Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook
Date: July 2008
Publication: Proceedings of the 4th Symposium On Usable Privacy and Security, SOUPS '08
Page(s): 13 - 23
Source 1: http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf
Source 2: http://rfml.kaust.edu.sa/Documents/cvs/10.1.1.140.8349%281%29.pdf
Source 3: http://dx.doi.org/10.1145/1408664.1408667 - Subscription or payment required
Abstract or Summary:
Security questions (or challenge questions) are commonly used to authenticate users who have lost their passwords. We examined the password retrieval mechanisms for a number of personal banking websites, and found that many of them rely in part on security questions with serious usability and security weaknesses. We discuss patterns in the security questions we observed. We argue that today's personal security questions owe their strength to the hardness of an information-retrieval problem. However, as personal information becomes ubiquitously available online, the hardness of this problem, and security provided by such questions, will likely diminish over time. We supplement our survey of bank security questions with a small user study that supplies some context for how such questions are used in practice.