Dustin Decker

Cognitive Passwords – What Are They?

These have become extremely common, especially in e-commerce and online banking.  Typically, a site asks you a question such as “What is your mother’s maiden name?” and records your answer.  At a later point in time, if you need to change your password or if you are accessing its system from a computer it doesn’t recognize, it asks the questions again. You must provide the correct answer.

The problem with cognitive passwords is that other people know the answers to these types of questions.  For many people, there is only one person they don’t want in their bank account but who can answer every cognitive password correctly – specifically their ex-spouse.  In another example, if you stand on your back porch and call your dog do you think your neighbor knows your pet’s name?

The answers you provide to cognitive passwords do not have to be accurate.  You just have to remember them.  And boy howdy if you haven’t suffered the agony of forgetting the correct answers for an account you can no longer access, you’re doing it right. For a number of years, I’ve used characters from favorite childhood cartoons (and no, I don’t answer random questions about my favorite childhood cartoons on social media polls or quizzes) that would otherwise have absolutely no known association with me, the individual human being, being identified and authenticated or reauthenticated.

Another really simple analogy for these cognitive passwords is the classic “Safe Word”.  Settle down now, I’m talking about that conversation you have with your children when they reach an appropriate age, wherein you agree upon a safe word or phrase that any stranger the child has never met must repeat if they are to be trusted on behalf of the parent in an emergency situation.

A Deeper Technical Examination:

Cognitive passwords are a type of authentication method that relies on the use of cognitive tasks or challenges to verify a user’s identity. Unlike traditional alphanumeric passwords, which are based on a combination of characters, cognitive passwords tap into a user’s unique cognitive abilities, such as memory, pattern recognition, and problem-solving skills, to authenticate their identity.

The concept behind cognitive passwords stems from the recognition that traditional passwords have several limitations. Alphanumeric passwords are often weak and susceptible to various security threats, including brute-force attacks, dictionary attacks, and password guessing. Moreover, users tend to create weak passwords or reuse the same passwords across multiple accounts, further compromising security. Cognitive passwords aim to address these limitations by introducing a more secure and user-friendly authentication mechanism.

In cognitive password systems, users are presented with a series of cognitive tasks or challenges that they must successfully complete to gain access to their accounts. These tasks can vary widely and are designed to be difficult for automated systems or attackers to solve but relatively straightforward for legitimate users.

Some common examples of cognitive tasks used in cognitive password systems include:

  1. Image Recognition: Users are presented with a set of images and asked to identify specific objects, patterns, or characters within them. For instance, they might be shown a grid of images and asked to select all the images containing cars or traffic signs.
  2. Sequence Recall: Users are given a sequence of numbers, letters, or symbols and asked to recall and reproduce the sequence accurately. The length and complexity of the sequence can be adjusted to suit the desired security level.
  3. Pattern Completion: Users are presented with a partial pattern or sequence and asked to identify the missing elements or complete the pattern based on provided clues. This task tests a user’s pattern recognition and problem-solving abilities.
  4. Spatial Reasoning: Users are given a spatial arrangement of objects or shapes and asked to identify specific properties, relationships, or transformations within the arrangement. This task assesses a user’s spatial reasoning skills.

The cognitive password system evaluates the user’s responses to these challenges and compares them to the expected answers stored during the enrollment process. If the user’s responses match the expected answers within an acceptable tolerance level, access is granted.

One of the advantages of cognitive passwords is their resistance to common password attacks. Since the challenges are unique and based on cognitive abilities, they are difficult for automated systems to solve without human-like intelligence. Additionally, cognitive passwords can be more user-friendly than traditional passwords since they leverage innate cognitive skills and do not require the memorization of complex character combinations.

However, cognitive passwords also have their limitations. Some users may find certain cognitive tasks challenging, leading to frustration or difficulties in accessing their accounts. Moreover, the system’s accuracy heavily relies on the design of the cognitive challenges and the robustness of the underlying algorithms. If the challenges are too easy or predictable, they may be vulnerable to attacks. Conversely, if the challenges are too difficult, legitimate users may struggle to pass them.

To enhance security, cognitive passwords can be combined with other authentication factors such as biometrics (e.g., fingerprint or facial recognition) or traditional passwords to create multi-factor authentication systems, further increasing the overall security and reliability of the authentication process.

In conclusion, cognitive passwords provide an alternative approach to traditional alphanumeric passwords by leveraging cognitive tasks or challenges to authenticate users. While they offer increased security and user-friendliness, the design and implementation of cognitive password systems require careful consideration to strike a balance between usability and robustness against attacks.