CuedR: A Secure and Usable Authentication Scheme

What makes the solution innovative:

Our system-assigned password scheme makes use of humans’ cognitive strengths, and accommodate users with different learning styles. To this end, we draw upon several prominent theories of cognitive psychology to design CuedR, which offers various memory cues to help users to memorize (at registration) and recognize (at login) the system-assigned keywords. Our scheme would be tailored to the culture, context, and language of targeted population (e.g., people in Bangladesh) through using graphical and verbal cues that Bangladeshis are familiar with, and using 'Bangla' (native language in Bangladesh) to present the keywords, verbal and audio cues.

How the solution demonstrates 'privacy by design':

In most systems, users are tasked with creating a password that should be both secure and memorable. For many users, this is a lot of work. So, they compromise with security, and create a weak but memorable password, which is more of a concern for the people with low literacy, who typically lack information on creating strong passwords. We thus, argue that the burden of password creation should be borne by a system, especially for the high-security accounts of users. In our proposed scheme, passwords are randomly assigned by the system, offering security and privacy to users' sensitive information stored in their accounts. With system-assigned passwords, users do not have to guess whether a password is secure, and the system can ensure that all passwords offer the desired level of security. While password reuse could pose a serious security threat, using system-assigned passwords ensures that users do not reuse a password (or modification thereof) already used on another account. Variant response feature in CuedR offers higher resilience to shoulder-surfing attack and keystroke loggers, compared to traditional text-based password scheme. In this way, security and privacy are incorporated into the design of our authentication system, demonstrating 'security and privacy by design'.

How the solution can be incorporated into digital identification systems:

CuedR would be incorporated into the digital identification system through our Server-side Class Package, CuedR Library (database of keywords, graphical, verbal, and audio cues), and User Interface (client). Memory cues corresponding to the system-assigned keywords would be presented at the client-end to help users with successful authentication. At the server-end, to ensure the secure storage of users’ authentication secrets, the system-assigned keywords for a user would be concatenated together with a salt and hashed using a slow hash function like bcrypt or PBKDF2. Previously, CuedR was implemented in a real-life setting for the purpose of months-long field studies in USA, and successfully recorded several thousands login instances during the entire period of our studies without any technical difficulty at the server end, where users reported high satisfaction with using the system in the exit survey, and did not mention about any technical issues at the client end. The findings from our lab studies were published in the proceedings of CHI 2015 and SOUPS 2015, while the results from our field studies are currently in submission. To note, all of these studies were conducted in USA.

How the solution is 'user-friendly':

CuedR could be incorporated into the digital identification system in a user-friendly way, through leveraging our Server-side Class Package, CuedR Library (for keywords and cues), and User Interface (client). In CuedR, system-assigned keywords for a user are concatenated together with a salt and hashed using a slow hash function; So an existing system using traditional textual password should be able to integrate CuedR without any major upgrade at server end. While many real-life systems store passwords in plaintext, we recommend to use salt and hash while storing users' authentication secrets in CuedR, to protect their credentials against offline guessing attacks.

How the solution ensures interoperability:

Currently, our CuedR prototype does not have an open API. In this regard, CuedR could be integrated to an existing system through our server-side class package, CuedR Library (database of keywords, graphical, verbal, and audio cues), and User Interface (client). In CuedR, system-assigned keywords for a user are concatenated together with a salt and hashed using a slow hash function; So an existing system using traditional textual password should be able to integrate CuedR without any major upgrade at server end.

How the solution accounts for low connectivity environments and for users with low literacy and numeracy levels:

It is a challenging task, especially for the people with low literacy in developing countries, to understand the requirements and strategies of creating strong passwords. To reduce this burden from users, we propose a system-assigned password scheme so that people do not have to worry about the strength of a password to protect their digital information. We implement incremental learning technique during registration to ease the password learning process of low-literate people, and provide them with their culture, context, and language-centric memory cues that they could easily relate and understand, and so on, leverage to memorize the system-assigned passwords.

Vision over the next three to five years to implement or grow the solution to affect the lives of more people:

CuedR is designed for high-security accounts that contain sensitive information of users. We aim to scale our solution to the security and privacy sensitive accounts of users, especially the ones containing financial and identity information. With helping the people in remembering secure passwords, we aim to gain users' trust in protecting their digital information. Consequently, over the period of next three to five years, our proposed scheme should contribute to increase the use of Internet among people in developing countries in a secure and privacy-preserving way, especially among the ones with low literacy and limited technical efficacy.

https://docs.google.com/document/d/1pqUjdgvgoUV0ALQr9bm08wQmrpWCFeCWVpMnI1lT6wo/edit?usp=sharing

https://docs.google.com/document/d/1pqUjdgvgoUV0ALQr9bm08wQmrpWCFeCWVpMnI1lT6wo/edit?usp=sharing

Promotional video of solution:

https://docs.google.com/document/d/18HiYLA23x6-umNgBwF1OZqPNd3rgYLrtA1ZS1d-6mg0/edit?usp=sharing

How the solution team is organized:

Solution lead:

Solution leadership:

N/A

How many people work on the solution:

Solution age:

The organizations applicants are currently working with:

Dr. Al-Ameen and Dr. Ahmed are Assistant Professor at Utah State University and University of Toronto, respectively. Sharifa Sultana is a PhD student at Cornell University. We have partnered with Rural Reconstruction Foundation (RRF) in Bangladesh, a non-governmental, non-profit, non-political and non-sectarian, voluntary development organization, established in 1982 aiming to promote socio-economic emancipation of the underprivileged population. Our project aligns with the broader interest of this NGO, who would support us with resources at the field level for the evaluation and implementation of our proposed authentication scheme, with offering us access to both rural and urban underprivileged population in Bangladesh.

Applicant skills that can attract the different resources needed to succeed and make an impact:

Multi-disciplinary skills and experiences are the strength of this team. Dr. Al-Ameen has specialized in Usable Security and Privacy, who has led the development and evaluation of CuedR scheme in USA. Dr. Ahmed and Sharifa Sultana's works focus on sustainable development and Human-computer Interaction (HCI) in Global South, including Bangladesh. All of the researchers in this team are Bangladeshi, by born, and have access to the users and organizations in Bangladesh to implement and evaluate their scheme. For example, we have already partnered with Rural Reconstruction Foundation (RRF), an NGO in Bangladesh to get access to the underprivileged population.

Revenue model:

Our solution addresses the usability-security tension in user authentication, which remains one of the most challenging research problems for decades, to protect users' digital information. With its proposed design feature to fit in the culture, context, and language of the targeted population, CuedR scheme aims to provide both security and usability for the people in developing countries while protecting their sensitive digital information. In CuedR, system-assigned keywords for a user are concatenated together with a salt and hashed using a slow hash function; So an existing system using traditional textual password should be able to integrate CuedR without any major upgrade at server end. Thus, we strongly believe that CuedR scheme would offer long-term sustainability, and expansion in Bangladesh to protect privacy-sensitive digital information of users, including for the people with low literacy and limited technical efficacy.

Reason for applying to the Mission Billion Challenge:

We aim to improve the security and privacy of digital systems in developing countries, with a particular focus on Bangladesh. We evaluated our proposed authentication scheme in USA, and found high login success rate in lab and field studies. We now, plan to tailor this scheme to the context, culture, and language of Bangladesh, so that local people, especially the ones with low literacy could easily leverage memory cues to memorize strong passwords, and so on, secure their sensitive digital information. We strongly believe, our participation in Mission Billion Challenge would contribute to successfully implement our project plan in Bangladesh.

Key barriers to the solution:

Due to novelty effect, it generally takes a while for users to adopt a new system, which may present a challenge at the initial stage of implementing our solution in Bangladesh. However, with the regular use of a system, people overcome the novelty effect, and their performance in using that system improves over time because of training effect. The findings from our field study in USA confirm the positive impact of training effect on our scheme. Also, the careful implementation of culture, context, and language-centric memory cues should help the people in Bangladesh to overcome their novelty effect with CuedR.