DocumentCode :
173778
Title :
Mindmetrics: Identifying users without their login IDs
Author :
Juyeon Jo ; Yoohwan Kim ; Sungchul Lee
Author_Institution :
Dept. of Comput. Sci., Univ. of Nevada, Las Vegas, NV, USA
fYear :
2014
fDate :
5-8 Oct. 2014
Firstpage :
2121
Lastpage :
2126
Abstract :
Authentication to a computing system is composed of two parts, identification and verification. Traditionally, login IDs have been used for identification and passwords for verification. Many schemes have been proposed to improve both parts, but they may require specialized devices or they may not always be reliable. We propose a method that can augment the current password-based system by strengthening the identification process. It utilizes personal secret data instead of a login ID to identify a user uniquely, hence mindmetrics. It then asks the user to choose the correct login ID among multiple choices of partially obscured IDs. Since it does not accept a login ID during the authentication process, a stolen or cracked password cannot be used for gaining access to the computing system unless the attacker provides the correct identification material, i.e., a mindmetrics token. This additional step raises the security of an authentication system considerably over single or double password systems. Since stolen passwords cannot be used immediately by the attackers, account holders have extra time to change their passwords before the attackers gain access. This scheme does not require any specialized hardware and can be implemented easily. It may be used where biometrics schemes cannot be used cost-effectively, e.g., on public e-commerce web sites. The mindmetrics scheme separates the identification server and the verification server, thus it is scalable to a large system. We implemented a proof-of-concept system and evaluated it with test users. The survey indicates that the system is not as intrusive as other schemes, users feel better protected, and they are willing to use the scheme on public web sites.
Keywords :
identification; message authentication; authentication process; identification process; identification server; login ID; mindmetrics; password-based system; personal secret data; verification server; Authentication; Biometrics (access control); Companies; Hardware; Indexes; Servers; Cybersecurity; authentication; identification; password;
fLanguage :
English
Publisher :
IEEE
Conference_Title :
Systems, Man and Cybernetics (SMC), 2014 IEEE International Conference on
Conference_Location :
San Diego, CA
Type :
conf
DOI :
10.1109/SMC.2014.6974235
Filename :
6974235