Evaluating smartphone-based dynamic security questions for fallback authentication: a field study

To address the limitations of fallback authentication mechanisms based on static challenge questions (e.g., easy predictability), smartphone-based autobiographical authentication mechanisms have recently been explored in which challenge questions are not predetermined but are instead generated dynamically from users' day-to-day activities as captured by their smartphones. However, because answering different types and styles of questions is likely to require different amounts of cognitive effort and to affect users' performance, a thorough study is required to investigate how the type and style of challenge questions and the answer selection mechanism affect users' recall performance and the usability of such systems. Towards that, this paper explores seven different types of challenge questions, each generated from a different kind of smartphone usage data. For evaluation, we conducted a 30-day field study with 24 participants who were recruited in pairs to simulate different kinds of adversaries (e.g., close friends, significant others). Our findings suggest that question type does have a significant effect on user performance. Furthermore, to address the variation in users' accuracy across sessions and question types, we investigate and present a Bayesian-classifier-based authentication algorithm that authenticates legitimate users with high accuracy by leveraging their individual response patterns.
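As an added illustration of the last point (this is not the paper's algorithm or data): a naive-Bayes session score that compares a user's own per-question-type accuracy profile, learned from earlier sessions, against a profile of the paired adversary's attempts, so that two sessions with the same number of correct answers can still be told apart. The seven question types are left unnamed (T1..T7) and every history and session below is constructed.

```python
"""Per-user Bayesian scoring of a dynamic-security-question session (constructed
illustration; the seven question types are left unnamed as T1..T7, and all
numbers below are assumptions, not the study's data)."""
from math import log

QUESTION_TYPES = ["T1", "T2", "T3", "T4", "T5", "T6", "T7"]


def accuracy_profile(sessions, alpha=1.0):
    """Laplace-smoothed P(correct | question type) learned from past sessions,
    each session being a list of (question_type, answered_correctly) pairs."""
    hits = {t: 0 for t in QUESTION_TYPES}
    seen = {t: 0 for t in QUESTION_TYPES}
    for session in sessions:
        for qtype, correct in session:
            seen[qtype] += 1
            hits[qtype] += int(correct)
    return {t: (hits[t] + alpha) / (seen[t] + 2 * alpha) for t in QUESTION_TYPES}


def session_llr(session, legit_profile, adversary_profile):
    """Naive-Bayes log-likelihood ratio log P(answers|legit) - log P(answers|adversary),
    treating answers as independent given who is answering."""
    llr = 0.0
    for qtype, correct in session:
        p_l, p_a = legit_profile[qtype], adversary_profile[qtype]
        llr += log(p_l if correct else 1 - p_l) - log(p_a if correct else 1 - p_a)
    return llr


def authenticate(session, legit_profile, adversary_profile, threshold=0.0):
    """Accept only when the legitimate-user hypothesis wins by more than `threshold` nats."""
    return session_llr(session, legit_profile, adversary_profile) > threshold


def fixed_rule(session, k):
    """Baseline that ignores who is answering: accept any session with >= k correct answers."""
    return sum(correct for _, correct in session) >= k


def make_sessions(hits_per_type, n_sessions=4):
    """Constructed history: type t is answered correctly in the first hits_per_type[t] sessions."""
    return [[(t, i < hits_per_type[t]) for t in QUESTION_TYPES] for i in range(n_sessions)]


# Constructed enrollment history of one user (strong on T1-T4, weak on T6-T7) and of the
# paired adversary (a close friend) answering that user's questions during the study.
LEGIT_PROFILE = accuracy_profile(make_sessions({"T1": 4, "T2": 4, "T3": 3, "T4": 3, "T5": 2, "T6": 1, "T7": 1}))
ADVERSARY_PROFILE = accuracy_profile(make_sessions({"T1": 2, "T2": 1, "T3": 1, "T4": 2, "T5": 1, "T6": 1, "T7": 0}))
# Two new sessions with 4 of 7 correct each: fixed_rule(.., 4) accepts both, the
# per-user model accepts only the one whose pattern of hits matches the real user.
LEGIT_SESSION = [(t, t in {"T1", "T2", "T3", "T4"}) for t in QUESTION_TYPES]
ADVERSARY_SESSION = [(t, t in {"T1", "T4", "T5", "T6"}) for t in QUESTION_TYPES]
```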
