skip to main content
10.1145/1456424.1456435acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article

Quantifying the security of preference-based authentication

Published: 31 October 2008 Publication History

Abstract

We describe a technique aimed at addressing longstanding problems for password reset: security and cost. In our approach, users are authenticated using their preferences. Experiments and simulations have shown that the proposed approach is secure, fast, and easy to use. In particular, the average time for a user to complete the setup is approximately two minutes, and the authentication process takes only half that time. The false negative rate of the system is essentially 0% for our selected parameter choice. For an adversary who knows the frequency distributions of answers to the questions used, the false positive rate of the system is estimated at less than half a percent, while the false positive rate is close to 0% for an adversary without this information. Both of these estimates have a significance level of 5%.

References

[1]
F. Asgharpour and M. Jakobsson. Adaptive Challenge Questions Algorithm in Password Reset/Recovery. In First International Workship on Security for Spontaneious Interaction: IWIISI'07, Innsbruck, Austria, September 2007.
[2]
D. W. Crawford, G. Godbey, and A. C. Crouter. The Stability of Leisure Preferences. Journal of Leisure Research, 18:96--115, 1986.
[3]
J. L. Devore. Probability and Statistics for Engineering and Sciences. Brooks/Cole Publishing Company, 1995.
[4]
C. Ellison, C. Hall, R. Milbert, and B. Schneier. Protecting Secret Keys with Personal Entropy. Future Gener. Comput. Syst., 16(4):311--318, 2000.
[5]
N. Frykholm and A. Juels. Error-tolerant Password Recovery. In CCS'01: Proceedings of the 8th ACM conference on Computer and Communications Security, pages 1--9, New York, NY, USA, 2001. ACM.
[6]
V. Griffith and M. Jakobsson. Messin' with Texas, Deriving Mother's Maiden Names Using Public Records. RSA CryptoBytes, 8(1):18--28, 2007.
[7]
W. J. Haga and M. Zviran. Question-and-Answer Passwords: an Empirical Evaluation. Inf. Syst., 16(3):335--343, 1991.
[8]
M. Jakobsson, T. N. Jagatic, and S. Stamm. Phishing for Clues. https://www.indiana.edu/~phishing/browser-recon/, Last retrieved in August 2008.
[9]
M. Jakobsson, E. Stolterman, S. Wetzel, and L. Yang. Love and Authentication. In CHI'08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, pages 197--200, New York, NY, USA, 2008. ACM.
[10]
A. Juels and M. Wattenberg. A Fuzzy Commitment Scheme. In CCS'99: Proceedings of the 6th ACM conference on Computer and communications security, pages 28--36, New York, NY, USA, 1999. ACM. www.rsa.com/blog/blog_entry.aspx?id=1152, last retrieved in August 2008.
[11]
M. Just. Designing and Evaluating Challenge-question Systems. IEEE Security and Privacy, 2(5):32--39, 2004.
[12]
G. F. Kuder. The Stability of Preference Items. Journal of Social Psychology, pages 41--50, 10 1939.
[13]
L. O'Gorman, A. Bagga, and J. L. Bentley. Call Center Customer Verification by Query-Directed Passwords. In Financial Cryptography, pages 54--67, 2004. www.voiceport.net/PasswordReset.aspx, last retrieved in August 2008.
[14]
A. Rabkin. Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook. In SOUPS, 2008. www.schneier.com/blog/archives/2005/02/the_curse_of_th.html, last retrieved in August 2008.
[15]
D. Stinson. Cryptography: Theory and Practice. CRC Press, 3rd edition, November 2005. www2.csoonline.com/article/221068/Strong_Authentication_for_Online_Banking_Success_Factors?page=1, last retrieved in August 2008.

Cited By

View all

Index Terms

  1. Quantifying the security of preference-based authentication

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    DIM '08: Proceedings of the 4th ACM workshop on Digital identity management
    October 2008
    112 pages
    ISBN:9781605582948
    DOI:10.1145/1456424
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 31 October 2008

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. password reset
    2. preference-based authentication
    3. security question
    4. simulation

    Qualifiers

    • Research-article

    Conference

    CCS08
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 16 of 34 submissions, 47%

    Upcoming Conference

    CCS '25

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)11
    • Downloads (Last 6 weeks)0
    Reflects downloads up to 17 Jan 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2019)Characterizing Conflicting User Values for Cyber Authentication Using a Virtual Public Values ForumDecision Analysis10.1287/deca.2018.038316:3(157-171)Online publication date: 15-Aug-2019
    • (2019)Evaluating Login Challenges as aDefense Against Account TakeoverThe World Wide Web Conference10.1145/3308558.3313481(372-382)Online publication date: 13-May-2019
    • (2017)End-to-End PasswordsProceedings of the 2017 New Security Paradigms Workshop10.1145/3171533.3171542(107-121)Online publication date: 1-Oct-2017
    • (2015)Locked Your Phone? Buy a New One? From Tales of Fallback Authentication on Smartphones to Actual ConceptsProceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services10.1145/2785830.2785839(295-305)Online publication date: 24-Aug-2015
    • (2015)Secrets, Lies, and Account RecoveryProceedings of the 24th International Conference on World Wide Web10.1145/2736277.2741691(141-150)Online publication date: 18-May-2015
    • (2014)Towards reliable storage of 56-bit secrets in human memoryProceedings of the 23rd USENIX conference on Security Symposium10.5555/2671225.2671264(607-623)Online publication date: 20-Aug-2014
    • (2013)Alice and Bob in LoveSecurity Protocols XVII10.1007/978-3-642-36213-2_23(189-198)Online publication date: 2013
    • (2012)Improved Visual Preference AuthenticationProceedings of the 2012 Workshop on Socio-Technical Aspects in Security and Trust (STAST)10.1109/STAST.2012.13(27-34)Online publication date: 25-Jun-2012
    • (2012)The Quest to Replace PasswordsProceedings of the 2012 IEEE Symposium on Security and Privacy10.1109/SP.2012.44(553-567)Online publication date: 20-May-2012
    • (2012)Training Johnny to Authenticate (Safely)IEEE Security & Privacy Magazine10.1109/MSP.2011.12910:1(37-45)Online publication date: Jan-2012
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Media

    Figures

    Other

    Tables

    Share

    Share

    Share this Publication link

    Share on social media