Pictures or questions? Examining user responses to association-based authentication

Karen Renaud, Michael Just

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Challenge questions are commonly used as a backup should users forget their “main” authentication secret. Such questions are notoriously difficult to design properly, and have sometimes allowed intruders to access the system via a back door simply by engaging in some online research about the victim. The problem is that most challenge questions rely on a user’s knowledge of their early life, something which tends not to deteriorate over time. Unfortunately, this kind of information can also be discovered by a determined attacker. We developed a challenge protocol in which a set of pictorial cues are used to prompt answers, rather than using the standard mechanism based on textual questions. The prompts solicit associative memories that need not represent factual information (information that aids an attacker in mounting targeted observation attacks) and serve as a stronger cue to aid the recall. Our results reveal that the solution has comparable security with that of traditional challenge questions, and may offer increased protection against external attackers. Furthermore, we obtained a 13% increase in the memorability of our answers, hence enhanced effectiveness of the mechanism. We conclude by discussing how further modifications could achieve even greater gains on the usability front.
    Original language: English
    Title of host publication: People and Computer XXIV Games are a Serious Business
    Subtitle of host publication: Proceedings of HCI 2010 The 24th BCS Interaction Specialist Group Conference University of Abertay, Dundee, UK 6-10 September 2010
    Place of Publication: Swindon
    Publisher: British Informatics Society Limited
    Pages: 98-107
    Number of pages: 10
    ISBN (Print): 9781780171302
    Publication status: Published - 6 Sep 2010

    Keywords

    • challenge questions
    • pictorial cues
    • challenge protocol
    • associative memories

    Cite this

    Renaud, K., & Just, M. (2010). Pictures or questions? Examining user responses to association-based authentication. In People and Computer XXIV Games are a Serious Business: Proceedings of HCI 2010 The 24th BCS Interaction Specialist Group Conference University of Abertay, Dundee, UK 6-10 September 2010 (pp. 98-107). Swindon: British Informatics Society Limited.