Pass∞ (Pronouced PassInfinity)
Pass∞ is an innovative (patent-pending) technology developed by researchers at the Department of Computer Science and Surrey Centre for Cyber Security (SCCS), University of Surrey, UK. (Read University of Surrey's press release on 15 February 2017.) It is currently being jointly exploited by the University of Kent and the University of Surrey because the main co-inventor, Shujun Li, has left the University of Surrey to join the University of Kent in November 2017.
Pass∞ goes beyond passwords and multi-factor authentication, enabling all organisations and computing service providers to provide user-centric combinations of diverse authentication actions by adding reconfigurable add-ons without changing their existing systems.
Comparing with other solutions supporting multiple user authentication schemes and factors, Pass∞ is an "all in one", highly reconfigurable and scalable, back-compatible, user-friendly framework for user authentication. All other solutions we know are collections of different user authentication modules working independently possibly with an interface to allow multi-step or multi-channel authentication by merging the independent user authentication results.
Pass∞ allows user-driven free combinations of different user authentication schemes covering all three factors (what you know, what you have, and who you are) and the 4th factor (context e.g. where you are), without requiring any or minimum changes to the server side if the traditional textual password-based user authentication is already supported (which is the case for almost all if not all systems).
No other existing solutions can allow free combinations of more than two completely different user authentication schemes/factors, but Pass∞ allows this to be done for as many schemes/factors by the server and/or by users themselves (in the latter case the server will simply provide what user authentication scheme/factors can be selected by users). Pass∞ allows much more complicated but also more flexible password policies while covering any existing password policies in use.
We have developed two prototype systems (one web-based application and one Android app) to demonstrate how different password systems ("what you know" factor) can be freely combined by users and how Pass∞ can work with traditional textual password system. We have developed methods for incorporating other authentication factors and more authentication schemes, and plan to extend our prototype system to cover more. Currently we are incorporating a biometric module into the prototype systems, and conducting a usability and security evaluation of the prototype systems.
We're currently doing market analysis and product validation for Pass∞. We would love to know
- Your views on passwords
- The problems you and your company's experience with current user authentication systems
- What you view as the key problems occurring with multi-factor authentication today
Pass∞ is being commercialised by the University of Surrey via a partnership with Crossword Cybersecurity plc, a technology transfer company focusing on bringing university research in cyber security to the market.
Dr Shujun Li's work on Pass∞ is partly supported by his research project "COMMANDO-HUMANS: COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity", funded by the EPSRC (Engineering and Physical Sciences Research Council) (EP/N020111/1). Miss Nouf Aljaffan's work is supported by a PhD scholarship from the King Saud University, Kingdom of Saudi Arabia.
The commercialisation activities are partly funded by the Department for Culture, Media & Sport (DCMS) and the Innovate UK through the SETsquared Partnership's Cyber Security ICURe (Innovation to Commercialisation of University Research) Programme.
The team has secured funding from University of Surrey's EPSRC Impact Acceleration Account (IAA) to develop the technology into the next stage.