Designing Crypto Primitives Secure Against Rubber Hose Attacks

  • "While the planted secret can be used for authentication, the participant cannot be coerced into revealing it since he or she has no conscious knowledge of it." Quite interesting idea. But don't we now move from "rubber hose" to "Please sit down and authenticate here." territory?

  • Not this paper again. It can't be used for cryptographic usage and the title (which is the original title of the paper) is completely misleading.

    The device you're authenticating must have the secret you're authenticating with in it in a retrievable format. So it can't be used for e.g. disk encryption, etc, because the attacker can just get the secret from the device and decrypt.

    All it can be used for is authentication, and for that they require a human security guard to ensure it's actually a human playing the authentication game. If you were to attach a computer, it's likely it could impersonate you. So almost completely useless (except for getting people's hopes up).

    More discussion here: https://news.ycombinator.com/item?id=4266115

  • This paper is from a few years ago, but I think that for folks who aren't quite as into the net/info security side of things, it's better to think of "rubber hose attacks" as a polite way to say "having to fight too many subpoenas from a more wealthy adversary".

    Hopefully doesn't apply to your businesses, but it sure delayed a lot of things in the 80s and 90s before the EFF/CDT/and so on helped settle a lot of the law that we take for granted now.

    (No I do not work for the EFF, CDT, or any other TLA. I just think that programmers and painters both need to be cognizant of copyright)

  • I think that the finger-prick scanners from Gattaca are the future. We already have them in the form of diabetes scanners. They could look for matching genetic material to identify the user, and generate a hash based on the average amounts of hormones in the body, for example. It would only produce the correct hash if you felt 'normal', so a flood of fear hormones or an abundance of drugs would make it throw an invalid hash.

  • This really has nothing to do with crypto primitives, but is all about memory. One would still use exactly the same crypto primitives and protocols as we have already, just the method of memorising secrets would be different.

    It would be interesting to see how their approach does against attacks against subconscious reactions that can nevertheless be measured by more sophisticated devices.

  • Hmm, training 30-40 min, authentication 5 min. That's a huge inconvenience. It's very interesting research but I don't see this being used in real life.

  • This might be useful for password recovery in some scenarios.

  • Yeah, I fail to see how this actually defends against the "I'm going to hit you with this rubber hose until you login" attack.