The University of Surrey has developed an ‘all in one’ password system that will allow users to use their face, eyes or fingerprints – alongside or instead of word-based systems – on their work or home computers.
The researchers say this will allow users to generate much more complicated but still easy-to-remember passwords. This means that passwords will be harder to crack, because hackers will not only have to break the password, they will also have to work out the format and composition of the password itself. The new technology, named Pass∞ (pronouced PassInfinity), can be completely backward-compatible with computer systems, meaning it could be added to systems, according to the researchers.
Pass∞ has been invented by the Department of Computer Science’s Dr Shujun Li and his PhD student Miss Nouf Aljaffan. Their aim; to make it easier for organisations and service providers to make and maintain user authentication systems, and let users combine many authentication actions for proving their identities.
It will do so while preserving the overall user experience with text-based passwords, biometrics-based user authentication systems (such as face, iris, fingerprint based systems) and multi-factor user authentication systems.
One of the many features the product can offer, the researchers say, is user-friendly free combinations of multiple authentications such as entering normal passwords, styling some characters, selecting a picture, clicking some points on a picture, drawing something on a picture, showing your face in front of a webcam, and even adding the user’s current geo-locations.
Dr Shujun Li, a Deputy Director of Surrey Centre for Cyber Security (SCCS) and co-inventor of Pass∞, said: “This is definitely among the biggest ideas and the most exciting research work I have been working on at the University of Surrey for over five years. What makes the idea unique is the big contrast between the simplicity of the solution and how it solves many hard problems around passwords and user authentication in general. The new technology, which is in its final stages of development, will give both end users and organisations a simple and easy to use system that has great flexibility and agility to incorporate all known user authentication factors and many (if not all) known systems in a single framework and user interface.”
The inventors believe that Pass∞ has potential to increase security and the usability of passwords; as a much longer password can be generated from a shorter sequence of authentication actions which are easy to remember.
Pass∞ can be deployed at either server or client side. When implemented at the client side, for instance on users’ mobile phones or personal computers, it can be developed as a “password manager” and/or a web browser extension, thus allowing it to work with any remote servers. When it is deployed at the server side, the server can provide more options to end users, eg., allow them to decide what biometric authentication actions (face, fingerprints, speech, iris, etc) to choose and how to combine them.
The University of Surrey has filed a patent application. The Pass∞ team at the University of Surrey, with tech transfer specialists Crossword Cybersecurity plc, is conducting some market research and keen to hear about the public’s feedback on the project; visit www.passinfinity.com. The market research is funded by the Department for Culture, Media & Sport (DCMS) and the Innovate UK through the SETsquared Partnership’s Cyber Security ICURe (Innovation to Commercialisation of University Research) Programme.