Q-A: Towards the Solution of Usability-Security Tension in User Authentication

Users often choose passwords that are easy to remember but also easy to guess by attackers. Recent studies have revealed the vulnerability of textual passwords to shoulder surfing and keystroke loggers. It remains a critical challenge in password research to develop an authentication scheme that addresses these security issues, in addition to offering good memorability. Motivated by psychology research on humans' cognitive strengths and weaknesses, we explore the potential of cognitive questions as a way to address the major challenges in user authentication. We design, implement, and evaluate Q-A, a novel cognitive-question-based password system that requires a user to enter the letter at a given position in her answer for each of six personal questions (e.g. "What is the name of your favorite childhood teacher?"). In this scheme, the user does not need to memorize new, artificial information as her authentication secret. Our scheme offers 28 bits of theoretical password space, which has been found sufficient to prevent online brute-force attacks. Q-A is also robust against shoulder surfing and keystroke loggers. We conducted a multi-session in-lab user study to evaluate the usability of Q-A; 100% of users were able to remember their Q-A password over the span of one week, although login times were high. We compared our scheme with random six character passwords and found that login success rate in Q-A was significantly higher. Based on our results, we suggest that Q-A would be most appropriate in contexts that demand high security and where logins occur infrequently (e.g., online bank accounts).
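As an added illustration (not the authors' implementation), the following Python sketch models the Q-A challenge-response as the abstract describes it: six enrolled answers, a fresh letter position per answer at each login, and verification of the six-letter response; `theoretical_bits` reproduces the 28-bit figure as six independent choices from 26 letters. The answers, the class name and the helper names are constructed for this example.

```python
"""Toy model of the Q-A cognitive-question login scheme (added example).

Assumptions: six personal questions, answers normalized to lowercase a-z,
and a server-chosen 1-based letter position per answer for every login.
The sample answers below are constructed, not from any study."""
import math
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
NUM_QUESTIONS = 6


def normalize(answer: str) -> str:
    """Keep only a-z letters, lowercased, so letter positions are stable."""
    return "".join(ch for ch in answer.lower() if ch in ALPHABET)


def theoretical_bits(num_questions: int = NUM_QUESTIONS) -> float:
    """Theoretical password space: one of 26 letters for each question.
    Six questions give 6 * log2(26), about 28.2 bits, as the abstract states."""
    return num_questions * math.log2(len(ALPHABET))


class QAEnrollment:
    """Server-side state for one user. The server must be able to look up any
    letter of any answer, so the answers themselves are retained here; protect
    this record at rest, since the scheme only targets online guessing."""

    def __init__(self, answers):
        self.answers = [normalize(a) for a in answers]
        if len(self.answers) != NUM_QUESTIONS or not all(self.answers):
            raise ValueError("need six non-empty answers")

    def challenge(self, rng=secrets.randbelow):
        """Fresh positions each login: an observed response is not reusable,
        which is what blunts shoulder surfing and keystroke logging."""
        return [rng(len(a)) + 1 for a in self.answers]

    def expected(self, positions):
        return "".join(a[p - 1] for a, p in zip(self.answers, positions))

    def verify(self, positions, response: str) -> bool:
        """Reject malformed challenges, then compare in constant time."""
        if len(positions) != NUM_QUESTIONS or any(
                not 1 <= p <= len(a) for a, p in zip(self.answers, positions)):
            return False
        response = normalize(response)
        if len(response) != NUM_QUESTIONS:
            return False
        return secrets.compare_digest(self.expected(positions), response)
```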
