ProjectProposal-SutheeChaidaroon

From CS160 User Interfaces Fa06


Drawing Recognition System as an alternative identity management system



Summary

A password is the standard technique for verifying personal identity, but it places a major burden, in both time and resources, on users and service providers. I found that using a form of secret drawing data, called a passsign (pass + sign), as an alternative personal identifier can be more secure and more convenient for users and service providers. I propose to use an Anoto pen and digital paper as the input devices for capturing a user's passsign, and to develop a drawing recognition system that validates a user's identity from the given passsign. The proposed system can reduce the rate at which an attacker can try out guesses of a user's digital identity, while passsigns remain unique and easy to memorize.


Problem Description

A password is a series of characters, which typically can include letters, numbers, and most symbols. The most secure passwords use a combination of letters and numbers and do not contain actual words; in practice, however, most people choose a password that is easy to remember, so an attacker can easily guess it with a brute-force or dictionary attack. Although a strong password is hard to guess, users frequently forget it and tend to write it down, and resetting or retrieving a forgotten password is inconvenient. Both problems would be solved by a password, or another kind of personal identifier, that is easy to remember and hard for an attacker to guess or break.


Target User Group

The target user group is Internet users who access their resources and information online. They can be either users who submit a password as their personal identifier, or service providers who validate passwords and authorize access for each user.


Problems Context and Forces

Problem: Using a password offers no proper balance between security and convenience

Analysis:

A password must be short enough to memorize yet not easily guessed. A long, non-word password is hard for an attacker to guess but inconvenient for users to memorize, while an easily memorized password is insecure and likely to be guessed. This trade-off between security and convenience places a great burden on both users and the service providers that require user identification. Users are responsible for selecting and memorizing their passwords; service providers are responsible for selecting and maintaining their authentication systems.

Aspects of the situation that influence the problem solutions:

  1. Easily memorized passwords (users)
    • visual information
    • personalization
  2. Hard-to-guess passwords (users)
    • larger search space
    • more combinations
  3. Secure password reset systems (providers)
    • hard-to-guess secret questions/answers
  4. Secure form of stored passwords on servers (providers)
    • complex password format

Related or complementary solutions:

  1. Users can let their browsers store their passwords.
  2. Some security systems force users to change their passwords frequently.
  3. In some online payment applications, personal identity is verified using the last three digits on a personal credit card.


Solution Sketch

From the problem analysis, I found that:

  1. A password drawn from a larger space of combinations than character strings offer is harder for an attacker to guess or break.
  2. Visual information such as signatures or images is easily memorized.
  3. An Anoto pen records a timestamp with each sample, which we can use to trace a drawing stroke.

I propose to use a signature as a personal identifier: an Anoto pen and digital paper capture the user's signature, and a drawing recognition system then maps the given signature to the user's identity.

First solution: This solution assumes that we only develop software on the user's personal computer. The software receives the user's signature data transmitted by an Anoto pen and converts it into a secure file format. It then tries to match this file against the original signature; if they are identical, the software automatically fills out the password form for you. For example, if you are trying to access your email account, you input your signature, and the software verifies your input and fills in the password box with the appropriate password for you.

Image:sc_sol1.jpg

Second solution: This solution assumes that service providers agree to implement a passsign input form. After an Anoto pen transmits a user's signature to her personal computer, appropriate software takes this data and transmits it to the service provider's server via Bluetooth, or converts it into a passphrase and sends it over the web. On the server side, the provider has to implement a passsign receiver module and a database that matches each user with her passsign.


Image:sc_sol2.jpg
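Both solutions share the same matching step: the captured stroke must be compared with the enrolled passsign, and the summary's claim that guessing can be slowed down depends on the verifier refusing further attempts after repeated failures. The following is an added illustration of that step, written for this page; it is not the proposal's software and nothing like it exists in the project. It assumes the Anoto pen delivers a stroke as a list of (x, y, t) samples with t in milliseconds, resamples the stroke along its length, normalizes position and scale, compares it point by point with the template, and also checks drawing time using the pen's timestamps. The strokes and the thresholds are constructed values chosen for the example.

```python
import math
from typing import List, Sequence, Tuple

Sample = Tuple[float, float, float]   # (x, y, t): pen position and timestamp in ms
XY = Tuple[float, float]

RESAMPLE_N = 32           # points per stroke after arc-length resampling (tuning value)
SHAPE_THRESHOLD = 0.10    # max mean point distance in normalized units (tuning value)
DURATION_TOLERANCE = 0.5  # accept drawing time within +/-50% of the template's
MAX_FAILED_ATTEMPTS = 5   # lock the passsign after this many consecutive failures


def resample(stroke: Sequence[Sample], n: int = RESAMPLE_N) -> List[XY]:
    """Return n points equally spaced along the stroke's path (x, y only)."""
    xy = [(p[0], p[1]) for p in stroke]
    total = sum(math.dist(xy[i - 1], xy[i]) for i in range(1, len(xy)))
    if len(xy) < 2 or total == 0:
        raise ValueError("stroke has no extent")
    step = total / (n - 1)
    out = [xy[0]]
    acc = 0.0           # path length walked since the last emitted point
    prev = xy[0]
    i = 1
    while i < len(xy) and len(out) < n:
        cur = xy[i]
        d = math.dist(prev, cur)
        if d > 0 and acc + d >= step:
            # interpolate a new point exactly `step` further along the path
            r = (step - acc) / d
            q = (prev[0] + r * (cur[0] - prev[0]), prev[1] + r * (cur[1] - prev[1]))
            out.append(q)
            prev = q
            acc = 0.0
        else:
            acc += d
            prev = cur
            i += 1
    while len(out) < n:   # floating-point slack: pad with the stroke's end point
        out.append(xy[-1])
    return out


def normalize(points: Sequence[XY]) -> List[XY]:
    """Centre the points on their centroid and scale the larger box side to 1."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    cx, cy = sum(xs) / len(xs), sum(ys) / len(ys)
    size = max(max(xs) - min(xs), max(ys) - min(ys)) or 1.0
    return [((x - cx) / size, (y - cy) / size) for x, y in points]


def shape_distance(a: Sequence[Sample], b: Sequence[Sample]) -> float:
    """Mean distance between corresponding resampled, normalized points."""
    pa = normalize(resample(a))
    pb = normalize(resample(b))
    return sum(math.dist(p, q) for p, q in zip(pa, pb)) / len(pa)


def duration_ms(stroke: Sequence[Sample]) -> float:
    return stroke[-1][2] - stroke[0][2]


def matches(template: Sequence[Sample], candidate: Sequence[Sample]) -> bool:
    """Shape and drawing time must both agree with the enrolled template."""
    if duration_ms(template) <= 0:
        return False
    if shape_distance(template, candidate) > SHAPE_THRESHOLD:
        return False
    ratio = duration_ms(candidate) / duration_ms(template)
    return 1 - DURATION_TOLERANCE <= ratio <= 1 + DURATION_TOLERANCE


class PasssignVerifier:
    """Holds one user's enrolled passsign and limits guessing attempts."""

    def __init__(self, template: Sequence[Sample]):
        self.template = list(template)
        self.failed = 0

    def verify(self, candidate: Sequence[Sample]) -> bool:
        if self.failed >= MAX_FAILED_ATTEMPTS:
            return False          # locked: no further guesses are evaluated
        ok = matches(self.template, candidate)
        self.failed = 0 if ok else self.failed + 1
        return ok


# Constructed strokes, (x, y, t) in paper units and milliseconds.
# Enrolled passsign: an "L" drawn top-down, then left-to-right, in one second.
ENROLLED = [(0, 0, 0), (0, 5, 300), (0, 10, 600), (3, 10, 800), (6, 10, 1000)]
# Same shape, twice the size, shifted on the page, slight wobble, a bit slower.
GENUINE = [(20, 20, 0), (20.2, 30, 350), (20, 40, 700), (26, 40.1, 900), (32, 40, 1150)]
# Mirror-image stroke order: horizontal first, then vertical.
IMPOSTOR_SHAPE = [(0, 0, 0), (3, 0, 250), (6, 0, 500), (6, 5, 750), (6, 10, 1000)]
# Right shape, but traced five times more slowly, as if copied from a picture.
IMPOSTOR_SLOW = [(0, 0, 0), (0, 5, 1500), (0, 10, 3000), (3, 10, 4000), (6, 10, 5000)]

if __name__ == "__main__":
    v = PasssignVerifier(ENROLLED)
    print("genuine:", v.verify(GENUINE))
    print("mirror :", v.verify(IMPOSTOR_SHAPE))
    print("slow   :", v.verify(IMPOSTOR_SLOW))
```

Two points of the design matter for the proposal. Because a drawn passsign never repeats exactly, it cannot be stored as a one-way hash the way a text password can; the template has to be kept in a form the matcher can read, so the "secure file format" of the first solution (and the provider's database in the second) needs to be protected as a secret in its own right. The attempt counter is what turns the matching step into the rate limit promised in the summary: a stroke that looks right but was drawn at the wrong speed is rejected, and after five failures the verifier stops evaluating guesses at all until the user is re-enrolled or unlocked.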


