personal choice and challenge questions a security and
play

Personal Choice and Challenge Questions: A Security and Usability - PowerPoint PPT Presentation

Dec 09, 2022 •183 likes •394 views

SOUPS 2009 Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike Just University of Edinburgh (joint work with David Aspinall) Challenge Question Authentication Authentication credential is answer

  1. SOUPS 2009 Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike Just University of Edinburgh (joint work with David Aspinall)

  2. Challenge Question Authentication Authentication credential is answer from a question-answer pair  Common questions   ”What is my Mother's Maiden Name?”  ”What was my first pet's name?”  ”What was the name of my primary school?” Often, though not always, used for secondary authentication  Answers rely upon information that is already known , as  opposed to memorized A.k.a. ”Personal Verification Questions,” ”Recovery Questions”  16 July 2009 Just, Aspinall - SOUPS 2009 2

  3. Recent Research Results Rabkin, SOUPS 2008  Subjective assessment of 20 banks with ~200 challenge questions  Security: Guessable (33%), Auto. Attackable (12%), Attackable (-)  Usability: Inapplicable (50%), Ambiguous (32%), Not memorable (13%)  Just and Aspinall, Trust 2009  Pilot experiment (paper-based) collecting questions and answer lengths  Security: Answers susceptible to brute-force attack (based upon length)  Usability: Not memorable (25%) including Ambiguous (5%)  Schechter, Berheim Brush and Egelman, IEEE Oakland 2009  Experiment to study questions from AOL, Google, Microsoft and Yahoo!  Security: 17% of answers guessable by arms-length acquaintances  Usability: 20% of users forget their answers within 6 months  16 July 2009 Just, Aspinall - SOUPS 2009 3

  4. Our Research (1 of 2) Research suggests significant problems with both the security  and usability of challenge question authentication systems  How can we begin to improve? A systematic and repeatable way to analyze the security and  usability of challenge questions  To continue to assess current systems, and suggest improvements  To allow assessment of future systems Our focus was on user-chosen questions   Does personal choice encourage increased security and usability? 16 July 2009 Just, Aspinall - SOUPS 2009 4

  5. Our Research (2 of 2) 1.Novel experiment for collecting authentication information 2.Security model for question assessment 3.Assessment of the security and usability of 180 user-chosen challenge questions  Experiment with 60 first-year Biology students at the University of Edinburgh 16 July 2009 Just, Aspinall - SOUPS 2009 5

  6. Collecting Data (1 of 3)  Ethically challenging, but users readily submit  Issues regarding participant behaviour  Sensitivity to challenge question answers?  Contribute real information?  Degree of freedom with user-chosen questions  Opportunities for improved Collector behaviour  Challenge to ourselves: Don't collect!  Avoid having to maintain information  Consistent message: Keep credentials to yourself! 16 July 2009 Just, Aspinall - SOUPS 2009 6

  7. Collecting Data (2 of 3) Experiment Participant Questions Stage 1 Answers Security Analysis Stage 2 Questions Answers Answers MATCH? Usability Analysis 16 July 2009 Just, Aspinall - SOUPS 2009 7

  8. Collecting Data (3 of 3) Participants use of 'real' Questions and Answers   We asked if participants would use same Questions and Answers in real applications (e.g. Banking)  Of the respondents (94%) indicating that they would likely re-use their questions, 45% indicated some influence from not submitting their answers Participants and personal privacy   We asked participants if they would be concerned if their friends or family members knew their Questions and Answers  More than two-thirds of the questions raised 'no concern' at all for participants with < 10% meriting strong concern Results are similar to our earlier pilot experiment ( Trust 2009 )  16 July 2009 Just, Aspinall - SOUPS 2009 8

  9. Security Model (1 of 2)  Existing security analysis of Challenge Questions is ad hoc  There are no clear guidelines for choosing 'good' questions and answers  We wanted a more systematic and repeatable approach that would  Provide some guidance for secure design  Allow continued assessment of new solutions  We encourage further refinement of our model  Assessment results depend upon context 16 July 2009 Just, Aspinall - SOUPS 2009 9

  10. Security Model (2 of 2) Increasing Information for Attacker Answer alphabet and User account, published Questions, distributions of likely distribution, common data, social networks, answers answer sets friends, family, ... Attack Blind Focused Observation Methods Guess Guess Answer Guess 16 July 2009 Just, Aspinall - SOUPS 2009 10

  11. Security Analysis – Blind Guess (1 of 5) Brute force attack  Security Levels based on equivalence to passwords  6-char alphabetic password (2 34 )  Low (2 34 ) Med (2 48 ) High 8-char alphanumeric password (2 48 )  Answer entropy: 2.3 bits (1 st 8 chars), then 1.5 bits  Results (by question)  Average answer length: 7.5 characters  174 Low, 4 Medium, 2 High  Results (by user)  Q1 – 59 Low, 1 Medium, 0 High  Q1, Q2 – 38 Low, 13 Medium, 9 High  Q1, Q2, Q3 – 5 Low, 19 Medium, 36 High  16 July 2009 Just, Aspinall - SOUPS 2009 11

  12. Security Analysis – Focused Guess (2 of 5) Attacker knows the Challenge Questions  Security Levels same as for Blind Guess  log 10 Space Q Type % Answer types and space  Proper Name 50% 4 – 5 Results (by question)  Place 20% 2 – 5 Name 18% 3 – 7 167 Low, 0 Medium, 13 High  Number 3% 1 – 4 Results (by user)  Time/Date 3% 2 – 5 Q1 – 58 Low, 0 Medium, 2 High  Ambiguous 6% 8 – 15 Q1, Q2 – 46 Low, 11 Medium, 3 High  Q1, Q2, Q3 – 5 Low, 28 Medium, 27 High  Much room for refinement of 'Space'  16 July 2009 Just, Aspinall - SOUPS 2009 12

  13. Security Analysis – Observation (3 of 5) Attacker tries to obtain or Results (by question)   observe the answer 124 Low, 54 Medium, 2 High  Security Levels defined  Results (by user)  qualitatively 24 Low, 34 Medium, 2 High  Low – Answer publicly available  Did not ”sum” levels (used max)  Medium – Answer not public, but  Much room for refinement of known to F&F  levels and analysis High – Neither  Levels assigned to questions by  Subjective analysis, and  Participant input (provided upper  bound only) 16 July 2009 Just, Aspinall - SOUPS 2009 13

  14. Security Analysis – Overall (4 of 5)  Overall rating is a 3-tuple (Blind, Focused, Observation)  Results  All Low – 1 participant  All High – 0 participants  No Lows – 31 participants (50%)  (H,M,M) or (M,H,M) – 15 participants (25%)  (H,H,M) – 11 participants (20%)  Dependencies not (yet) considered  Ability to perform observation attacks in parallel, and offline, is a significant advantage for attackers 16 July 2009 Just, Aspinall - SOUPS 2009 14

  15. Security Analysis – Overall (5 of 5)  Perceived effort of Stranger to Discover Answers  Very difficult (47%)  Somewhat difficult (42%)  Not difficult at all (11%)  Users overestimate the difficulty of attack  Perceived effort of Friend/Family to Discover Answers  Very difficult (11%)  Somewhat difficult (36%)  Not difficult at all (53%)  Users surprisingly aware of this risk 16 July 2009 Just, Aspinall - SOUPS 2009 15

  16. Usability Analysis Criteria: Applicability, Memorability, Repeatability  Answer recall (180 questions)  15 errors (8%)  Reduces to 7 errors (4%) if we exclude 'capitalization' errors  Answer recall (60 users)  11 users (18%) made at least one error  Reduces to 7 users (12%) if we exclude 'capitalization' errors  Comments suggest that 'complicated answers' and allowance of free-  form answers may be culprit Florêncio & Herley (2007) found that 4.28% of Yahoo! users forget  their passwords Our results were after 23 days, with young students  16 July 2009 Just, Aspinall - SOUPS 2009 16

  17. What Does it All Mean? (1 of 3)  Serious concerns regarding the security and usability of (user-chosen) challenge questions  Questions were similar to system-chosen  But, before we write-off challenge questions  Multiple questions seem to help (security at least), though security challenges remain  How do the users who forget their answers relate to those forgetting their passwords (same users?)  Are we reducing help-desk costs, relative to not having challenge questions at all? 16 July 2009 Just, Aspinall - SOUPS 2009 17

  18. What Does it All Mean? (2 of 3) Current implementations are terribly boring   Little research of challenge question authentication  Most has been to assess security and usability  Less research into new designs Potential paths forward   Dynamic assessments of security and usability  New types of information for authentication (e.g., 5 W's)  Other methods: who you know, what you have access to, …  Users are different – customize to meet their strengths (no 'one- size-fits-all') 16 July 2009 Just, Aspinall - SOUPS 2009 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

The Caliber of Your Choice Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9 November 2011 Dan Nolan - Sabot 6, Inc. An Energy Security Company 1800 Diagonal Ave Ste 600 - Alexandria, VA 22314

692 views • 51 slides
Advance Designation: Supporting Autonomy and Personal Choice in Representative Payment Kathryn

Advance Designation: Supporting Autonomy and Personal Choice in Representative Payment Kathryn

Advance Designation: Supporting Autonomy and Personal Choice in Representative Payment Kathryn Olson Democratic Staff Director, Subcommittee on Social Security House Committee on Ways and Means SSA National Disability Forum, October 30, 2018

109 views • 8 slides
Using multiple choice questions to identify student misconceptions Clare Wilkes 29 30 March

Using multiple choice questions to identify student misconceptions Clare Wilkes 29 30 March

Using multiple choice questions to identify student misconceptions Clare Wilkes 29 30 March 2019 Development Manager Using multiple choice questions Purpose: To gain an insight into the writing of multiple choice questions Learn

501 views • 32 slides
The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis

The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis

INFORMATION SECURITY The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis Information Security Practice Thursday, April 14, 2016 General Information Share the webinar Questions: Submit your

420 views • 14 slides
Individual Choice Behavior: Presentation effects present a different kind of challenge to

Individual Choice Behavior: Presentation effects present a different kind of challenge to

Individual Choice Behavior: Presentation effects present a different kind of challenge to theories of choice based on preferences, since they suggest that choices between two alternatives may depend on how the decision is presented or

379 views • 20 slides
Capstone Personal Challenge Fall 2013 Name: _______________________________________________

Capstone Personal Challenge Fall 2013 Name: _______________________________________________

Capstone Personal Challenge Fall 2013 Name: _______________________________________________ Semester: ___________________________ Year: ______________________ Housing Accommodations: ______________________________________ The Capstone Personal

257 views • 3 slides
26. Security 1 2 3 4 5 27. Stability 1 2 3 4 5 28. Neatness 1 2 3 4 5

26. Security 1 2 3 4 5 27. Stability 1 2 3 4 5 28. Neatness 1 2 3 4 5

Identifying Personal Core Values Consider the following questions. How could these questions help you in identifying you thoughts, feelings, values, beliefs, priorities? 1. What are my most redeeming qualities? 2. What are my weaknesses? 3. What

154 views • 3 slides
Manoj Soma, CEO, Choice International My personal experiences specifically how I benefited from

Manoj Soma, CEO, Choice International My personal experiences specifically how I benefited from

Good Afternoon Whatever our differences of identity, we all have rights and deserve a better quality of life Manoj Soma CEO Choice International Manoj Soma, CEO, Choice International My personal experiences specifically how I benefited

689 views • 9 slides
Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh

Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh

University of Cambridge Security Seminar Series Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh Outline What are Challenge Questions? Challenge Question Research Our Research Collecting

765 views • 28 slides
Create the Choice The Penmaen Family Create the Choice The Penmaen Family Create the Choice The

Create the Choice The Penmaen Family Create the Choice The Penmaen Family Create the Choice The

Create the Choice The Penmaen Family Create the Choice The Penmaen Family Create the Choice The Penmaen Family 1. Family members who actively work on the farm and have some ownership (directly or indirectly) Overwhelming challenge for

541 views • 28 slides
Discrete choice analysis &amp; taboos Caspar Chorus 5-6-2019 Professor of choice behavior

Discrete choice analysis &amp; taboos Caspar Chorus 5-6-2019 Professor of choice behavior

Discrete choice analysis &amp; taboos Caspar Chorus 5-6-2019 Professor of choice behavior modeling Head: Engineering Systems department Delft University of Technology Challenge the future Discrete choice analysis in one slide If you

1.06k views • 39 slides
ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice

ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice

ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice underlying user equilibrium is that travelers will select a route so as to minimize their personal travel time between the origin and destination. User

274 views • 14 slides
Giving Choice: School Supplies and Personal Care December 12 th , 2018 Kristin Terez Giving

Giving Choice: School Supplies and Personal Care December 12 th , 2018 Kristin Terez Giving

Giving Choice: School Supplies and Personal Care December 12 th , 2018 Kristin Terez Giving Choice: School Supplies and Personal Care is a two part social action project focused on providing school Project supplies to children in need and

257 views • 15 slides
1 The Reality Choice: the choice to realize I am not God and admit I am powerless to control my

1 The Reality Choice: the choice to realize I am not God and admit I am powerless to control my

1 The Reality Choice: the choice to realize I am not God and admit I am powerless to control my tendency to do the wrong thing. Personal and Group Authenticity The Hope Choice: there is a power greater than me and there is hope. A power greater

625 views • 17 slides
Community Choice Energy Challenge and Opportunity The Business of Local Energy Symposium San

Community Choice Energy Challenge and Opportunity The Business of Local Energy Symposium San

Community Choice Energy Challenge and Opportunity The Business of Local Energy Symposium San Jose, California March 2016 1 Established in 1993, Joint Venture Silicon Valley provides analysis and action on issues affecting our region's economy

372 views • 11 slides
Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc

Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc

Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc Langheinrich Institute for Pervasive Computing Institute for Pervasive Computing ETH Zurich, Switzerland Approaches to Security &amp; Privacy in

749 views • 39 slides
6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

Heap Menu Implementation of a priority queue Priority Queues An array, visualized as a nearly complete binary tree Max Heap Property: The key of a node is than the keys of Heaps its children (Min Heap defined

202 views • 7 slides
Differential cohomology and topological actions Ben Gripaios Cambridge 28.x.20 with Joe Davighi

Differential cohomology and topological actions Ben Gripaios Cambridge 28.x.20 with Joe Davighi

Differential cohomology and topological actions Ben Gripaios Cambridge 28.x.20 with Joe Davighi and Oscar Randal-Williams goal and motivations examples differential cohomology Goal: construct and classify topological actions in

873 views • 52 slides
P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju

P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju

CIKM Applied Research Paper P-Companion: A Principled Framework for Diversified Complementary Product Recommendation Ju Junhen eng g Hao , Tong Zhao, Jin Li, Xin Luna Dong, Christos Faloutsos, Yizhou Sun, Wei Wang Oct. 19-23, 2020 | Online

684 views • 24 slides
10/21/2020 Teaching Social Justice: Navigating the Deep Waters of Equity in Early Childhood

10/21/2020 Teaching Social Justice: Navigating the Deep Waters of Equity in Early Childhood

10/21/2020 Teaching Social Justice: Navigating the Deep Waters of Equity in Early Childhood Presented by: Nadia Jaboneta 1 2 Questions I am often asked: How did you became the anti-bias educator you are now? What are the steps that

361 views • 11 slides
In a Silent Way Communication Between AI and Improvising Musicians Beyond Sound MASAHIRO ISERI

In a Silent Way Communication Between AI and Improvising Musicians Beyond Sound MASAHIRO ISERI

In a Silent Way Communication Between AI and Improvising Musicians Beyond Sound MASAHIRO ISERI STUDENT NUMBER 46193003 Information Title In a Silent Way: Communication Between AI and Improvising Musicians Beyond Sound Author McCormack,

637 views • 51 slides
Rationalization Vadim Cherepanov (Upenn and Kellogg) Alvaro Sandroni (Kellogg) Tim Feddersen

Rationalization Vadim Cherepanov (Upenn and Kellogg) Alvaro Sandroni (Kellogg) Tim Feddersen

Rationalization Vadim Cherepanov (Upenn and Kellogg) Alvaro Sandroni (Kellogg) Tim Feddersen (Kellogg) 23/11/10 1 Economics and Psychology Economics: Agents think to relate means and consequences Choice = Preference Psychology:

577 views • 10 slides
Take two minutes to get your Notebooks, Signals, Calculators, &amp; Student Orgzniers before we

Take two minutes to get your Notebooks, Signals, Calculators, &amp; Student Orgzniers before we

AIM: How do we rationalize the denominator ? Take two minutes to get your Notebooks, Signals, Calculators, &amp; Student Orgzniers before we begin today's lesson. Alert! Alert! aim 1 Aim: How do we rationalize the denominator? HW: Worksheet

284 views • 9 slides
Credit Suisse Third Quarter 2018 Results Tidjane Thiam, Chief Executive Officer David Mathers,

Credit Suisse Third Quarter 2018 Results Tidjane Thiam, Chief Executive Officer David Mathers,

Credit Suisse Third Quarter 2018 Results Tidjane Thiam, Chief Executive Officer David Mathers, Chief Financial Officer November 1, 2018 Disclaimer This material does not purport to contain all of the information that you may wish to consider.

939 views • 79 slides

More recommend