Enhanced Tacit Secrets


We explore the feasibility of Tacit Secrets: system-assigned pass- words that you can remember, but cannot write down or otherwise commu- nicate. We design an approach to creating Tacit Secrets based on Contextual Cueing, an implicit learning method previously studied in the cognitive psy- chology literature. Our feasibility study indicates that our approach has strong security properties: resistance to brute-force attacks, online attacks, phishing attacks, some coercion attacks, and targeted impersonation attacks. It also offers protection against leaks from other verifers as the secrets are system- assigned. Our approach also has some interesting usability properties, a high login success rate, and low false positive rates. We explore enhancements to our approach and find that incorporating eye tracking data offers substantial improvements. We also explore the trade-offs of different confgurations of our design and provide insight into valuable directions for future work.

International Journal of Information Security