Abstract
Despite receiving a great deal of scrutiny and criticism, security questions are still widely adopted. Although new techniques are continuously being proposed to improve fallback authentication (i.e. the design of security questions), little research has investigated users’ security and memorability perceptions. Previous research found that users’ perceptions matter because they can affect the adoption of security techniques. Hence, this research contributes to security questions research by investigating (in a study with n = 30) how users select security questions, which strategies they use to memorize answers, how they perceive the security and memorability of their answers, and how a technique that addresses key security weaknesses (but makes answers less memorable) affects users’ perceptions. Our key findings reveal that, despite being asked to select security questions for an online banking scenario, participants who answered security questions with their own answers did not consider security factors. Instead, they selected easy, truthful and certain answers. Memorization strategies were ignored by most participants (even those who used unfamiliar answers). We also found that a technique designed to address key security weaknesses seemed to inspire some degree of security awareness (though not enough on its own). Based on these findings, this paper provides recommendations to improve the design of security questions, making fallback authentication mechanisms more secure and usable.
Appendix 1. Step 1 — Pre-study interview
The following are the questions that were asked to participants in the Pre-study interview (Step 1). In some of the questions participants were asked to select an answer from the provided choices.
1. I am experienced and confident in using security questions for online websites, in case I have forgotten passwords.
   - Strongly Disagree
   - Disagree
   - Neither Disagree nor Agree
   - Agree
   - Strongly Agree
2. Do you use the same security questions for different accounts for online websites (i.e. university email account, online banking account, loyalty cards)?
   Follow-up: Please explain your answer.
3. Do you usually provide the same answers to your chosen security questions given to different accounts for online websites (i.e. university email account, online banking account, loyalty cards)?
   Follow-up: Please explain your answer.
4. How do you store the answers to your chosen security questions for online websites?
   Follow-up if they answered yes: Do you encrypt your stored answers to your chosen security questions?
5. How secure do you think that your answers to the chosen security questions are, on a scale from 1 to 5 (1 - Not secure at all to 5 - Highly secure)?
   - Not secure at all
   - Not secure
   - Not sure
   - Secure
   - Highly Secure
6. How likely is it that someone would guess your answers to your chosen security questions by doing an online search or looking at your social networking accounts (e.g., facebook, linkedin), on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?
   - Not likely at all
   - Not likely
   - Not sure
   - Likely
   - Very Likely
7. How likely is it that a family member would guess your answers to the chosen security questions, on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?
   - Not likely at all
   - Not likely
   - Not sure
   - Likely
   - Very Likely
8. How likely is it that a friend would guess your answers to the chosen security questions, on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?
   - Not likely at all
   - Not likely
   - Not sure
   - Likely
   - Very Likely
9. How memorable do you think that your answers to the chosen security questions are, on a scale from 1 to 5 (1 - Not memorable at all to 5 - Very memorable)?
   - Not memorable at all
   - Not memorable
   - Not sure
   - Memorable
   - Very memorable
Appendix 2. Step 2 — Security questions selections
Scenario: Imagine that you are selecting security questions and answers to recover the forgotten passwords of your online banking website. After being briefed with the previous scenario participants were provided with the following security questions:
1. Mother’s maiden name.
2. Father’s middle name.
3. Best friend’s name.
4. Favourite pet.
5. Favourite food.
6. Favourite hobby.
7. Last 6 digits of Visa number.
8. Last 6 digits of phone number.
9. Vehicle registration number.
10. High school city name.
11. College city name.
12. First work city name.
13. First occupation.
14. Last gained skill.
15. Main weakness.
Participants in the Control Group were asked to select 3 questions and come up with the answers themselves, while participants in the Experimental Group were asked to select 3 questions and use the provided system-generated profiles to answer the questions.
When ready, all participants were asked the following question:
- How did you select these security questions/answers?
Appendix 3. Step 3 — Memorizing answers
In this step participants were asked to memorize their answers. When finished they were asked the following question:
- What strategy did you adopt to memorize your answers?
Appendix 4. Step 6 — Post-study interview
The following are the questions that were asked to participants in the Post-study interview (Step 6). In some of the questions participants were asked to select an answer from the provided choices.
1. Would you use the same security questions that you used in the study for different accounts for online websites (i.e. university email account, online banking account, loyalty cards)?
   Follow-up: Please explain your answer.
2. Would you use the same answers to the security questions that you used in the study for different accounts (i.e. university email account, online banking account, loyalty cards)?
   Follow-up: Please explain your answer.
   For Control Group: 3a. Would you store the answers to the security questions that you used in this study?
   For Intervention Group: 3b. Would you like the system-generated profile to be accessible to you anytime, or do you want to see it just once?
3. How secure do you think that the answers to the security questions that you used in this study are, on a scale from 1 to 5 (1 - Not secure at all to 5 - Highly secure)?
   - Not secure at all
   - Not secure
   - Not sure
   - Secure
   - Highly Secure
4. How likely is it that someone would guess the answers to the security questions that you used in this study by doing an online search or looking at your social networking accounts (e.g., facebook, linkedin), on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?
   - Not likely at all
   - Not likely
   - Not sure
   - Likely
   - Very Likely
5. How likely is it that a family member would guess the answers to the security questions that you used in this study, on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?
   - Not likely at all
   - Not likely
   - Not sure
   - Likely
   - Very Likely
6. How likely is it that a friend would guess the answers to the security questions that you used in this study, on a scale from 1 to 5 (1 - Not likely at all to 5 - Very likely)?
   - Not likely at all
   - Not likely
   - Not sure
   - Likely
   - Very Likely
7. How memorable do you think that the answers to the security questions that you used in this study are, on a scale from 1 to 5 (1 - Not memorable at all to 5 - Very memorable)?
   - Not memorable at all
   - Not memorable
   - Not sure
   - Memorable
   - Very memorable
Cite this article
Micallef, N., Arachchilage, N.A.G. Understanding users’ perceptions to improve fallback authentication. Pers Ubiquit Comput 25, 893–910 (2021). https://doi.org/10.1007/s00779-021-01571-y