DOI: 10.1145/1357054.1357087
Research article (CHI Conference Proceedings)

Love and authentication

Published: 06 April 2008

Abstract

Passwords are ubiquitous, and users and service providers alike rely on them for their security. However, good passwords may sometimes be hard to remember. For years, security practitioners have battled with the dilemma of how to authenticate people who have forgotten their passwords. Existing approaches suffer from high false positive and false negative rates: the former is often due to low entropy or public availability of the information, whereas the latter is often due to unclear or changing answers, or to ambiguous or fault-prone entry of the same. Good security questions should be based on long-lived personal preferences and knowledge, and avoid publicly available information. We show that many of the questions used by online matchmaking services are suitable as security questions. We first describe a new user interface approach suited to such security questions that offers a reduced risk of incorrect entry. We then detail the findings of experiments aimed at quantifying the security of our proposed method.



Published In

CHI '08: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2008
1870 pages
ISBN:9781605580111
DOI:10.1145/1357054
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 April 2008


Author Tags

  1. entry error
  2. password
  3. reset
  4. security
  5. security question

Qualifiers

  • Research-article

Conference

CHI '08

Acceptance Rates

CHI '08 Paper Acceptance Rate 157 of 714 submissions, 22%;
Overall Acceptance Rate 6,199 of 26,314 submissions, 24%


Article Metrics

  • Downloads (last 12 months): 14
  • Downloads (last 6 weeks): 1
Reflects downloads up to 17 Jan 2025


Cited By

  • (2023) A framework for analyzing authentication risks in account networks. Computers and Security, 135:C. DOI: 10.1016/j.cose.2023.103515. Online publication date: 1-Dec-2023.
  • (2021) A Model to Improve Security Questions Through Individualized Assistance. International Journal of Information Security and Privacy, 15(4):31-53. DOI: 10.4018/IJISP.2021100103. Online publication date: 1-Oct-2021.
  • (2021) A Private Key Recovery Scheme Using Partial Knowledge. 2021 11th IFIP International Conference on New Technologies, Mobility and Security (NTMS), pp. 1-5. DOI: 10.1109/NTMS49979.2021.9432642. Online publication date: 19-Apr-2021.
  • (2021) You've Got (a Reset) Mail: A Security Analysis of Email-Based Password Reset Procedures. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 1-20. DOI: 10.1007/978-3-030-80825-9_1. Online publication date: 14-Jul-2021.
  • (2019) User Account Access Graphs. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1405-1422. DOI: 10.1145/3319535.3354193. Online publication date: 6-Nov-2019.
  • (2017) The Password Reset MitM Attack. 2017 IEEE Symposium on Security and Privacy (SP), pp. 251-267. DOI: 10.1109/SP.2017.9. Online publication date: May-2017.
  • (2016) The trade-off between usability and security in the context of eGovernment. Proceedings of the 30th International BCS Human Computer Interaction Conference: Fusion!, pp. 1-13. DOI: 10.14236/ewic/HCI2016.36. Online publication date: 11-Jul-2016.
  • (2016) Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper). Technology and Practice of Passwords, pp. 39-44. DOI: 10.1007/978-3-319-29938-9_3. Online publication date: 2016.
  • (2015) Locked Your Phone? Buy a New One? From Tales of Fallback Authentication on Smartphones to Actual Concepts. Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services, pp. 295-305. DOI: 10.1145/2785830.2785839. Online publication date: 24-Aug-2015.
  • (2015) Secrets, Lies, and Account Recovery. Proceedings of the 24th International Conference on World Wide Web, pp. 141-150. DOI: 10.1145/2736277.2741691. Online publication date: 18-May-2015.
