We present a novel method for improving the security of challenge question authentication, which traditionally requires a user to answer questions such as "What is your Mother’s Maiden Name?" In our method, users create an Avatar representing a fictitious person, and later use the Avatar’s information to authenticate themselves. The Avatar Profile consists of basic identifying information (e.g., name, address) as well as personality information (e.g., pets, interests). This info is pseudo-randomly generated from a large corpus of information. For authentication purposes, a small amount of the Avatar Profile information is used to respond to challenge questions. In terms of security, the use of information that is not personally associated with the user is intended to thwart observation attacks such as, for example, knowing the user’s mother’s maiden name. In terms of usability, our design establishes a bond between the user and their Avatar using graphical images and periodic associations by, for example, presenting an image of the Avatar at each login. This nurturing of the bond between a user and their Avatar leverages known psychological phenomena. At the same time it also provides a novel adaptation to security of the emotional investments that users exhibit in virtual worlds and massively multi-user online graphical environments. In this paper, we describe our work-in-progress towards an Avatar Authentication design, partially guided by an initial pilot experiment. Our initial results are promising and point to a possible future for the use of avatars for authentication.
|Title of host publication||Proceedings of the The Fifth International Conference on Emerging Information, Systems and Technologies|
|Subtitle of host publication||SECUREWARE 2011|
|Publisher||International Academy, Research, and Industry Association|
|Number of pages||4|
|Publication status||Published - 21 Aug 2011|