Chris
Harrison

Thumprint: Socially-Inclusive Group Authentication Through Secret Knocks

Authentication is important for any secure system, but is typically designed for individuals with privately owned resources and a strong desire to protect them (e.g., bank statements, emails). This focus, while important, has resulted in authentication tools (e.g., PINs, biometrics) that are often inappropriate for a large spectrum of small, local groups who have relaxed security needs and collectively share accounts, devices and/or spaces, for example, families who share tablets with children. Shared passwords and PINs do not allow for parental controls, whereas requiring individual passwords for each family member is unwieldy and often subverted.

Another example is interest-based organizations that share equipment (e.g., a tennis club). Each group member should have access to this shared equipment, but group members often change so using a shared password or key can make it difficult to revoke access from old members. Conversely, use of individual secrets to access group resources can be socially inappropriate or rude. Similar situations arise with, for example, employees who share kitchenettes, waitstaff who share access to employee-only areas, and roommates who share a Netflix account. While these group-owned resources should only be accessible by members, individuals in the group trust each other and only need enough security to discourage casual outsiders. Thus, these diverse groups could benefit from a new form of socially-inclusive authentication that provides reasonable outsider rejection and can identify group members without individual secrets.

To that end, we introduce Thumprint: group authentication through shared secret knocks. Secret knocks were famously used by Prohibition-era speakeasies to authenticate prospective bar patrons when sale of alcohol was prohibited in the United States. As they are secrets shared through trusted social channels, they not only authenticate, but also promote group cohesion. Our idea with Thumprint (a portmanteau of “thump” and “print”) was to leverage advancements in sensing to realize a secret knock authenticator.

In brief, Thumprint authenticates groups based on group members’ expression of a shared, three-second knock on a surface instrumented with (or containing) an accelerometer and microphone. As the secret knock is shared, group members need not maintain their own individual secrets. However, because individual expressions of the knock are variable, Thumprint can still identify individuals. Current members can safely share the secret with new members, but as individuals are identifiable, previous members can have their access revoked or limited. Notably, Thumprint is not designed to provide perfect security—it is designed to be lightweight and inclusive.

Download

Reference

Das, S., Laput, G., Harrison, C. and Hong, J. 2017. Thumprint: Socially-Inclusive Local Group Authentication Through Shared Secret Knocks. In Proceedings of the 35th Annual SIGCHI Conference on Human Factors in Computing Systems (Denver, Colorado, USA, May 6 - 11, 2017). CHI '17. ACM, New York, NY. 3764-3774.

© Chris Harrison