I petered out of enrolling in the nimbusid demo, partly because it was work, 
and partly because I did not want to give up private info about myself, or 
bother inventing reproducible fiction.


Probably the best way to understand it is the video on the main page, "What is 
NimbusID?"


www.nimbusid.com/video/Promo-720.mp4

You basically tell them about parts of your life -- places and people, and 
things.  This creates a tuple: (someone's name, location, relationship, 
occupation).  The login challenge is that they present you with a few 
alternatives one after another. E.g., they present you with a few names. You 
choose the one you recognize.  Then they present you with a few locations. Etc. 
If you make your way through the tree and nail the original tuple in the 
cross-product, you are authenticated. At least I think this is what they do.


To deal with the limited amount of password space being reused, they say: "the 
system will periodically collect new information from the user", and "this 
information is recycled as noise information for other users".

A few observations:

One notes that being asked periodically for new information could be tedious.

Also, the problems with personal information (and also biometrics) are 
well-known. True stuff about yourself can be learned by someone else, and then 
used, if it is a credential. The stuff also can be stolen if entrusted to a 
database somewhere, and unlike a password, can't be changed.

To make realistic false data that is hard for an attacker to distinguish from 
the true data, they recycle other people's data. Presumably they change it a 
bit... But even so, a small amount of statistical information leaks.


There are plenty of knowledge-based authentication systems. These guys seem to 
have a sequence of questions where each subsequent question depends on the 
former. Most KBA involves independent Q-A pairs. If I have understood nimbus 
then they may have indeed taken a new tack. But it's not trivial to put 
probabilities on attacks. On the one hand, if an attacker guesses wrongly on the 
first question, then she wastes her time on meaningless subsequent questions. 
On the other, if she has guessed wrongly on the first, then the fake subsequent 
data might alert her early on and allow her to break each part of the tuple 
independently.

M
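The two attacker models discussed above (blind enumeration of the cross-product versus an attacker who notices the fake follow-up data and aborts early) can be made concrete with a small simulation. This is an added example, not NimbusID's code; the field names, the number of alternatives per step, the sample data, and the rule that a wrong pick leads to decoy-only alternatives are all assumptions reconstructed from the description in the post. The "early-abort" attacker is given an oracle that knows which branch is noise, so it is the best case for the attacker, standing in for whatever statistical tell the recycled data might carry.

```python
import itertools
import random

# Hypothetical model of the sequential tuple challenge described in the post.
# Not NimbusID code; FIELDS, WIDTH and the sample data are assumptions.

FIELDS = ("name", "location", "relationship", "occupation")
WIDTH = 4  # alternatives shown at each step (assumed)

# Constructed sample data standing in for "recycled" values of other users.
NOISE_POOL = {
    "name": ["Ada", "Bjorn", "Chandra", "Dolores", "Eitan", "Farida", "Grzegorz", "Hiroko"],
    "location": ["Tromso", "Lagos", "Quito", "Pune", "Lyon", "Perth", "Kyiv", "Oaxaca"],
    "relationship": ["cousin", "landlord", "coach", "neighbour", "dentist", "roommate", "boss", "in-law"],
    "occupation": ["welder", "actuary", "florist", "pilot", "notary", "brewer", "surveyor", "cellist"],
}
SECRET = ("Chandra", "Lyon", "coach", "notary")


class TupleChallenge:
    """Server side of the modelled scheme: the secret is one value per field.

    Alternatives are fixed per user at enrolment (assumption): if decoys were
    re-drawn on every login, the real value, the only one present in every
    session, could be picked out by intersecting two sessions' option lists."""

    def __init__(self, secret, noise_pool, rng):
        self.secret = dict(zip(FIELDS, secret))
        self.on_track = {}  # shown while every earlier pick was right: decoys + real
        self.noise = {}     # shown after a wrong pick: decoys only
        for f in FIELDS:
            decoys = [v for v in noise_pool[f] if v != self.secret[f]]
            opts = rng.sample(decoys, WIDTH - 1) + [self.secret[f]]
            rng.shuffle(opts)
            self.on_track[f] = opts
            self.noise[f] = rng.sample(decoys, WIDTH)

    def options(self, step, prior_picks):
        """Alternatives displayed at `step`, given the picks made so far."""
        on_track = all(self.secret[f] == p for f, p in zip(FIELDS, prior_picks))
        f = FIELDS[step]
        return list(self.on_track[f] if on_track else self.noise[f])

    def login(self, picks):
        """Verdict at the end of a session: True iff every pick was the real value."""
        return list(picks) == [self.secret[f] for f in FIELDS]


def blind_attack(server):
    """Attacker who cannot tell the branches apart: enumerates one index per
    step over the WIDTH alternatives, one login session per full walk.
    Returns sessions used; worst case WIDTH ** depth."""
    depth = len(FIELDS)
    for sessions, idx in enumerate(itertools.product(range(WIDTH), repeat=depth), 1):
        picks = []
        for step, i in enumerate(idx):
            picks.append(server.options(step, picks)[i])
        if server.login(picks):
            return sessions
    raise RuntimeError("real tuple not reachable: model is inconsistent")


def early_abort_attack(server, looks_like_noise):
    """Attacker who can recognise the fake follow-up data, as the post speculates:
    looks_like_noise(step, options) says whether the alternatives at `step` come
    from the noise branch. She aborts as soon as a pick is exposed and so breaks
    each field on its own. Returns sessions used; worst case depth*(WIDTH-1)+1."""
    depth = len(FIELDS)
    sessions = 0
    confirmed = []                      # prefix the distinguisher has vouched for
    rejected = [set() for _ in FIELDS]  # alternatives ruled out at each step
    while True:
        sessions += 1
        picks = list(confirmed)
        for step in range(len(confirmed), depth):
            cand = next(o for o in server.options(step, picks) if o not in rejected[step])
            picks.append(cand)
            if step + 1 < depth and looks_like_noise(step + 1, server.options(step + 1, picks)):
                rejected[step].add(cand)   # exposed: abandon this session here
                break
            confirmed = list(picks)        # still plausible: keep this prefix
        else:
            if server.login(picks):        # walked to the end: server's verdict
                return sessions
            rejected[depth - 1].add(picks[-1])
            confirmed = picks[:-1]


def make_demo_server(seed=0):
    return TupleChallenge(SECRET, NOISE_POOL, random.Random(seed))


if __name__ == "__main__":
    srv = make_demo_server()
    # Best case for the attacker: an oracle that knows which branch is noise.
    oracle = lambda step, opts: srv.secret[FIELDS[step]] not in opts
    print("blind attacker sessions:      ", blind_attack(srv), "(max", WIDTH ** len(FIELDS), ")")
    print("early-abort attacker sessions:", early_abort_attack(srv, oracle),
          "(max", len(FIELDS) * (WIDTH - 1) + 1, ")")
```

With four fields and four alternatives per step, the blind attacker faces up to 4^4 = 256 sessions, while an attacker with a reliable distinguisher needs at most 4 * 3 + 1 = 13; the gap between those two bounds is exactly the uncertainty the post points at, and it hinges on how well the recycled noise resists being told apart from the user's own branch.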


--------previous posts--------


>> Prior to subsequent logins, the user also predefines the sequence or
> pattern criteria for selecting the objects positioned on the GUI, and
> sequentially inputting the text associated with each. By employing this
> pattern, and visually determining the objects, a number of which
> sequentially correspond to the user-known pattern displayed on the GUI, an
> authentication password is determined. The password is input by the user
> typing the corresponding dynamic word string defined by the user's
> pre-defined words which are associated with the viewed objects in that
> particular sequence.
>
> From what I can surmise the user assigns a password with a picture, so when the
> picture shows up, the user inputs the password.

I couldn't figure out how their system works just from attempting to
login to the demo as "test", but this sounds quite a bit like my
favorite password system, which I encountered doing a CUPS Lab study on
mechanical turk about four years ago.  I've never seen any mention of it
since (and have looked a few times) so it may have turned out to not
work well with users and they dropped it right away, but it worked like
this: the system displays a grid of numbers where the numbers in each
position are randomized and the thing you remember is the pattern but
the thing you type is the numbers.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
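The "remember the pattern, type the numbers" scheme recalled in the last message, as an added example that is not the CUPS Lab system's code. The 5x5 grid, the four-cell pattern and the decimal digit alphabet are assumptions. Besides the honest login it includes an eavesdropper's view, which shows why such schemes resist a single shoulder-surfed login but not several: each observed (grid, typed digits) pair narrows every pattern position to the cells that showed that digit.

```python
import hmac
import itertools
import random

# Hypothetical parameters, not those of the study mentioned in the post.
ROWS, COLS, PATTERN_LEN = 5, 5, 4
CELLS = ROWS * COLS


def new_grid(rng):
    """Fresh challenge: one random digit per cell, row-major."""
    return [rng.randrange(10) for _ in range(CELLS)]


def response_for(grid, pattern):
    """What the user types: the digits sitting on the pattern's cells, in order."""
    return "".join(str(grid[c]) for c in pattern)


def verify(grid, pattern, typed):
    """Server-side check. The server must hold the pattern itself (it needs it
    to compute the expected digits), so unlike a password it cannot be stored
    as a one-way hash."""
    if len(typed) != PATTERN_LEN or any(ch not in "0123456789" for ch in typed):
        return False
    return hmac.compare_digest(response_for(grid, pattern), typed)


def consistent_patterns(observations):
    """Eavesdropper's view: every (grid, typed) pair seen over the shoulder or on
    the wire restricts each pattern position to the cells that showed that digit.
    Returns all patterns of distinct cells still consistent with the observations."""
    per_pos = [set(range(CELLS)) for _ in range(PATTERN_LEN)]
    for grid, typed in observations:
        for j, ch in enumerate(typed):
            per_pos[j] &= {c for c in range(CELLS) if grid[c] == int(ch)}
    return [p for p in itertools.product(*per_pos) if len(set(p)) == PATTERN_LEN]


def show(grid):
    """Render the grid the way the user would see it."""
    return "\n".join(" ".join(str(d) for d in grid[r * COLS:(r + 1) * COLS])
                     for r in range(ROWS))


if __name__ == "__main__":
    rng = random.Random(7)
    pattern = (3, 11, 18, 24)  # constructed secret: cell indices in row-major order
    seen = []
    for session in range(1, 5):
        grid = new_grid(rng)
        typed = response_for(grid, pattern)
        assert verify(grid, pattern, typed)
        seen.append((grid, typed))
        print(f"session {session}: typed {typed}, "
              f"patterns still consistent: {len(consistent_patterns(seen))}")
    print(show(grid))
```

The candidate count drops by roughly a factor of ten per position with every observed session, so a few captured logins pin the pattern down; the randomized grid protects against replay of one typed response, not against an observer who sees the grid as well.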
