cognitive identification

Cognitive Identification: The Solution to Weaknesses in Passwords, Biometrics and Two-Factor Models

The title may have caught your attention. After all, I’m implying that passwords, biometrics and two- factor (2F) security models are inherently flawed. Well, they are.


The Problem with Static Credentials

The key is to understand WHAT passwords and 2F actually verify. Basically, all passwords are static credentials that provide ACCESS assurance, not IDENTITY assurance. Understand the difference.

Anyone with your password can access whatever that password protects. Anyone looking over your shoulder, active keyloggers, and even well-meaning colleagues can put holes in your security environment in seconds.

2F strategies, contrary to many vendors’ marketing claims, are also based on static credentials, and therefore only assure ACCESS, not identity. Anyone in possession of a keycard and your password/PIN will be granted access, without actually verifying their identity.

As an example, take your ATM card. Technically, it is 2F, because at the ATM you need both the physical card and the PIN. As long as I have both of those “static credentials” I have access, regardless of who I am.

Biometrics was supposed to solve these issues by limiting access to individuals based on difficult-to-copy credentials tied to complex physical traits like fingerprints and iris scans. However, despite their complexity, these supposedly “identifying” traits are easily copied in a digital world as they are simply static credentials.

Once again, passwords, biometrics, and 2F do not GUARANTEE identity. They just grant access. Access is granted based on “what you possess” not “who you are.”


What is Cognitive Identification?

Cognitive Identification (CogID) solves this problem by eliminating static credentials. CogID operates on HOW we think, not what we KNOW. It taps into the complex relationships we create between seemingly unrelated events, people, and things in our life.

As an example, let’s take an imaginary, yet possible experience in my life:

“I took a cruise to Jamaica last year. On the cruise, my cabin steward was named Yuri. He folded our towels into cute animal shapes. My favorite was the elephant. While on the cruise, we had an amazing chocolate buffet one night. One chef had carved a beautiful mermaid out of chocolate. I got a piece of the fin LOL!”

That story has all the ingredients I need to implement a cognitive identification test. Step 1 is to pick out some “recognition objects.” In the cognitive ID world, a recognition object is a combination of a focus object and an attribute. For example, a focus object might be “cruise.” Because of my memories, I have linked numerous attributes to this focus object.

When I think of “cruise,” I now automatically think of Yuri, mermaids, chocolate, Jamaica, and elephants. Someone without my experiences will not have made those mental links between those attributes and the focus object.

A good cognitive system will parse a paragraph (like the cruise story above) and create these focus objects and their attributes automatically. I would then enter quite a few more recognition objects comprising multiple focus objects having multiple attributes.


The Cognitive ID Login Process

When it is time to log in, the CogID system will randomly pick one of my focus objects. The system will surround it in a number of fake or false focus objects. Below, the system will list a number of attributes. Only ONE of them will connect with only ONE of the focus objects.

A user scans the four or five recognition objects and immediately spots the legitimate one. They then look at the list of possible attributes and click the only one that is linked to their focus object.

To illustrate, during my login, the system might present me with the following focus objects: Bed, Arkansas, Cruise, Lemonade.

Below, it might give me the following attributes: December, Lathe, Bumblebee, Red, Chocolate, Squirrel.

I would immediately recognize that “cruise” is my focus object, and “chocolate” is my attribute. I would click on Chocolate. Notice, I did not click on “cruise.” That’s how cognitive ID thwarts those spying over your shoulder. While they may see which attribute you choose, they will have no idea which focus object it goes with, preserving the security of the link.

Cognitive Identification Example 2

With enough recognition objects, no two logins will ever be the same. Gone are the days when you could write your password on a sticky note! A network administrator could decide how many recognition objects would have to be verified to confirm a user’s identity.

And, if someone clicks the wrong attribute, the system does not give an error. It just keeps listing recognition objects until the success threshold has been crossed. A hacker “guessing” at these attributes will have no idea which guesses were correct and which were not.

With CogID, the weaknesses of passwords, biometrics, and 2F are eliminated. True Security is Identity-based. True Security is NimbusID.

For more information, please watch our video and visit our website, To learn how you can implement a CogID solution for your network, give us a call at 844.968.7143.

About the author: Eric Spellman