Challenging challenge questions: an experimental analysis of authentication technologies and user behaviour

Mike Just, David Aspinall

Research output: Contribution to journal › Article

    Abstract

To authenticate human users to systems, challenge questions based on personal information are often used, typically when a primary authentication credential, such as a password, is forgotten. This ought to be a trustworthy mechanism that is both reliable and accurate: personal information should be inherently memorable and not known to others. However, concerns have been raised recently about these assumptions: for example, some commonly used questions may be based on information that is available publicly. A possible improvement, then, is to allow users to choose their own questions. Here we report on an experiment which gathered user-chosen questions, and on a subsequent security and usability analysis of them. Our experiment itself follows a novel method which is designed to engender the trust of participants, so that they participate honestly. This methodological innovation demonstrates that it is possible to perform ethical authentication experiments in which sensitive information does not have to be collected from users.

    Original language: English
    Pages (from-to): 99-115
    Number of pages: 17
    Journal: Policy and Internet
    Volume: 2
    Issue number: 1
    DOIs
    Publication status: Published - Apr 2010

    Keywords

    • usability
    • authentication
    • security
    • challenge questions
