Pictures or questions? Examining user responses to association-based authentication

Karen Renaud; Michael Just

Pictures or questions? Examining user responses to association-based authentication

Karen Renaud, Michael Just

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

15 Citations (Scopus)

Abstract

Challenge questions are commonly used as a backup should users forget their “main” authentication secret. Such questions are notoriously difficult to design properly, and have sometimes allowed intruders to access the system via a back door simply by engaging in some online research about the victim. The problem is that most challenge questions rely on a user’s knowledge of their early life, something which tends not to deteriorate over time. Unfortunately, this kind of information can also be discovered by a determined attacker. We developed a challenge protocol in which a set of pictorial cues are used to prompt answers, rather than using the standard mechanism based on textual questions. The prompts solicit associative memories that need not represent factual information (information that aids an attacker in mounting targeted observation attacks) and serve as a stronger cue to aid the recall. Our results reveal that the solution has comparable security with that of traditional challenge questions, and may offer increased protection against external attackers. Furthermore, we obtained a 13% increase in the memorability of our answers, hence enhanced effectiveness of the mechanism. We conclude by discussing how further modifications could achieve even greater gains on the usability front.

Original language	English
Title of host publication	People and Computer XXIV Games are a Serious Business
Subtitle of host publication	Proceedings of HCI 2010 The 24th BCS Interaction Specialist Group Conference University of Abertay, Dundee, UK 6-10 September 2010
Place of Publication	Swindon
Publisher	British Informatics Society Limited
Pages	98-107
Number of pages	10
ISBN (Print)	9781780171302
Publication status	Published - 6 Sep 2010
Event	24th BCS Interaction Specialist Group Conference - University of Abertay, Dundee, United Kingdom Duration: 6 Sep 2010 → 10 Sep 2010

Conference

Conference	24th BCS Interaction Specialist Group Conference
Abbreviated title	BCS '10
Country/Territory	United Kingdom
City	Dundee
Period	6/09/10 → 10/09/10
Other	BCS-HCI: British Computer Society Conference on Human-Computer Interaction

Keywords

challenge questions
pictorial cues
challenge protocol
associative memories

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Documents and Links

Cite this

Renaud, K., & Just, M. (2010). Pictures or questions? Examining user responses to association-based authentication. In People and Computer XXIV Games are a Serious Business: Proceedings of HCI 2010 The 24th BCS Interaction Specialist Group Conference University of Abertay, Dundee, UK 6-10 September 2010 (pp. 98-107). British Informatics Society Limited . http://dl.acm.org/citation.cfm?id=2146318&CFID=892662859&CFTOKEN=68841250

@inproceedings{c1450ef018cf407186cb1b3664080390,

title = "Pictures or questions? Examining user responses to association-based authentication",

abstract = "Challenge questions are commonly used as a backup should users forget their “main” authentication secret. Such questions are notoriously difficult to design properly, and have sometimes allowed intruders to access the system via a back door simply by engaging in some online research about the victim. The problem is that most challenge questions rely on a user{\textquoteright}s knowledge of their early life, something which tends not to deteriorate over time. Unfortunately, this kind of information can also be discovered by a determined attacker. We developed a challenge protocol in which a set of pictorial cues are used to prompt answers, rather than using the standard mechanism based on textual questions. The prompts solicit associative memories that need not represent factual information (information that aids an attacker in mounting targeted observation attacks) and serve as a stronger cue to aid the recall. Our results reveal that the solution has comparable security with that of traditional challenge questions, and may offer increased protection against external attackers. Furthermore, we obtained a 13% increase in the memorability of our answers, hence enhanced effectiveness of the mechanism. We conclude by discussing how further modifications could achieve even greater gains on the usability front.",

keywords = "challenge questions, pictorial cues, challenge protocol, associative memories",

author = "Karen Renaud and Michael Just",

year = "2010",

month = sep,

day = "6",

language = "English",

isbn = "9781780171302 ",

pages = "98--107",

booktitle = "People and Computer XXIV Games are a Serious Business",

publisher = "British Informatics Society Limited ",

note = "24th BCS Interaction Specialist Group Conference, BCS '10 ; Conference date: 06-09-2010 Through 10-09-2010",

}

Renaud, K & Just, M 2010, Pictures or questions? Examining user responses to association-based authentication. in People and Computer XXIV Games are a Serious Business: Proceedings of HCI 2010 The 24th BCS Interaction Specialist Group Conference University of Abertay, Dundee, UK 6-10 September 2010. British Informatics Society Limited , Swindon, pp. 98-107, 24th BCS Interaction Specialist Group Conference, Dundee, United Kingdom, 6/09/10. <http://dl.acm.org/citation.cfm?id=2146318&CFID=892662859&CFTOKEN=68841250>

Pictures or questions? Examining user responses to association-based authentication. / Renaud, Karen; Just, Michael.

People and Computer XXIV Games are a Serious Business: Proceedings of HCI 2010 The 24th BCS Interaction Specialist Group Conference University of Abertay, Dundee, UK 6-10 September 2010. Swindon : British Informatics Society Limited , 2010. p. 98-107.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Pictures or questions? Examining user responses to association-based authentication

AU - Renaud, Karen

AU - Just, Michael

PY - 2010/9/6

Y1 - 2010/9/6

N2 - Challenge questions are commonly used as a backup should users forget their “main” authentication secret. Such questions are notoriously difficult to design properly, and have sometimes allowed intruders to access the system via a back door simply by engaging in some online research about the victim. The problem is that most challenge questions rely on a user’s knowledge of their early life, something which tends not to deteriorate over time. Unfortunately, this kind of information can also be discovered by a determined attacker. We developed a challenge protocol in which a set of pictorial cues are used to prompt answers, rather than using the standard mechanism based on textual questions. The prompts solicit associative memories that need not represent factual information (information that aids an attacker in mounting targeted observation attacks) and serve as a stronger cue to aid the recall. Our results reveal that the solution has comparable security with that of traditional challenge questions, and may offer increased protection against external attackers. Furthermore, we obtained a 13% increase in the memorability of our answers, hence enhanced effectiveness of the mechanism. We conclude by discussing how further modifications could achieve even greater gains on the usability front.

AB - Challenge questions are commonly used as a backup should users forget their “main” authentication secret. Such questions are notoriously difficult to design properly, and have sometimes allowed intruders to access the system via a back door simply by engaging in some online research about the victim. The problem is that most challenge questions rely on a user’s knowledge of their early life, something which tends not to deteriorate over time. Unfortunately, this kind of information can also be discovered by a determined attacker. We developed a challenge protocol in which a set of pictorial cues are used to prompt answers, rather than using the standard mechanism based on textual questions. The prompts solicit associative memories that need not represent factual information (information that aids an attacker in mounting targeted observation attacks) and serve as a stronger cue to aid the recall. Our results reveal that the solution has comparable security with that of traditional challenge questions, and may offer increased protection against external attackers. Furthermore, we obtained a 13% increase in the memorability of our answers, hence enhanced effectiveness of the mechanism. We conclude by discussing how further modifications could achieve even greater gains on the usability front.

KW - challenge questions

KW - pictorial cues

KW - challenge protocol

KW - associative memories

M3 - Conference contribution

SN - 9781780171302

SP - 98

EP - 107

BT - People and Computer XXIV Games are a Serious Business

PB - British Informatics Society Limited

CY - Swindon

T2 - 24th BCS Interaction Specialist Group Conference

Y2 - 6 September 2010 through 10 September 2010

ER -

Pictures or questions? Examining user responses to association-based authentication

Abstract

Conference

Keywords

UN SDGs

Documents and Links

Fingerprint

Cite this