Pictures or questions? Examining user responses to association-based authentication

Renaud, K. and Just, M. (2010) Pictures or questions? Examining user responses to association-based authentication. In: HCI 2010 The 24th BCS Conference on Human Computer Interaction, University of Abertay, Dundee, 6th-10th September 2010, (Unpublished)

Full text not currently available from Enlighten.

Publisher's URL: http://hci2010.abertay.ac.uk/

Abstract

Challenge questions are commonly used as a backup should users forget their “main” authentication secret. Such questions are notoriously difficult to design properly, and have sometimes allowed intruders to access the system via a back door simply by engaging in some online research about the victim. The problem is that most challenge questions rely on a user’s knowledge of their early life, something which tends not to deteriorate over time. Unfortunately, this kind of information can also be discovered by a determined attacker. We developed a challenge protocol in which a set of pictorial cues are used to prompt answers, rather than using the standard mechanism based on textual questions. The prompts solicit associative memories that need not represent factual information (information that aids an attacker in mounting targeted observation attacks) and serve as a stronger cue to aid the recall. Our results reveal that the solution has comparable security with that of traditional challenge questions, and may offer increased protection against external attackers. Furthermore, we obtained a 13% increase in the memorability of our answers, hence enhanced effectiveness of the mechanism. We conclude by discussing how further modifications could achieve even greater gains on the usability front.

Item Type: Conference Proceedings
Status: Unpublished
Refereed: Yes
Glasgow Author(s) Enlighten ID: Renaud, Professor Karen
Authors: Renaud, K., and Just, M.
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
College/School: College of Science and Engineering > School of Computing Science
