Towards In-Band Non-Cryptographic Authentication.

Robust, secure authentication is essential in online interactions. Current best practice is to combine factors communicated using different channels; however, in some contexts multi-factor authentication may not be feasible or appropriate. Thus there is a need for authentication strategies that do not rely on classic multiple factors. While people normally rely upon multiple factors to authenticate each other, there is anecdotal evidence that such factors are not needed to authenticate close relationships, and that in fact they can recognize each other over an extremely low-bandwidth channel: texting. In this work we examine whether people who know each other well can, in fact, authenticate each other while texting in an adversarial context. We present results from a "friend imitation" game that has many similarities to Turing's Imitation Game. Results from this user study indicate that people use a variety of syntactic and semantic techniques to authenticate each other when texting. While some of the observed techniques are not secure against adversaries with access to social media and other data sources, others leverage sophisticated mental models of the other person's expected behaviour that can quickly be used to detect impersonation attempts. We also explore to what extent these insights could inform mechanisms for in-band non-cryptographic authentication in computer-to-human, human-to-computer, and computer-to-computer communication contexts.