Joseph Bonneau
ABSTRACT
We examine the first large real-world data set on personal knowledge question's security and memorability from their deployment at Google. Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate. Surprisingly, we found that a significant cause of this insecurity is that users often don't answer truthfully. A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them "harder to guess" although on aggregate this behavior had the opposite effect as people "harden" their answers in the same and predictable way. On the usability side, we show that secret answers have surprisingly poor memorability despite the assumption that their reliability motivates their continued deployment. From millions of account recovery attempts we observed a significant fraction of users (e.g 40% of our English-speaking US users) were unable to recall their answers when needed. This is lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%). Comparing question strength and memorability reveals that the questions that are potentially the most secure (e.g what is your first phone number) are also the ones with the worst memorability. We conclude that it appears next to impossible to find secret questions that are both secure and memorable. Secret questions continue have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.
- Mansour Alsaleh, Mohammad Mannan, and P.C. van Oorschot. Revisiting defenses against large-scale online password guessing attacks. IEEE Transactions on Dependable and Secure Computing, 2012. Google Scholar
Digital Library
- Robert Biddle, Sonia Chiasson, and P.C. van Oorschot. Graphical Passwords: Learning from the First Twelve Years. Technical Report TR-11-01, Carleton University, 2011.Google Scholar
- Joseph Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords, May 2012.Google Scholar
- Joseph Bonneau. Guessing human-chosen secrets. PhD thesis, University of Cambridge, May 2012.Google Scholar
- Joseph Bonneau, Mike Just, and Greg Matthews. What's in a name? Evaluating statistical attacks against personal knowledge questions. Financial Cryptography, 2010. Google ScholarDigital Library
- Joseph Bonneau, Sören Preibusch, and Ross Anderson. A birthday present every eleven wallets? The security of customer-chosen banking PINs. Financial Cryptography, 2012.Google ScholarCross Ref
- John Brainard, Ari Juels, Ronald L. Rivest, Michael Szydlo, and Moti Yung. Fourth-Factor Authentication: Somebody You Know. CCS '06: The 13\textsuperscriptth ACM Conference on Computer and Communications Security, 2006. Google ScholarDigital Library
- Sacha Brostoff and Angela Sasse. "Ten strikes and you're out": Increasing the number of login attempts can improve password usability. CHI Workshop on HCI and Security Systems, 2003.Google Scholar
- Sacha Brostoff and M. Angela Sasse. Are Passfaces More Usable Than Passwords? A Field Trial Investigation. People and Computers XIV: Usability or Else!: HCI 2000, 2000.Google Scholar
- Julie Bunnell, John Podd, Ron Henderson, Renee Napier, and James Kennedy-Moffat. Cognitive, associative and conventional passwords: Recall and guessing rates. Computers & Security, 1997. Google ScholarDigital Library
- Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek, Andy Archer, Allan Aquino, Andreas Pitsillidis, and Stefan Savage. Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild. Internet Measurement Conference, 2014. Google ScholarDigital Library
- Rachna Dhamija and Adrian Perrig. Déjà vu: A user study using images for authentication. USENIX Security Symposium, 2000. Google ScholarDigital Library
- A.D. Frankel and M. Maheswaran. Feasibility of a Socially Aware Authentication Scheme. CCNC '09: IEEE Consumer Communications and Networking Conference, 2009. Google ScholarDigital Library
- Simson L. Garfinkel. Email-Based Identification and Authentication: An Alternative to PKI? IEEE Security & Privacy Magazine, 1(6), 2003. Google ScholarDigital Library
- Virgil Griffith and Markus Jakobsson. Messin' with Texas: Deriving Mother's Maiden Names Using Public Records. Applied Cryptography and Network Security, 2005. Google ScholarDigital Library
- William J. Haga and Moshe Zviran. Question-and-Answer Passwords: An Empirical Evaluation. Information Systems, 16(3):335--343, 1991. Google ScholarDigital Library
- Markus Jakobsson and Hossein Siadati. Improved visual preference authentication. Workshop on Socio-Technical Aspects in Security and Trust (STAST), 2012. Google ScholarDigital Library
- Markus Jakobsson, Erik Stolterman, Susanne Wetzel, and Liu Yang. Love and Authentication. ACM SIGCHI Conference on Human Factors in Computing Systems, 2008. Google ScholarDigital Library
- Markus Jakobsson, Liu Yang, and Susanne Wetzel. Quantifying the Security of Preference-Based Authentication. ACM Workshop on Digital Identity Management (DIM), 2008. Google ScholarDigital Library
- Mike Just. Designing and Evaluating Challenge-Question Systems. IEEE Security & Privacy Magazine, 2(5), 2004. Google ScholarDigital Library
- Mike Just and David Aspinall. Personal Choice and Challenge Questions: A Security and Usability Assessment. SOUPS '09: The 5th Symposium on Usable Privacy and Security, 2009. Google ScholarDigital Library
- Chris Karlof, J. D. Tygar, and David Wagner. Conditioned-Safe Ceremonies and a User Study of an Application to Web Authentication. SOUPS '09: The 5th Symposium on Usable Privacy and Security, 2009. Google ScholarDigital Library
- Hyoungshick Kim, John Tang, and Ross Anderson. Social Authentication: Harder than it Looks. Financial Cryptography, 2012.Google ScholarCross Ref
- Jack Lindamood and Murat Kantarcioglu. Inferring Private Information Using Social Network Data. Technical Report UTDCS-21-08, University of Texas at Dallas Computer Science Department, 2008.Google Scholar
- A. Nosseir, R. Connor, and M.D. Dunlop. Internet Authentication Based on Personal History--A Feasibility Test. ACM Customer Focused Mobile Services Workshop, 2005.Google Scholar
- Rachael Pond, John Podd, Julie Bunnell, and Ron Henderson. Word Association Computer Passwords: The Effect of Formulation Techniques on Recall and Guessing Rates. Computers & Security, 2000. Google ScholarDigital Library
- Ariel Rabkin. Personal knowledge questions for fallback authentication: Security questions in the era of Facebook. SOUPS '08: The 4th Symposium on Usable Privacy and Security, 2008. Google ScholarDigital Library
- Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman. It's No Secret: Measuring the security and reliability of authentication via 'secret' questions. 2009 IEEE Symposium on Security and Privacy, 2009. Google ScholarDigital Library
- Stuart Schechter, Serge Egelman, and Robert W. Reeder. It's Not What You Know, But Who You Know: A social approach to last-resort authentication. ACM SIGCHI Conference on Human Factors in Computing Systems, 2009. Google ScholarDigital Library
- Victoria Schwanda-Sosik, Elie Bursztein, Sunny Consolvo, David A Huffaker, Gueorgi Kossinets, Kerwell Liao, Paul McDonald, and Aaron Sedley. Online microsurveys for user experience research. CHI'14 Extended Abstracts on Human Factors in Computing Systems, 2014. Google ScholarDigital Library
- The Next Web. Microsoft can recycle your outlook.com email address if your account becomes inactive. http://tnw.co/1sWsNAU, 2013.Google Scholar
- Sarita Yardi, Nick Feamster, and Amy Bruckman. Photo-Based Authentication Using Social Networks. WOSN '08: The 1st Workshop on Online Social Networks, 2008. Google ScholarDigital Library
- Moshe Zviran and William J. Haga. A Comparison of Password Techniques for Multilevel Authentication Mechanisms. Computer Journal, 36(3):227--237, 1993.Google Scholar
Index Terms
- Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google
Recommendations
Securing Account Recovery Mechanism on Desktop Computers and Mobile Phones with Keystroke Dynamics
AbstractAccount recovery has become a prevalent feature across mobile and web applications that circumvents the regular username/password-based user authentication process, and thus is known to be less secure and fraught with attacks. For example, to ...
Comments