Personal Choice and Challenge Questions: A Security and Usability Assessment
Author(s): Mike Just, David Aspinall

Date: July 2009
Publication: Symposium on Usable Privacy and Security, SOUPS '09
Publisher: ACM
Source 1: http://homepages.inf.ed.ac.uk/mjust/SOUPS2009Revised.pdf
Source 2: http://dx.doi.org/10.1145/1572532.1572543 - Subscription or payment required

Abstract:
Challenge questions are an increasingly important part of mainstream authentication solutions, yet there are few published studies concerning their usability or security. This paper reports on an experimental investigation into user-chosen questions. We collected questions from a large cohort of students, in a way that encouraged participants to give realistic data. The questions allow us to consider possible modes of attack and to judge the relative effort needed to crack a question, according to an innovative model of the knowledge of the attacker. Using this model, we found that many participants were likely to have chosen questions with low entropy answers, yet they believed that their challenge questions would resist attacks from a stranger. Though by asking multiple questions, we are able to show a marked improvement in security for most users. In a second stage of our experiment, we applied existing metrics to measure the usability of the questions and answers. Despite having youthful memories and choosing their own questions, users made errors more frequently than desirable.




Copyright © 2016 PasswordResearch.com