Using avatars for improved authentication with challenge questions

We present a novel method for improving the security of challenge question authentication, which traditionally requires a user to answer questions such as "What is your mother's maiden name?". In our method, users create an Avatar representing a fictitious person, and later use the Avatar's information to authenticate themselves. The Avatar Profile consists of basic identifying information (e.g., name, address) as well as personality information (e.g., pets, interests). This information is pseudo-randomly generated from a large corpus of information. For authentication purposes, a small amount of the Avatar Profile information is used to respond to challenge questions. In terms of security, the use of information that is not personally associated with the user is intended to thwart observation attacks in which, for example, an attacker already knows the user's mother's maiden name. In terms of usability, our design establishes a bond between the user and their Avatar using graphical images and periodic associations, for example by presenting an image of the Avatar at each login. This nurturing of the bond between a user and their Avatar leverages known psychological phenomena. At the same time, it adapts to security the emotional investment that users exhibit in virtual worlds and massively multi-user online graphical environments. In this paper, we describe our work-in-progress towards an Avatar Authentication design, partially guided by an initial pilot experiment. Our initial results are promising and point to a possible future for the use of avatars for authentication.

Keywords: authentication; avatar; security; usability.
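To make the mechanism in the abstract concrete, the following is an added example written for this page; it is not the authors' prototype. It assumes a small constructed corpus (the paper describes a large one), a CSPRNG for profile generation, that the challenged profile fields are stored only as salted PBKDF2 hashes (the abstract does not say how answers are stored), and that responses are compared after case and whitespace normalization. The entropy helper makes explicit what the scheme buys: the guess space is set by corpus size and the number of challenged fields, not by facts about the user's life.

```python
"""Added illustration of an Avatar Profile challenge-question scheme.

Example code for this page, not the paper's implementation. Assumed details
(not in the abstract): toy corpus, CSPRNG selection, salted PBKDF2 storage,
normalized constant-time comparison.
"""
import hashlib
import hmac
import math
import secrets

# Constructed toy corpus. A real deployment needs far more entries per field
# for the entropy estimate below to be meaningful.
CORPUS = {
    "first_name": ["Ada", "Bram", "Chiara", "Dev", "Elin", "Farid", "Greta", "Hugo"],
    "street": ["Elm Street", "Harbour Road", "Kings Way", "Mill Lane", "Oak Avenue", "Pine Court"],
    "pet": ["a cat named Moss", "a dog named Pip", "a parrot named Rio", "no pets"],
    "interest": ["chess", "cycling", "gardening", "jazz", "photography", "sailing"],
    "favourite_colour": ["blue", "green", "red", "yellow"],
}

PBKDF2_ITERATIONS = 100_000


def generate_profile(corpus=CORPUS, rng=secrets.choice):
    """Pseudo-randomly build an Avatar Profile: one entry per corpus field.

    rng is injectable so tests can be deterministic; production uses secrets.
    """
    return {field: rng(values) for field, values in corpus.items()}


def normalize(answer):
    """Canonical form so casing or spacing slips do not lock the user out."""
    return " ".join(answer.lower().split())


def _hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)


def enroll(profile, fields):
    """Keep only salted hashes of the challenged fields; the plaintext profile
    is the user's secret and should not sit in the authentication database."""
    records = {}
    for f in fields:
        salt = secrets.token_bytes(16)
        records[f] = (salt, _hash_answer(profile[f], salt))
    return records


def verify(records, responses):
    """Every challenged field must match. All fields are always checked and
    each comparison is constant-time, so timing does not reveal which one failed."""
    ok = True
    for f, (salt, digest) in records.items():
        candidate = _hash_answer(responses.get(f, ""), salt)
        ok &= hmac.compare_digest(candidate, digest)
    return ok


def guess_entropy_bits(corpus, fields):
    """Bits an attacker must guess for uniformly chosen fields (assumes the
    fields are selected independently, which the toy corpus satisfies)."""
    return sum(math.log2(len(corpus[f])) for f in fields)


if __name__ == "__main__":
    profile = generate_profile()
    records = enroll(profile, ["pet", "interest"])
    print("avatar:", profile)
    print("login with correct answers:", verify(records, {"pet": profile["pet"], "interest": profile["interest"]}))
    print("login with wrong interest:", verify(records, {"pet": profile["pet"], "interest": "knitting"}))
    print("guess entropy (bits):", guess_entropy_bits(CORPUS, ["pet", "interest"]))
```

The practical caveat this exposes: because the answers are drawn from a public-style corpus rather than from the user's biography, the scheme's resistance to the "attacker knows your mother's maiden name" case is real, but its resistance to guessing is only as large as the corpus and the number of fields challenged. With the toy corpus above, two fields give under five bits, so rate limiting and lockout remain necessary, exactly as for ordinary challenge questions.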
