Quantifying the security of preference-based authentication

We describe a technique aimed at addressing longstanding problems for password reset: security and cost. In our approach, users are authenticated using their preferences. Experiments and simulations have shown that the proposed approach is secure, fast, and easy to use. In particular, the average time for a user to complete the setup is approximately two minutes, and the authentication process takes only half that time. The false negative rate of the system is essentially 0% for our selected parameter choice. For an adversary who knows the frequency distributions of answers to the questions used, the false positive rate of the system is estimated at less than half a percent, while the false positive rate is close to 0% for an adversary without this information. Both of these estimates have a significance level of 5%.
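The abstract reports false negative and false positive rates for an authenticator that accepts a user when enough of their re-stated preferences match the stored ones, against an adversary who either does or does not know the population frequencies of the answers. The following is an added example, not the paper's own scheme or code: it assumes a toy model of n binary preference questions, an accept rule of "at least `threshold` matching answers", a per-question re-answer consistency `stability` for the legitimate user, and constructed population frequencies `freqs`. Under those assumptions it computes the exact Poisson-binomial error rates rather than simulating them, and shows how a threshold can be chosen for a target false negative rate and what a 95% upper bound on a rate looks like when an experiment observed zero failures.

```python
"""Toy model for quantifying a preference-based authenticator (added example).

Assumed scheme (not taken from the paper): the user answers n binary
preference questions at setup; at reset time they answer again and are
accepted when at least `threshold` answers match the stored ones. Question i
has a population frequency freqs[i] = P(answer is "like"). All numbers used in
the demo are constructed for illustration.
"""
from typing import List, Sequence


def match_count_distribution(match_probs: Sequence[float]) -> List[float]:
    """Exact distribution of the number of matching answers when question i
    matches independently with probability match_probs[i] (Poisson binomial),
    built by dynamic programming. Returns dist with dist[k] = P(k matches)."""
    dist = [1.0]
    for p in match_probs:
        nxt = [0.0] * (len(dist) + 1)
        for k, mass in enumerate(dist):
            nxt[k] += mass * (1.0 - p)      # question does not match
            nxt[k + 1] += mass * p          # question matches
        dist = nxt
    return dist


def tail_probability(match_probs: Sequence[float], threshold: int) -> float:
    """P(number of matches >= threshold), i.e. the probability of acceptance."""
    dist = match_count_distribution(match_probs)
    return sum(dist[threshold:])


def false_negative_rate(n: int, stability: float, threshold: int) -> float:
    """Legitimate user: each question is re-answered consistently with
    probability `stability` (assumed independent across questions)."""
    return 1.0 - tail_probability([stability] * n, threshold)


def false_positive_rate_informed(freqs: Sequence[float], threshold: int) -> float:
    """Adversary who knows the frequency distribution submits the majority
    answer to every question. Because the victim's stored answers follow the
    population distribution, question i then matches with prob max(f, 1 - f)."""
    return tail_probability([max(f, 1.0 - f) for f in freqs], threshold)


def false_positive_rate_uninformed(n: int, threshold: int) -> float:
    """Adversary with no frequency information guesses each answer uniformly."""
    return tail_probability([0.5] * n, threshold)


def choose_threshold(n: int, stability: float, max_fnr: float) -> int:
    """Largest accept threshold whose false negative rate stays <= max_fnr
    (the strictest rule the usability budget allows). FNR grows with t."""
    best = 0
    for t in range(n + 1):
        if false_negative_rate(n, stability, t) <= max_fnr:
            best = t
    return best


def clopper_pearson_upper_zero(trials: int, alpha: float = 0.05) -> float:
    """Exact one-sided (1 - alpha) upper confidence bound on an event rate when
    the event was observed 0 times in `trials` independent trials. This is the
    bound an experiment can claim at significance level alpha after seeing no
    false positives at all."""
    return 1.0 - alpha ** (1.0 / trials)


if __name__ == "__main__":
    # Constructed parameters for the demo (hypothetical, not from the paper).
    freqs = [0.5, 0.6, 0.7, 0.8, 0.55, 0.65, 0.75, 0.85,
             0.45, 0.4, 0.3, 0.2, 0.35, 0.25, 0.15, 0.5]
    n = len(freqs)
    stability = 0.97
    t = choose_threshold(n, stability, max_fnr=0.01)
    print(f"questions={n} threshold={t}")
    print(f"FNR (legit user)         = {false_negative_rate(n, stability, t):.4f}")
    print(f"FPR (informed adversary) = {false_positive_rate_informed(freqs, t):.4f}")
    print(f"FPR (uninformed)         = {false_positive_rate_uninformed(n, t):.6f}")
    print(f"95% upper bound after 0 false positives in 1000 trials = "
          f"{clopper_pearson_upper_zero(1000):.4f}")
```

The informed adversary's advantage comes entirely from skewed questions: a question with frequency 0.5 gives a frequency-aware guesser no more than a coin flip, while one at 0.85 matches 85% of the time, which is why the model's informed and uninformed false positive rates diverge and why question selection matters as much as the threshold.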
