
An academic creates a password-authentication model for the real world

Unless you boast a photographic memory or very good record keeping, it's a Herculean task to remember all of your passwords without some assistance. This even goes for a respected computer scientist like Chris Mitchell, who is a professor at Royal Holloway, University of London.

“We all have many, many logins, and we can't possibly remember good strong passwords for all these applications,” Mitchell says. “So, we either use the same password for everything, or write them all down – or both. And that's me included. It's not possible to remember 50 strong passwords.”

This year, Mitchell, with postgraduate researcher Haitham Al-Sinani, set out to address the weakness in the conventional password-based model. Their creation, called Uni-IDM (universal identity management), is a software-based tool that helps users manage the authentication process. Installed on a desktop, smartphone or tablet, Uni-IDM opens up a window any time a user attempts to log into a website and seeks to verify any site to which a user is sending an identity.

“This same window will show up every time you log into a site – you'd recognize it as your software intervening on your behalf – and this software will kind of take charge of the process that would normally involve browser redirects,” he says.

Mitchell introduced a working prototype in August and the commercial division of Royal Holloway is in discussions with several major technology companies over licensing it. Uni-IDM builds on what's been tried already – for example, it picks up some of the elements of Microsoft's failed CardSpace. It doesn't invent new methods of authentication, but instead provides the user a way of managing all of the authentication tactics already out there, such as Facebook's OAuth or Google's OpenID or regular passwords.

Chris Mitchell

Age: 60

Occupation: Professor of Computer Science

College: Royal Holloway, University of London

Accomplishments: Co-founded the Royal Holloway Information Security Group in 1990 and the M.Sc. in Information Security in 1992. Has written more than 200 refereed articles, edited more than 20 international standards, and successfully supervised nearly 30 Ph.D. students.

Mitchell offers a clarifying metaphor: “It's the Swiss pocket knife of the identity management world, with little gadgets for every identity management system.”

There is a populism to his undertaking. He sees authentication not as a technological problem but a business one. Sophisticated technology already exists, but save for financial institutions and the occasional employer, authentication tokens are not offered to users. Workers are instead left to their own security devices with dozens of passwords to remember.

Mitchell is well suited to work on this issue. In 1990, he arrived at Royal Holloway from HP Labs and helped create its Information Security Group. The college launched an M.Sc. in information security in 1992, which Mitchell believes was the first of its kind in the world. He began focusing on identity management systems and authentication 10 years ago. Uni-IDM came out of a newfound belief that computer scientists should find a way of delivering authentication protocols to end users in a single interface.

Mitchell admits that this is not exactly “headline news” in academia. Instead of radical departures or new technologies, it arises from a kind of old-fashioned problem-solving. “The student who worked on it with me did a huge amount of the legwork in figuring out how to make it work,” he says. “But I had to convince him that this was even something worth looking at, because it wasn't as attractive as starting with a blank sheet of paper.”

Uni-IDM also cuts down the effectiveness of phishing attacks. The software recognizes the websites the user has already visited and catalogs a kind of electronic ID card for each one. It flags any change in the credentials of those sites. The software must first “learn” which sites are real, however. If its first visit to a site is to a fake, it will remember the fake as the genuine one.
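As an added illustration, not Uni-IDM's own code (the article does not describe its internals), the trust-on-first-use behaviour described above modelled in Python: a per-site “ID card” is learned on first visit, a later change in what the site presents is flagged, and the caveat that a fake seen first is what gets remembered. Using a TLS certificate fingerprint as the site credential, and the hostname and certificate strings, are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for what a site presents at login (for a real site this
# would be its TLS certificate); nothing here is real site data.
REAL_CERT = "-----CONSTRUCTED CERT: bank.example genuine-----"
FAKE_CERT = "-----CONSTRUCTED CERT: bank.example impostor-----"


def fingerprint(cert: str) -> str:
    """Reduce a presented credential to a fixed-size identifier for the ID card."""
    return hashlib.sha256(cert.encode()).hexdigest()


@dataclass
class SiteIdentityStore:
    """Trust-on-first-use catalogue: one 'ID card' per site, keyed by hostname."""
    cards: dict = field(default_factory=dict)

    def check(self, host: str, presented_cert: str) -> str:
        fp = fingerprint(presented_cert)
        card = self.cards.get(host)
        if card is None:
            # First visit: learn whatever the site presents. Nothing here can
            # tell a genuine site from an impostor, which is the TOFU caveat.
            self.cards[host] = {"fingerprint": fp, "visits": 1}
            return "LEARNED"
        if card["fingerprint"] != fp:
            # Credential changed since it was learned: flag it and withhold
            # the user's identity rather than proceeding automatically.
            return "MISMATCH"
        card["visits"] += 1
        return "MATCH"


def good_first_visit() -> list:
    """Genuine site learned first, then an impostor presenting other credentials."""
    store = SiteIdentityStore()
    return [store.check("bank.example", REAL_CERT), store.check("bank.example", REAL_CERT),
            store.check("bank.example", FAKE_CERT)]


def poisoned_first_visit() -> list:
    """The caveat: the impostor is seen first, so the genuine site is what gets flagged."""
    store = SiteIdentityStore()
    return [store.check("bank.example", FAKE_CERT), store.check("bank.example", REAL_CERT)]


if __name__ == "__main__":
    print(good_first_visit())      # ['LEARNED', 'MATCH', 'MISMATCH']
    print(poisoned_first_visit())  # ['LEARNED', 'MISMATCH']
```

The second scenario is why such a tool needs a trustworthy first contact with each site: the catalogue faithfully detects change, but cannot tell whether what it first learned was genuine.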

Rick Chandler, a consultant in the wireless and mobile security industry, is working with Royal Holloway and Mitchell on commercializing the prototype. “It won't authenticate anything other than the appropriate site, so it provides extra protection against phishing,” he says. “I haven't seen anything that can do all that it does so simply.”

Chandler says two or three major technology companies are interested. Trials should get under way before year's end, with a projected spring launch. Where it might prove most beneficial is on smartphones, as more activity gravitates there, he says. After all, security and ease of use on these devices are just as important as on a computer – maybe even more so, since carrying around a notebook of passwords in your pocket is not realistic.

Mitchell is eager for Uni-IDM to reach a commercial audience instead of it fading into the academic graveyard of good ideas. He thinks those in the academic world should be thinking about how to devise technological solutions which are easier to adopt. “I'm not expecting the whole of academia to turn around and start thinking about products,” he says. “Nevertheless, if we in academia want our work to have a chance of affecting the real world, we have to think about how our ideas could be made into something people could use.” 

He pauses for a moment. “Maybe it comes around because I'm 60. I've seen things come and go.”
