Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook
Author(s): Ariel Rabkin

Date: July 2008
Publication: Proceedings of the 4th Symposium On Usable Privacy and Security, SOUPS '08
Page(s): 13 - 23
Publisher: ACM
Source 1:
Source 2:
Source 3: - Subscription or payment required

Abstract or Summary:
Security questions (or challenge questions) are commonly used to authenticate users who have lost their passwords. We examined the password retrieval mechanisms for a number of personal banking websites, and found that many of them rely in part on security questions with serious usability and security weaknesses. We discuss patterns in the security questions we observed. We argue that today's personal security questions owe their strength to the hardness of an information-retrieval problem. However, as personal information becomes ubiquitously available online, the hardness of this problem, and security provided by such questions, will likely diminish over time. We supplement our survey of bank security questions with a small user study that supplies some context for how such questions are used in practice.

Do you have additional information to contribute regarding this research paper? If so, please email with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2016