Contemplating Skill-Based Authentication

Renaud, K., Maguire, J. , van Niekerk, J. and Kennes, D. (2014) Contemplating Skill-Based Authentication. Africa Research Journal, 105(2), pp. 48-60.

Full text not currently available from Enlighten.

Publisher's URL:


Humans develop skills as they go through their lives: some are fairly common, such as reading, but others are developed to maximise employment opportunities. These skills develop over a long period of time and are much rarer. Here we consider whether we can exploit this reality in the security arena, specifically to achieve a stronger form of authentication. Authentication has traditionally been performed based on what users know, hold or are. The first is the most popular, in the form of the password. This is often referred to as “knowledge-based” authentication. Yet, rigorously following guidelines for password creation produces forgettable gibberish and nonsense strings, not knowledge. Nonsense is hard to remember and users engage in a number of coping strategies to ameliorate this, and these tend to weaken the authenticator. It would be beneficial to find a way of reducing this memorial load, to identify a more usable mechanism. This is hard: usually reducing the memorial load also makes the secret easier to guess. The challenge is in finding a way to reduce memory load while holding the line as far as strength is concerned. Here we contemplate exploiting recognition of artefacts resulting from experts practicing their craft: “skill-based” authentication. This should reduce the memorial load and effort, but also, crucially, make it harder for a random intruder to replicate. We report on how we trialled SNIPPET, a prototype of an authentication mechanism that relied on an expert programmer identifying his/her own code snippets from successive challenge sets. We found that our participants were all able to identify their own code snippets and that other participants were unable to guess these, even when they observed the legitimate person authenticating beforehand. These findings are not conclusive given the small number of participants but they do show promise and suggest that this is an area worth pursuing. We conclude by returning to the three NIST-identified forms of authentication and consider how SNIPPET can be positioned within the general authentication arena.

Item Type:Articles
Glasgow Author(s) Enlighten ID:Renaud, Professor Karen and Maguire, Dr Joseph
Authors: Renaud, K., Maguire, J., van Niekerk, J., and Kennes, D.
College/School:College of Science and Engineering > School of Computing Science
Research Group:Human-centred Security Research Group
Journal Name:Africa Research Journal
Publisher:South African Institute of Electrical Engineers

University Staff: Request a correction | Enlighten Editors: Update this record