Making Passwords Secure and Usable
HCI 97 Proceedings of HCI on People and Computers XII
Cost-Effective Computer Security: Cognitive and Associative Passwords
OZCHI '96 Proceedings of the 6th Australian Conference on Computer-Human Interaction (OZCHI '96)
Password sharing: implications for security design based on social practice
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Déjà Vu: a user study using images for authentication
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Personal knowledge questions for fallback authentication: security questions in the era of Facebook
Proceedings of the 4th symposium on Usable privacy and security
VIP: a visual approach to user authentication
Proceedings of the Working Conference on Advanced Visual Interfaces
Personal choice and challenge questions: a security and usability assessment
Proceedings of the 5th Symposium on Usable Privacy and Security
It's No Secret. Measuring the Security and Reliability of Authentication via "Secret Questions"
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Web Authentication Using Mikon Images
CONGRESS '09 Proceedings of the 2009 World Congress on Privacy, Security, Trust and the Management of e-Business
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Mercury: recovering forgotten passwords using personal devices
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Challenge questions are commonly used as a backup should users forget their "main" authentication secret. Such questions are notoriously difficult to design properly, and have sometimes allowed intruders to access the system via a back door simply by engaging in some online research about the victim [33]. Most challenge questions rely on a user's knowledge of their early life, something which tends not to deteriorate over time [15]. Unfortunately, this kind of information can also be discovered by a determined attacker. We developed a challenge protocol in which a set of pictorial cues is used to prompt answers, rather than the standard mechanism based on textual questions. The prompts solicit associative memories that need not represent factual information (information that aids an attacker in mounting targeted observation attacks) and serve as a stronger cue to aid recall. Our results reveal that the solution has security comparable to that of traditional challenge questions (when considering external attackers), and suggest additional benefits from posing three or more questions serially. Furthermore, we obtained a 13% increase in the memorability of our (name-based) answers, while our results suggest enhancements could help improve the recall of place-based answers. We conclude by discussing how further modifications could achieve gains on the usability front.