Where Have You Been? Using Location-Based Security Questions for Fallback Authentication

In this paper, we propose and evaluate the combination of location-based authentication with security questions as a more usable and secure fallback authentication scheme. A four-week user study with an additional evaluation after six months was conducted to test the feasibility of the concept in the context of long-term fallback authentication. The results show that most users are able to recall the locations to their security questions within a distance of 30 meters, while potential adversaries are poor at guessing the answers even after performing Internet research. After four weeks, our approach yields an accuracy of 95% and reaches, after six months, a value of 92%. In both cases, none of the adversaries were able to attack users successfully.
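To make the acceptance rule concrete, the following is an added example (not code from the paper or its authors) of how a server might verify a recalled location against the one enrolled for a security question. It takes the 30 meter tolerance from the abstract; everything else, including storing the enrolled answer as plain coordinates, requiring every question to be answered correctly in one attempt, the attempt limit, and the sample coordinates, is an assumption made for illustration. Distances are computed with the haversine formula on a spherical Earth, which is accurate to well under a meter at these ranges.

```python
import math
from dataclasses import dataclass, field
from typing import List, Tuple

EARTH_RADIUS_M = 6371000.0   # mean Earth radius, spherical model
ACCEPT_RADIUS_M = 30.0       # tolerance reported in the abstract


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in meters between two WGS84 points (degrees)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class LocationQuestion:
    """A security question whose enrolled answer is a geographic point.
    Storing raw coordinates is an assumption of this example; fuzzy matching
    rules out a plain hash of the answer."""
    prompt: str
    lat: float
    lon: float


@dataclass
class RecoveryPolicy:
    """Assumed policy: all questions must be answered within the radius in a
    single attempt, and the account locks after max_attempts failures."""
    questions: List[LocationQuestion]
    max_attempts: int = 3
    attempts_used: int = field(default=0)


def answer_within_radius(q: LocationQuestion, lat: float, lon: float,
                         radius_m: float = ACCEPT_RADIUS_M) -> bool:
    return haversine_m(q.lat, q.lon, lat, lon) <= radius_m


def attempt_recovery(policy: RecoveryPolicy,
                     answers: List[Tuple[float, float]]) -> Tuple[bool, str]:
    """Evaluate one recovery attempt. Only an aggregate verdict is returned so
    the caller learns nothing about which individual question failed or by
    how far, which limits use of the endpoint as a distance oracle."""
    if policy.attempts_used >= policy.max_attempts:
        return False, "locked"
    if len(answers) != len(policy.questions):
        return False, "malformed"
    policy.attempts_used += 1
    # Evaluate every question (no short-circuit) so timing does not reveal
    # the index of the first wrong answer.
    results = [answer_within_radius(q, lat, lon)
               for q, (lat, lon) in zip(policy.questions, answers)]
    if all(results):
        policy.attempts_used = 0
        return True, "ok"
    if policy.attempts_used >= policy.max_attempts:
        return False, "locked"
    return False, "rejected"


def sample_policy() -> RecoveryPolicy:
    """Constructed enrollment data for the example (not from the study)."""
    return RecoveryPolicy(questions=[
        LocationQuestion("Where did you have your first job?", 48.1371, 11.5754),
        LocationQuestion("Where was your favourite holiday?", 48.1400, 11.5800),
    ])


if __name__ == "__main__":
    policy = sample_policy()
    # Roughly 22 m north of the first enrolled point, exact on the second.
    print(attempt_recovery(policy, [(48.1373, 11.5754), (48.1400, 11.5800)]))
    # Roughly 111 m off on the first question: rejected.
    print(attempt_recovery(policy, [(48.1381, 11.5754), (48.1400, 11.5800)]))
```

At the latitude used here one ten-thousandth of a degree of latitude is about 11 m, so an answer 0.0002 degrees off lands inside the 30 m window while 0.001 degrees off lands well outside it. A real deployment would also rate-limit by client, log each attempt, and treat the enrolled coordinates as sensitive personal data at rest.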
