| dc.description.abstract | People tend to choose predictable passwords which are vulnerable to guessing attacks. To combat the security issue, system-assigned authentication keys were proposed, but coming at a cost to memorability. In this thesis, I explore two different approaches to improve memorability of system-assigned keys through implicit learning: one that directly uses implicit memory alone, and another that indirectly uses implicit memory to reinforce explicit memory.
I first explore the feasibility of direct implicit learning-based authentication secrets, Tacit Secrets: system-assigned passwords that you can remember, but cannot write down or otherwise communicate. I design an approach to creating Tacit Secrets based on Contextual Cueing, an implicit learning method previously studied in the cognitive psychology literature. My feasibility study involving 30 participants indicates that my approach has strong security properties: resistance to brute-force attacks, online attacks, classical phishing attacks, and some coercion attacks. It also offers protection against leaks from other verifiers as the secrets are system-assigned. My approach also has a high login success rate and low false positive rates. I explore the trade-offs of different configurations of my design and provide insight into directions for future work.
In light of the promising results of Tacit Secrets, I propose a novel idea for training users system-assigned passphrases using implicit learning indirectly. Unfortunately, people's propensity is to choose predictable natural language patterns in passphrases, again resulting in vulnerability to guessing attacks. Making them system-assigned would improve security, but at a cost to memorability. To improve usability of system-assigned passphrases, I propose a new approach for reinforcing system-assigned passphrases by involving implicit memory. I design, implement, and test a system that employs this approach using two implicit learning techniques: contextual cueing and semantic priming. In an 880-participant online study, I explored the usability of 4-word system-assigned passphrases using the proposed approach compared to a set of control conditions. My results showed that the proposed approach improves usability of system-assigned passphrases, both in terms of recall rates and login time. This work sheds light into the potential of implicit learning for system-assigned authentication, suggesting it can improve its usability and therefore its feasibility. | en |
