Love and Authentication, CHI, 08
The authors propose a fallback authentication scheme built on questions about the user's personal preferences, answered on a 3-point Likert scale: Really like; Don't care/Don't know; Really dislike. The underlying observation is that a legitimate user's answer is highly unlikely to be off by two points (to flip between Really like and Really dislike), while a stranger has to guess.
The authors collected responses from 423 college students on 193 questions (taken from dating web sites) and kept the 96 questions with the highest entropy. A user answers all 96 questions once during setup; when he has forgotten his password, he is asked a subset of them and answers on the same 3-point scale. Each answer earns a score, and the sum of the scores must exceed a threshold for the user to be authenticated. With 23 questions and a threshold of 50%, the scheme gives a 0.0% false negative rate, a 3.8% false positive rate against a stranger and a 10.5% false positive rate against a friend. The "stranger" here is a robot that submits guesses in decreasing order of probability.
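An added illustration of the scheme as summarised above (example code written for these notes, not the paper's own): it picks the highest-entropy questions from a survey, scores a recovery attempt on the 3-point scale, and plays the "stranger robot" that guesses in decreasing order of probability. The point values (+1 exact, 0 one step off, -1 two steps off), the assumption that questions are independent when ranking the robot's guesses, and the ten-respondent POPULATION table are all mine, not the paper's.

```python
"""Preference-based fallback authentication on a 3-point Likert scale.

Added illustration, not the CHI '08 authors' code.  Assumptions: an exact
match scores +1, an answer one step off scores 0, an answer two steps off
(Really like vs Really dislike) scores -1; the user passes when the mean score
reaches the threshold.  POPULATION is constructed sample data standing in for
the survey responses used to pick high-entropy questions.
"""
import math
from collections import Counter
from itertools import product

LIKE, NEUTRAL, DISLIKE = 1, 0, -1
SCALE = (LIKE, NEUTRAL, DISLIKE)

# Constructed: each list holds one answer per survey respondent (10 people).
POPULATION = {
    "spicy food": [1, 1, 1, 1, 1, 1, 0, 0, -1, -1],   # skewed towards "like"
    "sushi":      [1, 1, 1, 0, 0, 0, -1, -1, -1, 1],  # close to uniform
    "camping":    [1, -1, 1, -1, 0, 0, 1, -1, 1, 1],
    "opera":      [0, 0, 0, 0, 0, 0, 0, 0, 0, 1],     # almost all "don't care"
    "dogs":       [1, 1, 1, 1, 1, 1, 1, 1, 1, 1],     # zero entropy: useless
}


def entropy_bits(answers):
    """Shannon entropy of one question's answer distribution."""
    n = len(answers)
    return -sum(c / n * math.log2(c / n) for c in Counter(answers).values())


def select_questions(population, k):
    """Keep the k questions whose answers are hardest to predict."""
    ranked = sorted(population, key=lambda q: entropy_bits(population[q]), reverse=True)
    return ranked[:k]


def score_answer(enrolled, given):
    """Assumed scoring: +1 exact, 0 one step off, -1 two steps off."""
    return {0: 1, 1: 0, 2: -1}[abs(enrolled - given)]


def authenticate(enrolled, given, threshold=0.5):
    """Accept when the mean score over the asked questions reaches threshold."""
    total = sum(score_answer(e, g) for e, g in zip(enrolled, given))
    return total / len(enrolled) >= threshold


def ranked_guesses(population, questions):
    """The 'stranger robot': all answer vectors in decreasing joint probability,
    treating questions as independent (an assumption made here)."""
    marginals = []
    for q in questions:
        counts, n = Counter(population[q]), len(population[q])
        marginals.append({a: counts.get(a, 0) / n for a in SCALE})

    def joint(vec):
        return math.prod(m[a] for m, a in zip(marginals, vec))

    return sorted(product(SCALE, repeat=len(questions)), key=lambda v: (-joint(v), v))


def attempts_to_break(enrolled, population, questions, threshold=0.5):
    """Number of guesses the robot needs before it is accepted (None if never)."""
    for i, guess in enumerate(ranked_guesses(population, questions), start=1):
        if authenticate(enrolled, guess, threshold):
            return i
    return None


def false_positive_rate(population, questions, threshold=0.5):
    """Fraction of respondents the robot's single best guess unlocks."""
    best = ranked_guesses(population, questions)[0]
    users = range(len(next(iter(population.values()))))
    hits = sum(authenticate([population[q][u] for q in questions], best, threshold)
               for u in users)
    return hits / len(users)


if __name__ == "__main__":
    qs = select_questions(POPULATION, 3)
    print("selected questions:", qs)
    print("legit user, one answer one step off:", authenticate([1, 1, 1], [1, 0, 1]))
    print("legit user, one answer two steps off:", authenticate([1, 1, 1], [1, -1, 1]))
    print("robot first-guess false positive rate:", false_positive_rate(POPULATION, qs))
```

Two things worth seeing in the output: an honest user who drifts by one step on a question still passes, while a two-step flip costs as much as a wrong answer, and the robot's first guess (the most popular answer to every question) already unlocks the respondents whose tastes match the majority. That is why the paper's question selection favours high-entropy questions and why the stranger's false positive rate must be measured against a guesser that knows the population distribution, not a uniform one.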
Citation (ACM Ref): Markus Jakobsson, Erik Stolterman, Susanne Wetzel, and Liu Yang. 2008. Love and authentication. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '08). ACM, New York, NY, USA, 197-200. DOI=10.1145/1357054.1357087 http://doi.acm.org/10.1145/1357054.1357087
Personal knowledge questions for fallback authentication: Security questions in the era of Facebook, SOUPS, 08
The author analyzes over 200 personal security questions used by 20 banking or brokerage websites for fallback authentication and concludes that they provide, at best, weak security. The availability of personal information on the Internet further weakens personal-knowledge questions.
Security questions come in two types: sensitive security questions, e.g., about an account number, PIN or SSN, and personal security questions, e.g., mother's maiden name. The author classifies the personal security questions as inapplicable ("Which high school did your spouse attend?"), not memorable ("Last name of your kindergarten teacher?"), ambiguous ("What is the name of a college you applied to but did not attend?", 20%), guessable ("How old were you when you were married?", 30%), attackable ("With which company did you hold your first job?"), and automatically attackable ("What year did you graduate from college?"). No institution advises users on how to choose a secure question. Romantic partners were able to guess answers correctly 30% of the time in one try.
Mostly computer science and computer security students participated in the user study, so the results represent an upper bound on security consciousness. Even so, users prioritized memorability over security when choosing questions, and used usernames derived from their real names. Although the fallback mechanism was weak, no large-scale attacks on personal Internet banking were known at the time, presumably because attacks such as phishing are easier and more scalable, and because banks use other cues to flag suspicious transactions, which makes actually extracting money harder.
As remedies, the author suggests letting users write their own security questions, accepting approximately correct answers, and using questions with ephemeral answers (e.g., about recent browsing history) or preference-based answers. The system should also guide users toward secure questions. Since an attack on personal security questions is essentially an information retrieval exercise, the author suggests making that exercise harder by embedding multimedia content in questions, e.g., asking about a user-selected image.
Citation (ACM Ref): Ariel Rabkin. 2008. Personal knowledge questions for fallback authentication: security questions in the era of Facebook. In Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS '08). ACM, New York, NY, USA, 13-23. DOI=10.1145/1408664.1408667 http://doi.acm.org/10.1145/1408664.1408667
It's no secret. Measuring the security and reliability of authentication via 'secret' questions, SSP, 09
The authors examined the personal security questions used by AOL, Google, Microsoft and Yahoo! for password recovery, measuring both security and memorability. Untrusted acquaintances could correctly guess 17% of answers, users forgot 20% of their answers within six months, and 13% of answers were among the five most popular answers to their question.
130 people participated in the user study. Levenshtein edit distance worked well as a guess matcher, i.e., for deciding whether a recovery attempt is close enough to the stored answer. The authors suggest that the number of retries allowed should adapt to the kind of responses received. They note that steering users away from popular answers makes it more likely that a user will forget the correct answer; instead, they suggest occasionally checking, after the user has logged in, whether he still remembers his answer. As a backup authenticator, they also suggest single-use account-recovery codes.
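An added example of the two mechanics mentioned above, lenient answer matching by edit distance and a check against the most popular answers (example code written for these notes, not the paper's). The normalisation rules, the edit budget of one edit per five characters, and the FIRST_PET_ANSWERS list are assumptions; the answer list is constructed data.

```python
"""Lenient matching of recovery answers with Levenshtein edit distance, plus a
check against the most popular answers to a question.

Added illustration, not the S&P '09 authors' code.  The normalisation rules,
the edit budget (one edit per five characters of the stored answer) and the
sample answer list are assumptions; FIRST_PET_ANSWERS is constructed data.
"""
import re
from collections import Counter


def normalise(answer):
    """Lower-case, drop punctuation and collapse whitespace, so that
    'St. Louis' and 'st louis' compare equal before any edit is counted."""
    return " ".join(re.sub(r"[^\w\s]", "", answer.lower()).split())


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute ca -> cb
        prev = cur
    return prev[-1]


def edit_budget(stored):
    """Assumed policy: one edit per five characters of the stored answer,
    never fewer than one for a non-empty answer."""
    return max(1, len(stored) // 5)


def answers_match(stored, given):
    """True when the normalised attempt is within the edit budget of the
    normalised stored answer."""
    s, g = normalise(stored), normalise(given)
    if not s:
        return False
    return levenshtein(s, g) <= edit_budget(s)


# Constructed sample: answers other users gave to "What was your first pet's name?"
FIRST_PET_ANSWERS = ["Max", "max", "Bella", "Buddy", "Max", "Lucy", "Charlie",
                     "bella", "Rocky", "Max", "Daisy", "Buddy", "Lucy", "Oscar", "Zeus"]


def popular_answers(answers, top=5):
    """The top-n normalised answers; a user picking one of these gives an
    attacker little beyond what the question itself reveals."""
    counts = Counter(normalise(a) for a in answers)
    return [a for a, _ in counts.most_common(top)]


def is_popular(answer, answers, top=5):
    return normalise(answer) in popular_answers(answers, top)


if __name__ == "__main__":
    print(answers_match("Springfield", "springfeild"))   # typo within budget
    print(answers_match("St. Louis", "st louis"))        # punctuation ignored
    print(answers_match("Smith", "Jones"))               # different answer
    print(popular_answers(FIRST_PET_ANSWERS))
    print(is_popular("MAX", FIRST_PET_ANSWERS))
```

Two consequences follow for anyone implementing this. First, fuzzy matching means the stored answer cannot simply be a one-way hash of the exact string; it has to be kept recoverable (encrypted at rest) or compared against hashes of a bounded set of normalised variants. Second, every edit the budget allows enlarges the set of strings that are accepted, so the budget must be paired with strict rate limiting on recovery attempts.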
Citation (ACM Ref): Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman. 2009. It's No Secret. Measuring the Security and Reliability of Authentication via "Secret" Questions. In Proceedings of the 2009 30th IEEE Symposium on Security and Privacy (SP '09). IEEE Computer Society, Washington, DC, USA, 375-390. DOI=10.1109/SP.2009.11 http://dx.doi.org/10.1109/SP.2009.11
Personal Choice and Challenge Questions: A Security and Usability Assessment, SOUPS, 09
The authors investigate the security and usability of user-written challenge questions. Many of the questions participants chose had low-entropy answers, yet participants believed their questions were secure. Asking multiple questions improved security. Despite being young, with fresh memories, and choosing their own questions, many users forgot their answers.
60 students participated in a two-stage user study; the second stage came 23 days after the first and was designed to test memorability. The authors consider three attacks: blind guess, focused guess and observation. In a blind guess the attacker does not know the question he is answering and tries possibilities based on the skewed frequency distribution of English characters; for this attack, answer entropy below 34 bits is rated low, 34 to 48 bits medium, and over 48 bits high. In a focused guess the attacker knows the question and can shrink the search space substantially by enumerating likely answers. In an observation attack the attacker also knows which user is being targeted and can search the Internet for information about him.
Only one user gave three questions that all failed against the attacks. 31 users avoided a low rating on every question; 15 users (25%) achieved high-medium-medium and 12 (20%) achieved high-high-medium. No user achieved three high ratings. The authors did not examine an attacker who combines the attacks. Judging from participants' own security ratings, users knowingly chose questions whose answers family or friends could guess. 12% of users failed to reproduce at least one of their three answers, perhaps because associating information with a question involved some memorization, and because knowing a fact and reproducing it exactly in written form are different things.
The authors note that some questions have time as an implicit parameter, e.g., "Personal best for sport?": the answer can change, and the user may struggle to recall which answer he gave at registration. While three questions appear to be secure, the independence of the questions must be checked so that the answer to one does not leak information about another. Requiring a minimum answer length provides some security, but some answers have a fixed length, e.g., a last name; in that case the system can ask the user for additional questions to compensate. The system can discard questions with low-entropy answers. The authors also suggest presenting fake questions when the username is incorrect, so that the recovery flow does not confirm which usernames exist. Many user-proposed questions resembled the questions banks ask, which suggests users should not be expected to invent novel high-entropy questions.
Citation (ACM Ref): Mike Just and David Aspinall. 2009. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS '09). ACM, New York, NY, USA, Article 8, 11 pages. DOI=10.1145/1572532.1572543 http://doi.acm.org/10.1145/1572532.1572543
1 + 1 = You. Measuring the comprehensibility of metaphors for configuring backup authentication, SOUPS, 09
The authors investigate how well various metaphors help users understand complex backup-authentication configurations. Users understood the exam metaphor best.
To increase the security and reliability of backup authentication, multiple tasks, e.g., answering several questions, requesting a code by email, should be combined in the mechanism. Users may then have difficulty understanding which tasks suffice for successful authentication. The authors examine an exam metaphor and an evidence metaphor and compare them with the Windows Live backup mechanism. The exam metaphor assigns points to each task, e.g., one correctly answered question is worth 5 points and another 7, and the user must accumulate a fixed total, like passing an exam, to be authenticated. In the evidence metaphor, tasks provide strong or weak evidence, and the user must complete a combination of them that satisfies the evidentiary requirement.
18 people participated in the user study. The exam metaphor won. A user could pick her own passing threshold to trade off security against reliability. However, the authors note that the exam metaphor cannot express Boolean combinations of tasks: if Alice's boyfriend can correctly guess A or B while her brother can correctly guess C and D, she cannot express the requirement ((A ∨ B) ∧ (C ∨ D)) with the exam metaphor.
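An added example that makes the last point concrete (example code written for these notes, not the paper's). It evaluates the exam metaphor (points plus a passing score) and Alice's Boolean policy side by side, then searches all small integer point assignments and thresholds for one that accepts exactly the same task sets as the policy, finding none; the task names A-D, the point ranges and the "two of three" comparison policy are my assumptions. The search only confirms what a two-line argument already shows: the accepting sets {A,C} and {B,D} force wA+wC ≥ T and wB+wD ≥ T, while the rejecting sets {A,B} and {C,D} force wA+wB < T and wC+wD < T, and summing each pair demands wA+wB+wC+wD to be both ≥ 2T and < 2T.

```python
"""Exam metaphor (points and a passing score) versus a Boolean task policy.

Added illustration, not the SOUPS '09 authors' code.  Task names A-D, the
weight range searched and the comparison policy are assumptions.  The search
shows that no point assignment with an integer threshold reproduces
((A or B) and (C or D)), while a policy such as "any two of A, B, C" is
expressible.
"""
from itertools import combinations, product

TASKS = ("A", "B", "C", "D")


def exam_passes(weights, threshold, completed):
    """Exam metaphor: the points of the completed tasks must reach the threshold."""
    return sum(weights[t] for t in completed) >= threshold


def boolean_policy(completed):
    """Alice's requirement: one of {A, B} and one of {C, D}."""
    done = set(completed)
    return bool(done & {"A", "B"}) and bool(done & {"C", "D"})


def two_of_three(completed):
    """A policy the exam metaphor can express: any two of A, B, C."""
    return len(set(completed) & {"A", "B", "C"}) >= 2


def all_subsets(tasks):
    """Every set of tasks a user might complete, including none of them."""
    for r in range(len(tasks) + 1):
        yield from combinations(tasks, r)


def find_exam_weights(policy, tasks=TASKS, max_weight=4):
    """Search integer weights in [0, max_weight] and integer thresholds for an
    exam configuration that accepts exactly the task sets the policy accepts.
    Returns (weights, threshold), or None when no such configuration exists."""
    subsets = list(all_subsets(tasks))
    wanted = [policy(s) for s in subsets]
    for values in product(range(max_weight + 1), repeat=len(tasks)):
        weights = dict(zip(tasks, values))
        # A threshold above the total of all weights rejects everything, so
        # sum(values) + 1 is the last threshold worth trying.
        for threshold in range(0, sum(values) + 2):
            if [exam_passes(weights, threshold, s) for s in subsets] == wanted:
                return weights, threshold
    return None


if __name__ == "__main__":
    print("two of three:", find_exam_weights(two_of_three))
    print("(A or B) and (C or D):", find_exam_weights(boolean_policy))
```

The failing case is the same structure as XOR not being linearly separable: a single weighted sum with one cutoff cannot require "at least one from each of two groups", which is exactly the shape of a policy that resists two different insiders who each know a different subset of the answers.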
Citation (ACM Ref): Stuart Schechter and Robert W. Reeder. 2009. 1 + 1 = you: measuring the comprehensibility of metaphors for configuring backup authentication. In Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS '09). ACM, New York, NY, USA, Article 9, 31 pages. DOI=10.1145/1572532.1572544 http://doi.acm.org/10.1145/1572532.1572544