Visual Memory: A New Cyber Security Approach for Insurance and Beyond

A striking characteristic of human memory is that pictures are remembered better than words; it’s time to use this characteristic to implement more secure authentication methods that don’t trade ease-of-use for security.

(Users of visual memory authentication are directed to click on and memorize a point on an image. A sample point is indicated in this instance by the red arrow. See detail below in body of article.)

Technology is an integral part of modern homes and businesses. Most networked personal devices and business systems host sensitive information which acts as a magnet for hackers and cybercriminals. Devices such as smartphones, TVs, appliances, iPads, networked PCs, sensors, POS terminals, etc., fall in this category. The majority of large insurance carriers provide some sort of cybersecurity insurance, whether as part of the homeowners' or business owners' insurance policy. The problem is that there has been little advancement in technology to thwart such cyberattacks. There aren't many affordable, user-friendly tools that can be used by homeowners or small business owners to keep their sensitive information safe. A new approach to authentication based on visual memory is introduced here. This approach, for the first time, blends enhanced security and ease of use together in one seamless authentication experience.

The COVID-19 pandemic has had a huge impact on our society. The frequency and severity of cyberattacks have gone up in the past year, resulting in increased cyber insurance claims. In 2020, companies moved to remote work for their employees but were not well prepared to monitor and handle cyber threats. Things like insecure remote access, weak passwords, exposed home networks, and misuse of personal devices became common practice. Furthermore, the use of streaming devices, connected appliances, and multiple PCs, along with increased e-commerce at home, created a perfect recipe for significant cyber exposure. New types and levels of online behavior adopted during the pandemic are predicted to continue long after COVID-19. As a result, the impact on cyber insurance, both personal and commercial, will be significant. According to S&P, the cybersecurity insurance market, currently about $5B annually, is expected to grow an average of 20 percent to 30 percent a year for the next several years. The continual development of and reliance on technology such as IoT will lead to increased exposure to cyber risk. The cyber insurance industry is starting to see a heavier focus on underwriting. It has started adding exclusions and restrictions to mitigate exposures.

Passwords: The Greatest Vulnerability

The problem in the cyber risk space is the lag in innovation in the tools to keep personal information such as passwords, credit cards, and emails secure, especially for homeowners and small businesses. With the advent of the IoT revolution, the problem has been compounded. What was originally a problem of keeping your email password safe has now morphed into how to secure your connected smart TV, refrigerator, various smart locks, speakers, and more. The OWASP (Open Web Application Security Project) IoT project, in its latest report in 2018, identified weak, guessable, or hard-coded passwords as the top threat in its list of top things to avoid when deploying IoT applications.

Most cybersecurity experts advise setting long, difficult passwords to safeguard devices. While this is good advice, most people find it hard to follow. The advice is, of course, harder to follow while keeping track of multiple credentials. Users often choose a single, easy-to-guess and easy-to-type password for all their devices or leave these devices wide open with the vendor’s default passwords.

A better solution is needed to help users manage their credentials. All the vault products available today require a password of their own to operate. Instead of solving the problem, this only makes it worse: there is yet another credential to secure on top of everything else. Wouldn't it be better if a vault could be built that did not need another password to access it?

Visual Memory: A New Approach

Detail of main illustration, showing the red arrow indicating where the user should click.

All authentication methods today rely on users remembering complex words and symbols. This reliance on words and symbols leads to what we can call "proportional" security: the security afforded to you is proportional to how long and complex a password you can remember and type. So, as the security increases, the ease of use decreases. This observation is valid for 2FA (two-factor authentication) as well. It is with this aspect of security that visual memory can come to our aid. A striking characteristic of human memory is that pictures are remembered better than words (see "Neural correlates of the episodic encoding of pictures and words," by Cheryl L. Grady, Anthony R. McIntosh, M. Natasha Rajah, and Fergus I. M. Craik, in PNAS). It would be better if an authentication system utilized this aspect of human memory to allow users to authenticate with clicks instead of typing.

This approach could have users remember a set of images and a location on each image. During authentication, the system could present a subset of the images to the user and challenge the user to click on the registered locations. The images could be shuffled at each attempt. This changes the password at each attempt, saving the user from shoulder-surfing attacks. Additionally, the system could also be programmed to present a different number of images at each attempt. This allows the difficulty of authentication to be changed as needed.

Stronger AND Easier to Use

An image-protected vault will be more secure and easier to use than a password- or 2FA-based system. It will not follow the proportional security model defined earlier. Here, the system will decide how difficult a password is needed to log in. In this model, the most difficult password will be effectively unhackable.

Password entropy, measured in bits, is a measure of the unpredictability of a password, which is itself a measure of its strength. Entropy in the range of 35 to 60 is considered reasonably secure. Most companies and networks target this range. An eight-character strong password (containing lower-case and capital letters, numbers, and special characters) has an entropy of 52. By one estimate, a password created with three images (out of a set of 16) would have an entropy of 90. Six images (out of a set of 16) would support an entropy of 141. This is higher than 128, the widely accepted threshold of excessive entropy for passwords. For comparison, 138 is the entropy of a 21-character strong password.
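As an added illustration of the registration, shuffled-challenge and verification flow described above, together with a simple entropy model for it (example code written for this article, not Newauth's or the author's implementation): the image size, click tolerance, cell-based matching, keyed hashing and the "equally likely cells" entropy model are all assumptions of this example, not figures from the article.

```python
import hashlib, hmac, math, secrets

# Constructed parameters (assumptions for this example, not from the article):
# image size in pixels and click tolerance. A click is accepted when it lands in
# the same TOLERANCE x TOLERANCE cell as the registered point.
IMAGE_W, IMAGE_H, TOLERANCE = 640, 480, 20
CELLS_PER_IMAGE = (IMAGE_W // TOLERANCE) * (IMAGE_H // TOLERANCE)  # 32 * 24 = 768

def cell_of(x, y):
    """Map a pixel click to the index of its tolerance cell."""
    return (y // TOLERANCE) * (IMAGE_W // TOLERANCE) + (x // TOLERANCE)

def _tag(server_key, image_id, cell):
    """Keyed hash of (image, cell); the key stays server-side so a copied store
    cannot be brute-forced offline over the small cell space."""
    return hmac.new(server_key, f"{image_id}:{cell}".encode(), hashlib.sha256).digest()

def register(server_key, points):
    """points: {image_id: (x, y)} chosen by the user; only keyed hashes of the
    cells are stored, never the raw click locations."""
    return {img: _tag(server_key, img, cell_of(x, y)) for img, (x, y) in points.items()}

def challenge(store, k):
    """Pick k registered images in random order, so the click sequence differs
    on every attempt and k can be raised to make login harder."""
    ids, picked = list(store), []
    for _ in range(k):
        picked.append(ids.pop(secrets.randbelow(len(ids))))
    return picked

def verify(store, server_key, shown, clicks):
    """shown: ids from challenge(); clicks: [(x, y)] in the same order. Every
    image is checked and the loop never exits early, so a wrong first click
    costs the same time as a wrong last one."""
    if len(clicks) != len(shown):
        return False
    ok = True
    for img, (x, y) in zip(shown, clicks):
        expected = store.get(img)
        got = _tag(server_key, img, cell_of(x, y))
        if expected is None or not hmac.compare_digest(expected, got):
            ok = False
    return ok

def guess_entropy_bits(k, cells=CELLS_PER_IMAGE):
    """Bits an attacker who sees the k images must guess per attempt, under the
    model (an assumption here) that every cell is equally likely: k * log2(cells).
    Raising k adds bits linearly; shrinking TOLERANCE adds them logarithmically."""
    return k * math.log2(cells)
```

Under this model the bits per attempt depend on both the number of images shown and the click tolerance, which is why a deployment that wants the article's "adjustable difficulty" has to fix the tolerance before it can reason about how many images to present.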

We have seen that the image-based system is highly secure even as it is much easier to use. It removes the need for the user to remember long, complex passwords. Here, the user utilizes his visual memory, which is associated with better and more durable recall. Also, instead of typing, the user simply clicks—which reduces errors that require reentry.

In a 2019 paper titled “Hearing Your Touch: A New Acoustic Side-Channel on Smartphones,” researchers from the U.K. and Sweden designed malware that can exploit a smartphone’s microphone to steal the device’s passwords and codes. They claimed that their attack can detect what users type on their touch-screen devices.

Interestingly, this attack will also not succeed against the new image-based system. The user’s recorded touch or click gestures will be useless for the next attempt.

With the advent of IoT and BYOD (Bring Your Own Device) revolutions, the number of devices operating on behalf of a user is expected to grow. Along with that will grow the need to secure these devices with strong passwords. All the present authentication systems trade ease-of-use for security. That causes the users to cut corners with security, leading to risky and costly hacking incidents. It is time we provided our users with the tools which do not present this trade-off. It is time we moved away from the proportional security model. That is the only practical way to reduce cyber risk.


Rajul Johri // Rajul Johri is a software engineer with wide-ranging experience with large financial institutions. He is the author of multiple patents in the visual memory authentication field. He is also the inventor of Newauth, an implementation of the ideas presented earlier. Readers can access Newauth at You can also follow Newauth on Twitter @newauth.
