Personal choice and challenge questions: a security and usability assessment

Mike Just, David Aspinall

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Challenge questions are an increasingly important part of mainstream authentication solutions, yet there are few published studies concerning their usability or security. This paper reports on an experimental investigation into user-chosen questions. We collected questions from a large cohort of students, in a way that encouraged participants to give realistic data. The questions allow us to consider possible modes of attack and to judge the relative effort needed to crack a question, according to an innovative model of the knowledge of the attacker. Using this model, we found that many participants were likely to have chosen questions with low entropy answers, yet they believed that their challenge questions would resist attacks from a stranger. Though by asking multiple questions, we are able to show a marked improvement in security for most users.

    Original language: English
    Title of host publication: Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS)
    Publisher: ACM
    Pages: 1-11
    Number of pages: 11
    ISBN (Print): 9781605587363
    DOI: 10.1145/1572532.1572543
    Publication status: Published - 2009

    Keywords

    • usability
    • computer security
    • challenge questions

    Cite this

    Just, M., & Aspinall, D. (2009). Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS) (pp. 1-11). ACM. https://doi.org/10.1145/1572532.1572543
    @inproceedings{a9c98e5e00c2418c9b3bf7ef05c06ac0,
    title = "Personal choice and challenge questions: a security and usability assessment",
    abstract = "Challenge questions are an increasingly important part of mainstream authentication solutions, yet there are few published studies concerning their usability or security. This paper reports on an experimental investigation into user-chosen questions. We collected questions from a large cohort of students, in a way that encouraged participants to give realistic data. The questions allow us to consider possible modes of attack and to judge the relative effort needed to crack a question, according to an innovative model of the knowledge of the attacker. Using this model, we found that many participants were likely to have chosen questions with low entropy answers, yet they believed that their challenge questions would resist attacks from a stranger. Though by asking multiple questions, we are able to show a marked improvement in security for most users.",
    keywords = "usability, computer security, challenge questions",
    author = "Mike Just and David Aspinall",
    note = "No page no's but article no. 8 ET 21-11-13. Paper presented at the 5th Symposium on Usable Privacy and Security (SOUPS), Mountain View, USA, 15-17 July 2009. Conference website: http://cups.cs.cmu.edu/soups/2009/",
    year = "2009",
    doi = "10.1145/1572532.1572543",
    language = "English",
    isbn = "9781605587363",
    pages = "1--11",
    booktitle = "Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS)",
    publisher = "ACM",
    }
