Mental Trapdoors for User Authentication on Small Mobile Devices

As small mobile devices such as mobile phones become increas- ingly sophisticated, they are beginning to be used for highly security- sensitive applications such as payment systems, stock trading, and access control systems. The increasing importance of mobile phones exposes the tremendous lack of access control systems that restrict access to the legitimate user. In fact, a lost mobile phone "dele- gates" all rights to its new owner. The main challenges in design- ing a secure user authentication system for small mobile devices are the miniaturization as well as the requirement for usability across a wide range of people. In this paper, we propose and evaluate a novel mechanism for user authentication. The cognitive process we rely on is the human ability to recognize degraded images; degraded images are easily recognized by legitimate users who have been being exposed to the original picture. On the other hand, without knowledge of the orig- inal image, it is difficult to mentally "revert" from the degraded im- age to the original image, which provides a line of defense against guessing attacks. We implement a prototype user authentication system in Nokia N70 cellular phones, and conduct a usability study of our scheme with 54 participants. We find that all users manage to authenticate, even after four weeks, which is a strong indication that the scheme is usable by a wide range of people, even on miniaturized portable devices. We anticipate that this research will revitalize and encourage re- search in the important topic of portable device based user authen- tication.