DOI: 10.1145/1572532.1572543
Research article, SOUPS conference proceedings

Personal choice and challenge questions: a security and usability assessment

Published: 15 July 2009

Abstract

Challenge questions are an increasingly important part of mainstream authentication solutions, yet there are few published studies concerning their usability or security. This paper reports on an experimental investigation into user-chosen questions. We collected questions from a large cohort of students, in a way that encouraged participants to give realistic data. The questions allow us to consider possible modes of attack and to judge the relative effort needed to crack a question, according to an innovative model of the knowledge of the attacker. Using this model, we found that many participants were likely to have chosen questions with low-entropy answers, yet they believed that their challenge questions would resist attacks from a stranger. By asking multiple questions, though, we are able to show a marked improvement in security for most users. In a second stage of our experiment, we applied existing metrics to measure the usability of the questions and answers. Despite having youthful memories and choosing their own questions, users made errors more frequently than desirable.
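As an added illustration (my own code, not the paper's, whose attacker model and survey data are not reproduced here; the answer pools are constructed), this computes the Shannon entropy and the popularity-ordered guessing effort of three hypothetical user-chosen questions, and shows how asking several independent questions raises both:

```python
from collections import Counter
from itertools import product
from math import log2

# Constructed answer pools for three user-chosen challenge questions
# (made-up cohort answers, not data from the paper).
PET_NAMES = ["max", "bella", "charlie", "molly", "oscar",
             "poppy", "alfie", "daisy", "tilly", "buddy"]
ANSWERS = {
    "favourite colour": ["blue"] * 40 + ["red"] * 20 + ["green"] * 20
                        + ["black"] * 10 + ["purple"] * 10,
    "first pet's name": [n for n in PET_NAMES for _ in range(10)],
    "city of birth": ["london"] * 30 + ["edinburgh"] * 25 + ["glasgow"] * 15
                     + [f"town{i}" for i in range(30)],  # long tail of unique towns
}

def distribution(answers):
    """Relative frequency of each answer in the pool."""
    n = len(answers)
    return {a: c / n for a, c in Counter(answers).items()}

def shannon_entropy(dist):
    """Entropy of the answer distribution, in bits."""
    return -sum(p * log2(p) for p in dist.values())

def expected_guesses(dist):
    """Mean guesses for an attacker who knows the cohort distribution
    and tries answers from most to least popular."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(rank * p for rank, p in enumerate(ranked, start=1))

def joint_distribution(dists):
    """Joint answer distribution, assuming the questions are independent.
    Correlated questions (e.g. two about the same pet) add less than this."""
    joint = {}
    for combo in product(*(d.items() for d in dists)):
        p = 1.0
        for _, q in combo:
            p *= q
        joint[tuple(a for a, _ in combo)] = p
    return joint

def assess(names):
    """(entropy in bits, expected guesses) for the named questions asked together."""
    joint = joint_distribution([distribution(ANSWERS[n]) for n in names])
    return shannon_entropy(joint), expected_guesses(joint)

if __name__ == "__main__":
    for names in [[q] for q in ANSWERS] + [list(ANSWERS)]:
        bits, guesses = assess(names)
        print(f"{' + '.join(names)}: {bits:.2f} bits, {guesses:.1f} expected guesses")
```

The same two measures can be applied at enrolment to screen a user-chosen question against a cohort's answer distribution before accepting it, and to decide how many independent questions a recovery flow must ask.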




Published In

SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security
July 2009, 205 pages
ISBN: 9781605587363
DOI: 10.1145/1572532

Sponsors

• Carnegie Mellon CyLab
• Google Inc.

Publisher

Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. authentication
    2. challenge questions
    3. security
    4. usability

Conference

SOUPS '09: Symposium on Usable Privacy and Security
July 15-17, 2009, Mountain View, California, USA

    Acceptance Rates

SOUPS '09 paper acceptance rate: 15 of 49 submissions (31%)
Overall acceptance rate: 15 of 49 submissions (31%)

Cited By

• A Comparative Long-Term Study of Fallback Authentication Schemes. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, 1-19 (11 May 2024). doi:10.1145/3613904.3642889
• Robust Multi-Factor Authentication for WSNs With Dynamic Password Recovery. IEEE Transactions on Information Forensics and Security 19, 8398-8413 (2024). doi:10.1109/TIFS.2024.3451364
• User Verification System using Location-based Dynamic Questions for Account Recovery. 2024 IEEE Security and Privacy Workshops (SPW), 9-16 (23 May 2024). doi:10.1109/SPW63631.2024.00006
• AuthZit: Personalized Visual-Spatial and Loci-Tagging Fallback Authentication. 2024 IEEE 29th Pacific Rim International Symposium on Dependable Computing (PRDC), 120-130 (13 Nov 2024). doi:10.1109/PRDC63035.2024.00025
• Enhancing smartphone security with human centric bimodal fallback authentication leveraging sensors. Scientific Reports 14:1 (21 Oct 2024). doi:10.1038/s41598-024-74473-7
• Enhancing Account Recovery with Location-based Dynamic Questions. 2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion (QRS-C), 532-539 (22 Oct 2023). doi:10.1109/QRS-C60940.2023.00061
• "Where did you first meet the owner?" – Exploring Usable Authentication for Smart Home Visitors. Extended Abstracts of the 2022 CHI Conference on Human Factors in Computing Systems, 1-7 (27 Apr 2022). doi:10.1145/3491101.3519777
• Understanding users' perceptions to improve fallback authentication. Personal and Ubiquitous Computing (23 May 2021). doi:10.1007/s00779-021-01571-y
• Exploring the Acceptability of Graphical Passwords for People with Dyslexia. Human-Computer Interaction – INTERACT 2021, 213-222 (26 Aug 2021). doi:10.1007/978-3-030-85623-6_14
• Understanding User's Behavior and Protection Strategy upon Losing, or Identifying Unauthorized Access to Online Account. HCI for Cybersecurity, Privacy and Trust, 310-325 (3 Jul 2021). doi:10.1007/978-3-030-77392-2_20
