Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper)

Personal Knowledge Questions are widely used for fallback authentication, i.e., recovering access to an account when the primary authenticator is lost. It is well known that the answers only have low-entropy and are sometimes derivable from public data sources, but ease-of-use and supposedly good memorability seem to outweigh this drawback for some applications.

[1]  Ariel Rabkin,et al.  Personal knowledge questions for fallback authentication: security questions in the era of Facebook , 2008, SOUPS '08.

[2]  Moti Yung,et al.  Fourth-factor authentication: somebody you know , 2006, CCS '06.

[3]  Moshe Zviran,et al.  A Comparison of Password Techniques for Multilevel Authentication Mechanisms , 1990, Comput. J..

[4]  Mike Just,et al.  Designing and evaluating challenge-question systems , 2004, IEEE Security & Privacy Magazine.

[5]  Joseph Bonneau,et al.  What ’ s in a Name ? Evaluating Statistical Attacks on Personal Knowledge Questions , 2010 .

[6]  Joseph Bonneau,et al.  Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google , 2015, WWW.

[7]  Serge Egelman,et al.  It's No Secret. Measuring the Security and Reliability of Authentication via “Secret” Questions , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[8]  Serge Egelman,et al.  It's No Secret. Measuring the Security and Reliability of Authentication via "Secret" Questions , 2009, IEEE Symposium on Security and Privacy.

[9]  Markus Jakobsson,et al.  Love and authentication , 2008, CHI.

[10]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[11]  Simson L. Garfinkel,et al.  Email-Based Identification and Authentication: An Alternative to PKI? , 2003, IEEE Secur. Priv..

[12]  Ross J. Anderson,et al.  Social Authentication: Harder Than It Looks , 2012, Financial Cryptography.

[13]  Markus Jakobsson,et al.  Messin' with Texas Deriving Mother's Maiden Names Using Public Records , 2005, ACNS.

[14]  Serge Egelman,et al.  It's not what you know, but who you know: a social approach to last-resort authentication , 2009, CHI.

[15]  William L. Simon,et al.  The Art of Deception: Controlling the Human Element of Security , 2001 .

[16]  David S. Rosenblum,et al.  What Anyone Can Know: The Privacy Risks of Social Networking Sites , 2007, IEEE Security & Privacy.