Skip the Password, Use "Secret Knock" Instead

Daniel TkacikMonday, June 26, 2017

In a recent study, a team of CMU researchers introduced "Thumprint," an authentication system that uses secret knocks to secure shared devices.

In the days of Prohibition, thirsty men and women used a secret knock to enter speakeasies. Occasionally, a nefarious sort who'd been rejected from the club would study the secret knock from afar and use it to gain admission.

Thanks to new research from Carnegie Mellon University's CyLab, secret knocks may be on their way to your shared online accounts. But this time around, machine learning will ensure that no unwanted onlookers use that knock to gain access to your information.

"You can imagine having a shared smart refrigerator, or a shared iPad," says Sauvik Das, a researcher in the Human-Computer Interaction Institute (HCII). "If you're using a shared password, the system's security doesn't know whether a person accessing the system should be, or if they somehow stole the password from someone associated with the account."

In a recent study, Das introduced "Thumprint," a group authentication system that uses shared secret knocks (and a play on "thump" and "print"). Das presented his work in May at the ACM Conference on Computer-Human Interaction (CHI) in Denver.

"You can't just give a random person your secret knock," Das said. "You have to be registered, and the system must know each person's unique expression of the knock."

When two or more people want to share a device — which must have a built-in accelerometer to detect the knock — they first have to agree on a secret knock that is no longer than three seconds. Then, each member of the group must administer the knock on the device 10 times so it can learn how each individual expresses the knock.

Unlike the Prohibition scenario, someone who studies the secret knock from afar cannot gain access to the system because the person's expression of the knock will not match any of the registered members.

Das says that Thumprint was not designed to protect anything with high stakes (e.g., a bank account), and that very dedicated adversaries could still fool the system. Nevertheless, as group members increasingly use Thumprint, the system could obtain enough training data to employ more sophisticated models and strengthen its ability to reject outsiders. 

"This study was proof-of-concept," Das said. "Thumprint is the first exploration into the design space of what I call social cybersecurity systems. As we move toward an era of physically embodied computing, security is increasingly starting to interfere with our social lives."

Other authors on the study included Ph.D. student Gierad Laput, assistant professor Chris Harrison and associate professor Jason Hong — all of the HCII.

For More Information

Byron Spice | 412-268-9068 | bspice@cs.cmu.edu