Geographical Security Questions for Fallback Authentication

Fallback authentication is the backup authentication method used when the primary authentication method (e.g., a password or a biometric) fails. Currently, widely deployed fallback authentication methods (e.g., security questions, email resets, and SMS resets) suffer from documented security and usability flaws that threaten the security of accounts. These flaws motivate us to design and study Geographical Security Questions (GeoSQ), a system for fallback authentication. GeoSQ is an Android application that uses autobiographical location data for fallback authentication. We performed security and usability analyses of GeoSQ through an in-person, two-session lab study (n=36, 18 pairs). Our results indicate that GeoSQ exceeds the security of its counterparts, while its usability (specifically login time and memorability) has room for improvement.
