Reviews on related papers

[DevArenaCN]

So, from what I've found, I think we could use Designing Password Policies for Strength and Usability Section 2.3 Understanding How Users Manage Passwords as a start, the study shows password reuse is common, also users' mental models are a crucial driver as well. In this paper, it also included two studies regarding different types of password and how well do people input those passwords.

The other paper is the Compare Password Management Software Toward Usable and Secure Enterprise Authentication one, which gives us a detailed study on the comparison of 4 different password manager software, we could use it to form the user survey of our own.

For implementations, we could use Graphical Passwords: Learning from the First Twelve Years to back our graphic implementation (PNC bank) up. The other one is Advanced smart card based password authentication protocol, which we could use to form our way of doing the master password, or something else, I'm not sure about this implimentation.

[thegreyd]

I was reading some of the papers and online articles. I don't think we've quite nailed the problem yet. From what I understand, we can be tackling these different problems:

• Remembering Passwords : Now this can be done in the ways we discussed. Passphrases consisting of english words, easy to remember. Visualizing that passphrase to an image or sound. Basically creating a mental model, as you said. Implementation would probably be done with browser extension or, desktop app.
  • For passphrase generation there are many existing implementations
    • http://world.std.com/~reinhold/diceware.html
    • https://github.com/ulif/diceware/
    • http://www.useapassphrase.com/
    • https://github.com/cyph/xkcd-passphrase
• Replacing Passwords : There's no password in this case, we authenticate with some other criteria. Implementation would be done with building authentication portal for a mock website.
  • Using Image/QR code with Smartphone :
    • https://getclef.com/
    • Clef demo video
    • http://sqrl.pl/guide/
  • Typing patterns
  • Fingerprint/Face recognition
  • Graphic implementation - PNC bank image
  • Device based - Smart card/USB
• Implementing 2FactorAuthetication methods : The methods that were discussed in password replacement could be used here as well, as the second step. In this case too the implementation would consist of building an authentication portal.
  • Using sound Illiri

[thegreyd]

For literature, we could use this website: http://passwordresearch.com/index.html. It has a big listing of research papers about passwords

[KaustubhG]

I belive the problem we are tackling is making logging-in (authentication) easier to the user

This can be done in the following ways:

Plain Vanilla approach:

• Assume that the user remembers username/password to a bunch of websites and frequently doesn't mind clicking the 'forgot password' link to reset a password if he/she forgets it.
• This will make a user keep same passwords (or atleast very similar) passwords to multiple websites leading to vulerability issues.
• This is kind-of on the extreme end of the spectrum where we forgo vulnerability for maximum ease.

Password replacement

• The user hands-off the policies of a good password to the system and only remembers a self-assigned passkey which is mapped to the actual system generated password.
• A similar approach is proposed in the Passpet Paper

Using a Smartphone as auth ( fingerprint recognition, QR code scan)

• This gets rid of the password all together. Your phone/fingerprint is the key.
• This approach assumes that the user always has his/her phone on him/her when they log-in. (at least most of the times).
• Whatsapp already does this for 'whatsapp web'
• Seems the best approach considering the future ( https://www.android.com/pay/ )
• The UbiKiMa paper gives a really complex way of authentication via an arbitrary phone and laptop into a website, but we could build a simplified and toned down version of this.

Passphrase generation I was searching for some literature on this and found the following paper from CMU.

• The paper 'Correct horse battery staple: exploring the usability of system-assigned passphrases' says that passphrases don't provide a better/effective/easier way of authentication as compared to the vanilla approach.
• They say that passphrases though easier to remember cause hang ups since the user doesn't 'exactly' remember them. Perhaps we could control the threshold of 'similarity' of the passphrase...

[thegreyd]

Hi guys, I recently signed up for medium.com. I was surprised to find out that it doesn't require a password to login. Everytime you want to login, it sends you an email with a link; you open the link and you are logged in. This is really convenient

[DevArenaCN]

Yeah we can do something similar to it, maybe do it in a biometric authentication way

[KaustubhG]

found a blog articles talking about this:

https://thisdata.com/blog/an-introduction-to-passwordless-logins/ https://blog.howdy.ai/it-is-past-time-for-passwordless-login-4f468b812301#.2htz4he8m

[DevArenaCN]

Open a new issue for the January report so I'm closing this one.