
Understanding users’ perceptions to improve fallback authentication

  • Original Paper
  • Personal and Ubiquitous Computing

Abstract

Despite receiving much scrutiny and criticism, security questions are still widely adopted. Although new techniques are continuously being proposed to improve fallback authentication (i.e. the design of security questions), little research has investigated users’ security and memorability perceptions. Previous research found that users’ perceptions matter because they can affect the adoption of security techniques. Hence, this research contributes to security questions research by investigating (in a study with n = 30) how users select security questions, what strategies they use to memorize answers, how they perceive the security and memorability of their answers, and how a technique that addresses key security weaknesses (but makes answers less memorable) affects users’ perceptions. Our key findings reveal that, even though participants were asked to select security questions for an online banking scenario, those who answered the security questions with their own answers did not consider security factors; instead, they selected easy, truthful and certain answers. Memorization strategies were ignored by most participants (even those who used unfamiliar answers). We also found that a technique designed to address key security weaknesses seemed to inspire some security awareness (though not enough on its own). Based on these findings, this paper provides recommendations to improve the design of security questions, making fallback authentication mechanisms both secure and usable.




Corresponding author

Correspondence to Nalin Asanka Gamagedara Arachchilage.

Appendix 1. Step 1 — Pre-study interview

The following are the questions that were asked of participants in the Pre-study interview (Step 1). In some of the questions participants were asked to select an answer from the provided choices.

  1. I am experienced and confident in using security questions on online websites in case I have forgotten my password.

    • Strongly Disagree
    • Disagree
    • Neither Disagree nor Agree
    • Agree
    • Strongly Agree

  2. Do you use the same security questions for different accounts on online websites (i.e. university email account, online banking account, loyalty cards)?

    • Follow-up: Please explain your answer.

  3. Do you usually provide the same answers to your chosen security questions for different accounts on online websites (i.e. university email account, online banking account, loyalty cards)?

    • Follow-up: Please explain your answer.

  4. How do you store the answers to your chosen security questions for online websites?

    • Follow-up if they answered yes: Do you encrypt your stored answers to your chosen security questions?

  5. How secure do you think your answers to the chosen security questions are, on a scale from 1 to 5 (1 - Not secure at all to 5 - Highly secure)?

    • Not secure at all
    • Not secure
    • Not sure
    • Secure
    • Highly Secure

  6. How likely is it that someone would guess your answers to your chosen security questions by doing an online search or looking at your social networking accounts (e.g., Facebook, LinkedIn), on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?

    • Not likely at all
    • Not likely
    • Not sure
    • Likely
    • Very Likely

  7. How likely is it that a family member would guess your answers to the chosen security questions, on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?

    • Not likely at all
    • Not likely
    • Not sure
    • Likely
    • Very Likely

  8. How likely is it that a friend would guess your answers to the chosen security questions, on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?

    • Not likely at all
    • Not likely
    • Not sure
    • Likely
    • Very Likely

  9. How memorable do you think your answers to the chosen security questions are, on a scale from 1 to 5 (1 - Not memorable at all to 5 - Very memorable)?

    • Not memorable at all
    • Not memorable
    • Not sure
    • Memorable
    • Very memorable

Appendix 2. Step 2 — Security questions selections

Scenario: Imagine that you are selecting security questions and answers to recover the forgotten password of your online banking website. After being briefed on this scenario, participants were provided with the following security questions:

  1. Mother’s maiden name.
  2. Father’s middle name.
  3. Best friend’s name.
  4. Favourite pet.
  5. Favourite food.
  6. Favourite hobby.
  7. Last 6 digits of Visa no.
  8. Last 6 digits of phone number.
  9. Vehicle registration number.
  10. High school city name.
  11. College city name.
  12. First work city name.
  13. First occupation.
  14. Last gained skill.
  15. Main weakness.

Participants in the Control group were asked to select 3 questions and come up with the answers themselves, while participants in the Experimental group were asked to select 3 questions and use the provided system-generated profiles to answer them.

When ready all participants were asked the following questions:

  • How did you select these security questions/answers?

Appendix 3. Step 3 — Memorizing answers

In this step participants were asked to memorize their answers. When finished, they were asked the following question:

  • What strategy did you adopt to memorize your answers?

Appendix 4. Step 6 — Post-study interview

The following are the questions that were asked of participants in the Post-study interview (Step 6). In some of the questions participants were asked to select an answer from the provided choices.

  1. Would you use the same security questions that you used in the study for different accounts on online websites (i.e. university email account, online banking account, loyalty cards)?

    • Follow-up: Please explain your answer.

  2. Would you use the same answers to the security questions that you used in the study for different accounts (i.e. university email account, online banking account, loyalty cards)?

    • Follow-up: Please explain your answer.

  For the Control group: 3a. Would you store the answers to the security questions that you used in this study?

  For the Intervention group: 3b. Would you like the system-generated profile to be accessible to you at any time, or do you want to see it just once?

  3. How secure do you think the answers to the security questions that you used in this study are, on a scale from 1 to 5 (1 - Not secure at all to 5 - Highly secure)?

    • Not secure at all
    • Not secure
    • Not sure
    • Secure
    • Highly Secure

  4. How likely is it that someone would guess the answers to the security questions that you used in this study by doing an online search or looking at your social networking accounts (e.g., Facebook, LinkedIn), on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?

    • Not likely at all
    • Not likely
    • Not sure
    • Likely
    • Very Likely

  5. How likely is it that a family member would guess the answers to the security questions that you used in this study, on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?

    • Not likely at all
    • Not likely
    • Not sure
    • Likely
    • Very Likely

  6. How likely is it that a friend would guess the answers to the security questions that you used in this study, on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?

    • Not likely at all
    • Not likely
    • Not sure
    • Likely
    • Very Likely

  7. How memorable do you think the answers to the security questions that you used in this study are, on a scale from 1 to 5 (1 - Not memorable at all to 5 - Very memorable)?

    • Not memorable at all
    • Not memorable
    • Not sure
    • Memorable
    • Very memorable

Cite this article

Micallef, N., Arachchilage, N.A.G. Understanding users’ perceptions to improve fallback authentication. Pers Ubiquit Comput 25, 893–910 (2021). https://doi.org/10.1007/s00779-021-01571-y