Personal choice and challenge questions: a security and usability assessment

Challenge questions are an increasingly important part of mainstream authentication solutions, yet there are few published studies concerning their usability or security. This paper reports on an experimental investigation into user-chosen questions. We collected questions from a large cohort of students, in a way that encouraged participants to give realistic data. The questions allow us to consider possible modes of attack and to judge the relative effort needed to crack a question, according to an innovative model of the knowledge of the attacker. Using this model, we found that many participants were likely to have chosen questions with low-entropy answers, yet they believed that their challenge questions would resist attacks from a stranger. By asking multiple questions, however, we are able to show a marked improvement in security for most users. In a second stage of our experiment, we applied existing metrics to measure the usability of the questions and answers. Despite having youthful memories and choosing their own questions, users made errors more frequently than desirable.
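The abstract speaks of low-entropy answers and of the gain from asking several questions. The following Python is an added illustration, not the paper's own attacker-knowledge model or data: it applies the standard Shannon and min-entropy measures to a constructed table of answer frequencies, estimates how often an attacker who knows only the answer distribution succeeds within a few guesses, and shows how requiring all of several independently chosen questions raises the combined guessing effort. The question names, the answer counts and the 2-bit weakness threshold are all assumptions made for the example.

```python
"""Entropy-based screening of challenge-question answer distributions.

Added example: uses Shannon entropy and min-entropy over constructed
answer frequencies. It does not reproduce the paper's attacker model.
"""
import math
from collections import Counter

# Constructed sample data (hypothetical): the answers a population of 100
# users gave to each question. Real deployments would collect these from
# enrolment data or a public word-frequency source.
SAMPLE_ANSWERS = {
    "favourite colour": (["blue"] * 40 + ["red"] * 25 + ["green"] * 20
                         + ["black"] * 10 + ["purple"] * 5),
    # Ten equally common pet names, ten users each (assumed, for contrast).
    "first pet's name": [f"pet{i}" for i in range(10) for _ in range(10)],
}


def shannon_entropy_bits(answers):
    """Average surprise of an answer drawn from this population, in bits."""
    counts = Counter(answers)
    n = len(answers)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def min_entropy_bits(answers):
    """Worst-case measure: -log2 of the single most common answer's share.

    This is the quantity that matters for an attacker who always tries
    the most popular answer first.
    """
    counts = Counter(answers)
    return -math.log2(max(counts.values()) / len(answers))


def guess_success_probability(answers, guesses):
    """Probability that an attacker who knows the answer distribution
    (but nothing about the individual user) succeeds within `guesses`
    attempts, trying answers in order of popularity."""
    counts = sorted(Counter(answers).values(), reverse=True)
    return sum(counts[:guesses]) / len(answers)


def combined_min_entropy_bits(question_answers):
    """Min-entropy of requiring ALL questions to be answered correctly.

    Assumes answers to different questions are independent, so the
    per-question min-entropies add (an assumption of this example).
    """
    return sum(min_entropy_bits(a) for a in question_answers.values())


def joint_single_guess_success(question_answers):
    """Attacker success with one popularity-ordered guess per question,
    under the same independence assumption."""
    p = 1.0
    for answers in question_answers.values():
        p *= guess_success_probability(answers, 1)
    return p


def weak_questions(question_answers, threshold_bits):
    """Questions whose min-entropy falls below a policy threshold; a
    defender would refuse or warn about these at enrolment."""
    return [q for q, a in question_answers.items()
            if min_entropy_bits(a) < threshold_bits]


if __name__ == "__main__":
    for q, a in SAMPLE_ANSWERS.items():
        print(f"{q}: H={shannon_entropy_bits(a):.2f} bits, "
              f"H_min={min_entropy_bits(a):.2f} bits, "
              f"P(3 guesses)={guess_success_probability(a, 3):.2f}")
    print("combined H_min:", round(combined_min_entropy_bits(SAMPLE_ANSWERS), 2))
    print("joint single-guess success:", joint_single_guess_success(SAMPLE_ANSWERS))
    print("below 2 bits:", weak_questions(SAMPLE_ANSWERS, 2.0))
```

Min-entropy, not Shannon entropy, is the figure to enforce at enrolment: a question can have a respectable average entropy while one answer still covers a large fraction of users, and it is that single most popular answer an attacker will try first.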
