Abstract
Over the last few years, there has been emerging interest in authenticating users through the medium of music. Historically, developers of alternate modality systems have focused on image- and haptic-based techniques, instinctively shying away from music. This might be due to the inherently temporal nature of the listening task and the belief that this would be impractical and frustrating for users. In this chapter, the authors discuss and present new research in this field that, to the contrary, indicates that the “enjoyability factor” means users may be more willing to spend additional time authenticating with music than they would with other techniques. Although undeniably not the optimal solution in time-critical contexts, for many other pursuits music-based authentication could feasibly replace passwords, easing the number of secure strings the average user is expected to remember. Music may also offer a better solution for those suffering memory or cognitive impairments. This chapter incorporates discussion on recent advances in the field of authentication research within the context of a changing threat landscape. A prototype musical password system is presented and a summary of results from online user testing and a lab-based controlled experiment are presented which further reinforce the importance of accounting for “enjoyability” in the assessment of recognition-based authentication schemes.
Top2. Background
There are two reasons that we forget; either the information no longer exists (“trace-dependent forgetting”); or it exists, but cannot be retrieved (“cue-dependent forgetting”) (Tulving, 1974). Trace-dependent forgetting happens when an item is not imprinted strongly enough, if the item has not been successfully consolidated or has become corrupted by other memory items (“interference”). Cue-dependent forgetting occurs when a retrieval trigger (“cue”) is not associated with the item.
Key Terms in this Chapter
Password Alphabet: The set of letters that can be included to form passwords.
Low and Slow Attack: Similar to a brute force attack, although attacker distributes guesses over a number of accounts to avoid detection.
Single-Sign-On (SSO): A system which allows access to numerous accounts once authenticated to a single session – reduces the number of passwords requiring memorization.
Brute Force Attack: Attacker sequentially works through all possible passwords until a valid one is obtained. Can be “offline” where attacker obtains a file containing hashed passwords, subsequently encodes possibilities and compares to file or, “online” where guesses are made directly at interface. Will find all passwords given sufficient time and space.
Dictionary Attack: Attacker uses a dictionary of common passwords and uses these in an attempt to gain access. Can also be implemented on or off-line. Saves time compared to brute force, though not guaranteed to find every password.
Entropy: In this context, the randomness or lack of predictability of a password's distribution throughout the available space.
Musical Password: A password which utilizes music as the alphabet.
Password Space: The number of unique passwords that can be created from an alphabet.