effort involved with passwords would, on its own, imply that human memory was a scarce resource. Yet we have ample evidence to the contrary. Even setting aside the fact that our brains have billions of neurons, our personal experience points to the vast capacities of our memories,” wrote the researchers.

So, we can remember things from our childhood with crystal-clear recall; or cringe at details of a particularly bad weekend 10 years ago. But only if we actually like what we’re trying to recall, or in some way find it interesting.

So, “What if we had a form of memory that was optimized for memorability?” the paper postulates. “This form would also need to be easy to store, communicate, and, most importantly, verify. While it is probably unrealistic to achieve a zero-knowledge property with a human-machine protocol, eavesdropping on the verification process should not permit trivial replay attacks.”

The researchers have proposed that authentication measures that take their cues from gaming and interactive storytelling (along the lines of those “Choose Your Own Adventure” books from the 1970s and 80s) would be much more effective at satisfying both the need for hacker-thwarting complexity and the need for humans to be able to remember the secret.

“Stories could be created by the user (in the form of a text adventure or other interactive system), could be generated using records of user behavior, or could be semi-automatically created through automated selection of narrative elements that are then refined by the user,” the paper explained. So, users would go through a dialogue or series of questions about the narrative to prove their identity. Trapdoors would be built in to foil unauthorized users, too.
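The dialogue-with-trapdoors idea above, and the earlier point that an observed login should not replay trivially, can be sketched as follows. This is an added example, not the scheme from the paper: the scene format, the function names, the server-side key and the sample story are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the verifier

def tag(scene_id: str, choice: str) -> bytes:
    """Keyed digest of a normalised choice, so the stored story is not plaintext."""
    msg = f"{scene_id}:{choice.strip().lower()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def enroll(story: dict) -> dict:
    """story maps scene_id -> (the user's choice, [trapdoor choices])."""
    return {sid: {"ok": tag(sid, ok), "traps": [tag(sid, t) for t in traps]}
            for sid, (ok, traps) in story.items()}

def pick_challenge(record: dict, k: int) -> list:
    """Ask about a random subset of scenes, so one observed login reveals
    only part of the story and is unlikely to replay verbatim next time."""
    return secrets.SystemRandom().sample(sorted(record), k)

def verify(record: dict, challenge: list, answers: dict) -> str:
    """Return 'accept', 'reject', or 'trapdoor' (caller should lock and alert)."""
    result = "accept"
    for sid in challenge:
        given = tag(sid, answers.get(sid, ""))
        if any(hmac.compare_digest(given, t) for t in record[sid]["traps"]):
            return "trapdoor"  # a plausible-looking answer the real user never gives
        if not hmac.compare_digest(given, record[sid]["ok"]):
            result = "reject"  # keep scanning so a later trapdoor is still caught
    return result

# Constructed sample story: each scene has one enrolled choice and trapdoors.
STORY = {
    "gate":   ("climb the wall",  ["use the brass key"]),
    "river":  ("wake the ferryman", ["swim across"]),
    "tower":  ("read the ledger", ["light the lamp"]),
    "cellar": ("follow the cat",  ["open the trunk"]),
}

if __name__ == "__main__":
    record = enroll(STORY)
    challenge = pick_challenge(record, 2)
    honest = {sid: STORY[sid][0] for sid in challenge}
    print(challenge, verify(record, challenge, honest))
```

Because each scene has only a handful of options, the keyed digests protect the stored story only while the key stays secret; the entropy of the whole scheme comes from the number of scenes and choices, not from the hashing.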

The research is fascinating but, the writers were quick to note, also very nascent. “While simple schemes based upon existing text adventure technology can be implemented today, the most promising strategies will require significant research into extracting narrative elements from records of user behavior and transforming those elements into appropriate challenges for the user,” they concluded.
