Skip the password

Share your “secret knock” with your family for group authentication

Daniel Tkacik

Jun 26, 2017

In the days of prohibition in the United States, thirsty men and women entered speakeasies with a secret knock at the door. In some unwanted cases, onlookers who were prohibited from entering the speakeasy studied the secret knock from afar, and used it to enter the building.

Thanks to new CyLab research, “secret knocks” may be on their way to your shared online accounts, but now systems can use machine learning to detect when someone who shouldn’t be is trying to use the secret knock.

“You can imagine having a shared smart refrigerator, or a shared iPad,” says Sauvik Das, a researcher in the Human-Computer Interaction Institute (HCII). “If you’re using a shared password, the system’s security doesn’t know whether a person accessing the system should be, or if a person somehow stole the password from someone associated with the account.”

In a recent study, Das introduced “Thumprint,” a group authentication system through shared secret knocks (and a play on “thump” and “print”). Das recently presented the study at the ACM CHI conference in Denver.

“You can’t just give a random person your secret knock,” Das explains. “You have to be registered, and the system must know each person’s unique expression of the knock.”

When two or more people want to share a device (which must have a built-in accelerometer to detect the knock), they must first agree on a secret knock that is no longer than 3 seconds. Then, each member of the group must perform the knock 10 times on the device so the device can learn how each specific person expresses the knock.

Unlike the prohibition scenario, someone who studies the secret knock from afar cannot gain access to the system because the person’s expression of the knock will not match any of the registered members.
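An added example of the enrollment-and-match flow described above (not Thumprint's own code): each member enrolls 10 knocks, and a later knock is accepted only if it is close to some registered member's expression. The article does not describe Thumprint's features or model, so the tap representation, the feature set, the z-score distance and the 3.0 threshold are assumptions, and the member names and readings are constructed.

```python
import math

MAX_KNOCK_SECONDS = 3.0  # from the article: knock is no longer than 3 seconds
ENROLL_SAMPLES = 10      # from the article: each member knocks 10 times

def features(knock):
    """knock: list of (time_s, peak_accel_g) taps. Assumed features: gaps between taps, then tap force."""
    times = [t for t, _ in knock]
    if times[-1] - times[0] > MAX_KNOCK_SECONDS:
        raise ValueError("knock exceeds 3 seconds")
    gaps = [b - a for a, b in zip(times, times[1:])]
    return gaps + [a for _, a in knock]

def enroll(samples):
    """Build one member's template: per-feature mean and spread over the enrollment knocks."""
    if len(samples) != ENROLL_SAMPLES:
        raise ValueError("need exactly 10 enrollment knocks")
    cols = list(zip(*[features(k) for k in samples]))
    mean = [sum(c) / len(c) for c in cols]
    std = [max(math.sqrt(sum((x - m) ** 2 for x in c) / len(c)), 0.01)
           for c, m in zip(cols, mean)]  # floor avoids division by zero
    return mean, std

def identify(knock, group, threshold=3.0):
    """Return the matching member's name, or None if the knock matches nobody's expression."""
    vec = features(knock)
    best_name, best_dist = None, float("inf")
    for name, (mean, std) in group.items():
        if len(mean) != len(vec):
            continue  # wrong number of taps cannot match this template
        dist = math.sqrt(sum(((x - m) / s) ** 2 for x, m, s in zip(vec, mean, std)) / len(vec))
        if dist < best_dist:
            best_name, best_dist = name, dist
    return best_name if best_dist <= threshold else None

def make_knock(gaps, amps, jitter=0.0):
    """Constructed sample generator: taps at cumulative gaps, with a small per-sample jitter."""
    t, taps = 0.0, [(0.0, amps[0] + jitter)]
    for g, a in zip(gaps, amps[1:]):
        t += g + jitter
        taps.append((t, a + jitter))
    return taps

# Constructed data: one shared rhythm, two members who differ in timing and force.
JITTERS = [(i - 4.5) * 0.004 for i in range(ENROLL_SAMPLES)]
GROUP = {
    "alice": enroll([make_knock((0.22, 0.62), (1.8, 1.6, 2.0), j) for j in JITTERS]),
    "bob": enroll([make_knock((0.30, 0.55), (1.1, 1.2, 1.0), j) for j in JITTERS]),
}
```

An observer who reproduces only the nominal rhythm, for example `make_knock((0.25, 0.60), (1.5, 1.5, 1.5))`, falls outside both templates and `identify` returns `None`.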

You have to be registered, and the system must know each person’s unique expression of the knock.

Sauvik Das, Researcher, Human-Computer Interaction Institute, Carnegie Mellon University

Das says that Thumprint was not designed to protect anything high-stakes (e.g. a bank account); very dedicated adversaries may still be able to fool the system. Nevertheless, as group members use Thumprint for longer and longer periods of time, the system could obtain enough training data to use more sophisticated models and strengthen its ability to reject outsiders. 

“This study was proof-of-concept,” Das says. “Thumprint is the first exploration into the design space of what I call social cybersecurity systems. As we move towards an era of physically-embodied computing—IoT—security is increasingly starting to interfere with our social lives.”

Other authors on the study included HCII Ph.D. student Gierad Laput, HCII assistant professor Chris Harrison and HCII associate professor Jason Hong.