Thursday, December 3, 2015

Help Me Gather Research for my University Project by Answering Three Simple Questions! Music Based Authentication


TAKE SURVEY

UPDATE:

We're most interested in your thoughts about a music based password, more than a specific implementation. Our current implementation includes but hypothetically isn't limited to taking in input from a physical MIDI keyboard, and a computer program that maps keystrokes to musical notes. (See the first iteration of our interface below!)

Description

I'm working on a team project for my Network Security class at the University of Utah. We are creating a music based authentication system. When creating a password, you not only want something that is strong and secure, but also easy to remember. Many current password methods force their users to create strong passwords that are hard to remember. (e.g. You've seen password generators ask you to choose a password that contains at least one upper-case letter, one lower-case letter, one number, be at least 8 characters, have no repeated values and a special character.) We are arguing that a musical melody is easier to remember than a long password string. I always seem to get songs stuck in my head, but I can never remember long and complex passwords.

Our professor has asked us to conduct a small amount of research, to branch out from our anecdotal evidence, to see if people found the idea of using music based authentication instead of regular password authentication useful.

Please take this quick 3-question survey and let us know if you think a music-based password would be useful or interesting!

Thank you for your time and interest!




Other factors to consider

There are other ways of authenticating, which are worth considering when deciding whether a music based authentication would be useful from a user point of view.
  • Biometrics, such as fingerprint or eye scanners.
  • LastPass: a platform that stores all of your passwords
  • Using Facebook or Google Account to log in.

My anecdotal evidence

This idea is more of a cool novelty. I got the idea mostly because of the video game, Resident Evil. Parts of the game require you to play musical melodies on a grand piano to advance to the next part of the level.
Also I think that musical melodies, such as "Ode to Joy" are much simpler to remember than long strings. I can picture the melody quite clearly in my head, even though it has been 3 years since I've heard it or played it. I constantly find myself looking for the Forgot Password? button on many of my online accounts, even though I just reset the password a couple weeks ago.  



Resident Evil, playing Moonlight Sonata to advance in the level.

Is music based authentication actually secure? How secure?

This section is irrelevant to the question we pose in our survey; I only include this if you're interested, or your decision of its usefulness depends on whether or not the password is strong. There are three aspects to consider when answering this question. The second and third aspects are more interesting, and are ultimately the focus of our project:

  1. We are using a TLS 1.2 handshake to set up a connection between a client and server that will provide key network security features, such as perfect forward secrecy, protection from an eavesdropper, server break-in, person in the middle, and offline dictionary attacks. A shared secret is used to produce session keys that will encrypt correspondence between the server and client.
  2. We are interested in figuring out just how complex a musical password can be: how many bits of entropy does it have? With a typed string password, the only factor is the order of the individual characters. With music, it is not only the order of notes that matters, but also rhythm, note duration (quarter notes, half notes, eighth notes), note dynamics (ff, f, m, p), etc. We are currently researching and investigating this question.
  3. Some passwords are easy to guess because they are common, or follow patterns. I imagine the melody of "Twinkle Twinkle Little Star" being a common password. We're interested in how to choose a strong non-predictable melody that is also easy to remember.
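
As an added illustration of aspects 2 and 3 (example code, not code from the project described here), the Python sketch below computes an upper bound on melody entropy and flags melodies that begin with a well-known tune regardless of key or tempo. The 25-key pitch range and the two-tune blocklist are assumptions constructed for the example.

```python
import math
from fractions import Fraction

# Assumed alphabet: 25 pitches (a two-octave MIDI keyboard, an assumption);
# durations and dynamics are the ones the post lists.
PITCHES = 25
DURATIONS = ("eighth", "quarter", "half")
DYNAMICS = ("ff", "f", "m", "p")

def max_entropy_bits(n_notes, rhythm=True, dynamics=True):
    """Upper bound in bits: each attribute chosen uniformly and independently."""
    per_note = PITCHES * (len(DURATIONS) if rhythm else 1) * (len(DYNAMICS) if dynamics else 1)
    return n_notes * math.log2(per_note)

def notes_to_match(target_bits, **kw):
    """Fewest notes whose upper bound reaches target_bits."""
    return math.ceil(target_bits / max_entropy_bits(1, **kw))

def canonical(melody):
    """Key- and tempo-independent form of [(midi_pitch, beats), ...]:
    semitone offset from the first note, duration relative to the first note."""
    p0, d0 = melody[0]
    return tuple((p - p0, Fraction(d) / Fraction(d0)) for p, d in melody)

# Constructed blocklist: openings of the two tunes the post names.
COMMON = {
    "Twinkle Twinkle Little Star": canonical(
        [(60, 1), (60, 1), (67, 1), (67, 1), (69, 1), (69, 1), (67, 2)]),
    "Ode to Joy": canonical(
        [(64, 1), (64, 1), (65, 1), (67, 1), (67, 1), (65, 1), (64, 1), (62, 1)]),
}

def common_tune(melody):
    """Name of the blocklisted tune the melody starts with, else None."""
    form = canonical(melody)
    for name, known in COMMON.items():
        if form[:len(known)] == known:
            return name
    return None

if __name__ == "__main__":
    typed = 8 * math.log2(94)  # 8 random printable-ASCII characters
    print(f"8-char password: {typed:.1f} bits")
    print("notes needed, pitch only:", notes_to_match(typed, rhythm=False, dynamics=False))
    print("notes needed, pitch+rhythm+dynamics:", notes_to_match(typed))
    # Twinkle Twinkle moved up a whole tone and played twice as fast.
    print(common_tune([(62, .5), (62, .5), (69, .5), (69, .5), (71, .5), (71, .5), (69, 1)]))
```

The bound assumes notes are picked at random; a melody a person actually chooses carries fewer bits, which is why the blocklist check compares intervals and duration ratios instead of raw notes.
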
Our protocol
[Image: revised api complete.png]

Current GUI Interface


Notice that notes are mapped to keyboard notes.
