Cryptanalysis of a Cognitive Authentication Scheme

Abstract:
We present attacks against two cognitive authentication schemes [W06] recently proposed at the 2006 IEEE Symposium on Security and Privacy. These authentication schemes are designed to be secure against eavesdropping attacks while relying only on human cognitive skills. They achieve authentication via challenge response protocols based on a shared secret set of pictures. Our attacks use a SAT solver to recover a user's key in a few seconds, after observing only a small number of successful logins. These attacks demonstrate that the authentication schemes of [W06] are not secure against an eavesdropping adversary.