Knowledge-based Authentication: Evaluating and Improving

Project Details


This project aimed to investigate personal knowledge mechanisms used for authentication, to find out how good they are from security and usability aspects, and how they might be improved. Knowledge-based mechanisms include "challenge questions" such as "what is your mother's maiden name?", whose answers are supposedly known only to the recipient. In practice the data leaks more widely, and there have been several high-profile attacks. In particular, we sought to investigate whether questions generated individually by users could be better than system-generated questions.

Layman's description

Challenge questions are used for logging in to computers using personal information that should be secret, such as "what is your mother's maiden name?". They are easier to use than cryptic passwords, but unfortunately the answers are often given away, e.g. on sites like Facebook (there was a famous attack on Sarah Palin's account during this project). We investigated how guessable answers would be, whether or not the attacker knew the target, and whether users could invent better questions for themselves. We also investigated whether users would remember the answers to questions they had invented.

Key findings

We conducted several experiments, in total gathering 500 user-generated challenge questions and testing memorability and accuracy of responses after a two-week period. We found that memorability was fair but not as good as might be hoped. Without special guidance, most users chose poor questions or ones that they had already been taught to use by banks (such as "what is my mother's maiden name?"). But some users invented much better questions, including more complex ones which introduced indirection (e.g. "what was my childhood friend's pet called?") and so offered the chance of better security.

We developed an attack model to measure the strength of questions based on three strategies: a brute-force attack based on the size of the answer space; a focused guess based on distributions of likely answers (e.g. common names, geographical locality); and finally an observation-based attack modelling the likelihood of finding answers in public sources, including social media, or via connections. In a positive outcome, we found that most users chose a set of three questions which, taken together, achieved a good level of security against all attack strategies.

We hypothesised that with further guidance and some automatic heuristics, it would be possible to help the user find good and memorable challenge questions. This is in contrast to the pervading view in the community that challenge questions are simply broken.

Effective start/end date: 1/10/08 to 30/04/10


  • EPSRC: £81,566.00

