• oatscoop@midwest.social
    3 months ago

    Having read the paper, there seems to be a glaring problem: Even though the user can’t tell an attacker the password, nothing is stopping them from demonstrating the password. It doesn’t matter if it’s an interactive sequence – the user is going to remember enough detail to describe the “prompts”.

    A rubber hose and a little time will get enough information to make a “close enough” mock-up of the password entry interface the trusted user can use to reveal the password.