personal choice and challenge questions a security and
play

Personal Choice and Challenge Questions: A Security and Usability - PowerPoint PPT Presentation

Dec 09, 2022 •183 likes •394 views

SOUPS 2009 Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike Just University of Edinburgh (joint work with David Aspinall) Challenge Question Authentication Authentication credential is answer

  1. SOUPS 2009 Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike Just University of Edinburgh (joint work with David Aspinall)

  2. Challenge Question Authentication Authentication credential is answer from a question-answer pair  Common questions   ”What is my Mother's Maiden Name?”  ”What was my first pet's name?”  ”What was the name of my primary school?” Often, though not always, used for secondary authentication  Answers rely upon information that is already known , as  opposed to memorized A.k.a. ”Personal Verification Questions,” ”Recovery Questions”  16 July 2009 Just, Aspinall - SOUPS 2009 2

  3. Recent Research Results Rabkin, SOUPS 2008  Subjective assessment of 20 banks with ~200 challenge questions  Security: Guessable (33%), Auto. Attackable (12%), Attackable (-)  Usability: Inapplicable (50%), Ambiguous (32%), Not memorable (13%)  Just and Aspinall, Trust 2009  Pilot experiment (paper-based) collecting questions and answer lengths  Security: Answers susceptible to brute-force attack (based upon length)  Usability: Not memorable (25%) including Ambiguous (5%)  Schechter, Berheim Brush and Egelman, IEEE Oakland 2009  Experiment to study questions from AOL, Google, Microsoft and Yahoo!  Security: 17% of answers guessable by arms-length acquaintances  Usability: 20% of users forget their answers within 6 months  16 July 2009 Just, Aspinall - SOUPS 2009 3

  4. Our Research (1 of 2) Research suggests significant problems with both the security  and usability of challenge question authentication systems  How can we begin to improve? A systematic and repeatable way to analyze the security and  usability of challenge questions  To continue to assess current systems, and suggest improvements  To allow assessment of future systems Our focus was on user-chosen questions   Does personal choice encourage increased security and usability? 16 July 2009 Just, Aspinall - SOUPS 2009 4

  5. Our Research (2 of 2) 1.Novel experiment for collecting authentication information 2.Security model for question assessment 3.Assessment of the security and usability of 180 user-chosen challenge questions  Experiment with 60 first-year Biology students at the University of Edinburgh 16 July 2009 Just, Aspinall - SOUPS 2009 5

  6. Collecting Data (1 of 3)  Ethically challenging, but users readily submit  Issues regarding participant behaviour  Sensitivity to challenge question answers?  Contribute real information?  Degree of freedom with user-chosen questions  Opportunities for improved Collector behaviour  Challenge to ourselves: Don't collect!  Avoid having to maintain information  Consistent message: Keep credentials to yourself! 16 July 2009 Just, Aspinall - SOUPS 2009 6

  7. Collecting Data (2 of 3) Experiment Participant Questions Stage 1 Answers Security Analysis Stage 2 Questions Answers Answers MATCH? Usability Analysis 16 July 2009 Just, Aspinall - SOUPS 2009 7

  8. Collecting Data (3 of 3) Participants use of 'real' Questions and Answers   We asked if participants would use same Questions and Answers in real applications (e.g. Banking)  Of the respondents (94%) indicating that they would likely re-use their questions, 45% indicated some influence from not submitting their answers Participants and personal privacy   We asked participants if they would be concerned if their friends or family members knew their Questions and Answers  More than two-thirds of the questions raised 'no concern' at all for participants with < 10% meriting strong concern Results are similar to our earlier pilot experiment ( Trust 2009 )  16 July 2009 Just, Aspinall - SOUPS 2009 8

  9. Security Model (1 of 2)  Existing security analysis of Challenge Questions is ad hoc  There are no clear guidelines for choosing 'good' questions and answers  We wanted a more systematic and repeatable approach that would  Provide some guidance for secure design  Allow continued assessment of new solutions  We encourage further refinement of our model  Assessment results depend upon context 16 July 2009 Just, Aspinall - SOUPS 2009 9

  10. Security Model (2 of 2) Increasing Information for Attacker Answer alphabet and User account, published Questions, distributions of likely distribution, common data, social networks, answers answer sets friends, family, ... Attack Blind Focused Observation Methods Guess Guess Answer Guess 16 July 2009 Just, Aspinall - SOUPS 2009 10

  11. Security Analysis – Blind Guess (1 of 5) Brute force attack  Security Levels based on equivalence to passwords  6-char alphabetic password (2 34 )  Low (2 34 ) Med (2 48 ) High 8-char alphanumeric password (2 48 )  Answer entropy: 2.3 bits (1 st 8 chars), then 1.5 bits  Results (by question)  Average answer length: 7.5 characters  174 Low, 4 Medium, 2 High  Results (by user)  Q1 – 59 Low, 1 Medium, 0 High  Q1, Q2 – 38 Low, 13 Medium, 9 High  Q1, Q2, Q3 – 5 Low, 19 Medium, 36 High  16 July 2009 Just, Aspinall - SOUPS 2009 11

  12. Security Analysis – Focused Guess (2 of 5) Attacker knows the Challenge Questions  Security Levels same as for Blind Guess  log 10 Space Q Type % Answer types and space  Proper Name 50% 4 – 5 Results (by question)  Place 20% 2 – 5 Name 18% 3 – 7 167 Low, 0 Medium, 13 High  Number 3% 1 – 4 Results (by user)  Time/Date 3% 2 – 5 Q1 – 58 Low, 0 Medium, 2 High  Ambiguous 6% 8 – 15 Q1, Q2 – 46 Low, 11 Medium, 3 High  Q1, Q2, Q3 – 5 Low, 28 Medium, 27 High  Much room for refinement of 'Space'  16 July 2009 Just, Aspinall - SOUPS 2009 12

  13. Security Analysis – Observation (3 of 5) Attacker tries to obtain or Results (by question)   observe the answer 124 Low, 54 Medium, 2 High  Security Levels defined  Results (by user)  qualitatively 24 Low, 34 Medium, 2 High  Low – Answer publicly available  Did not ”sum” levels (used max)  Medium – Answer not public, but  Much room for refinement of known to F&F  levels and analysis High – Neither  Levels assigned to questions by  Subjective analysis, and  Participant input (provided upper  bound only) 16 July 2009 Just, Aspinall - SOUPS 2009 13

  14. Security Analysis – Overall (4 of 5)  Overall rating is a 3-tuple (Blind, Focused, Observation)  Results  All Low – 1 participant  All High – 0 participants  No Lows – 31 participants (50%)  (H,M,M) or (M,H,M) – 15 participants (25%)  (H,H,M) – 11 participants (20%)  Dependencies not (yet) considered  Ability to perform observation attacks in parallel, and offline, is a significant advantage for attackers 16 July 2009 Just, Aspinall - SOUPS 2009 14

  15. Security Analysis – Overall (5 of 5)  Perceived effort of Stranger to Discover Answers  Very difficult (47%)  Somewhat difficult (42%)  Not difficult at all (11%)  Users overestimate the difficulty of attack  Perceived effort of Friend/Family to Discover Answers  Very difficult (11%)  Somewhat difficult (36%)  Not difficult at all (53%)  Users surprisingly aware of this risk 16 July 2009 Just, Aspinall - SOUPS 2009 15

  16. Usability Analysis Criteria: Applicability, Memorability, Repeatability  Answer recall (180 questions)  15 errors (8%)  Reduces to 7 errors (4%) if we exclude 'capitalization' errors  Answer recall (60 users)  11 users (18%) made at least one error  Reduces to 7 users (12%) if we exclude 'capitalization' errors  Comments suggest that 'complicated answers' and allowance of free-  form answers may be culprit Florêncio & Herley (2007) found that 4.28% of Yahoo! users forget  their passwords Our results were after 23 days, with young students  16 July 2009 Just, Aspinall - SOUPS 2009 16

  17. What Does it All Mean? (1 of 3)  Serious concerns regarding the security and usability of (user-chosen) challenge questions  Questions were similar to system-chosen  But, before we write-off challenge questions  Multiple questions seem to help (security at least), though security challenges remain  How do the users who forget their answers relate to those forgetting their passwords (same users?)  Are we reducing help-desk costs, relative to not having challenge questions at all? 16 July 2009 Just, Aspinall - SOUPS 2009 17

  18. What Does it All Mean? (2 of 3) Current implementations are terribly boring   Little research of challenge question authentication  Most has been to assess security and usability  Less research into new designs Potential paths forward   Dynamic assessments of security and usability  New types of information for authentication (e.g., 5 W's)  Other methods: who you know, what you have access to, …  Users are different – customize to meet their strengths (no 'one- size-fits-all') 16 July 2009 Just, Aspinall - SOUPS 2009 18

Recommend

Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

The Caliber of Your Choice Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9 November 2011 Dan Nolan - Sabot 6, Inc. An Energy Security Company 1800 Diagonal Ave Ste 600 - Alexandria, VA 22314

692 views • 51 slides
Advance Designation: Supporting Autonomy and Personal Choice in Representative Payment Kathryn

Advance Designation: Supporting Autonomy and Personal Choice in Representative Payment Kathryn

Advance Designation: Supporting Autonomy and Personal Choice in Representative Payment Kathryn Olson Democratic Staff Director, Subcommittee on Social Security House Committee on Ways and Means SSA National Disability Forum, October 30, 2018

109 views • 8 slides
Using multiple choice questions to identify student misconceptions Clare Wilkes 29 30 March

Using multiple choice questions to identify student misconceptions Clare Wilkes 29 30 March

Using multiple choice questions to identify student misconceptions Clare Wilkes 29 30 March 2019 Development Manager Using multiple choice questions Purpose: To gain an insight into the writing of multiple choice questions Learn

501 views • 32 slides
The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis

The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis

INFORMATION SECURITY The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis Information Security Practice Thursday, April 14, 2016 General Information Share the webinar Questions: Submit your

420 views • 14 slides
Individual Choice Behavior: Presentation effects present a different kind of challenge to

Individual Choice Behavior: Presentation effects present a different kind of challenge to

Individual Choice Behavior: Presentation effects present a different kind of challenge to theories of choice based on preferences, since they suggest that choices between two alternatives may depend on how the decision is presented or

379 views • 20 slides
Capstone Personal Challenge Fall 2013 Name: _______________________________________________

Capstone Personal Challenge Fall 2013 Name: _______________________________________________

Capstone Personal Challenge Fall 2013 Name: _______________________________________________ Semester: ___________________________ Year: ______________________ Housing Accommodations: ______________________________________ The Capstone Personal

257 views • 3 slides
26. Security 1 2 3 4 5 27. Stability 1 2 3 4 5 28. Neatness 1 2 3 4 5

26. Security 1 2 3 4 5 27. Stability 1 2 3 4 5 28. Neatness 1 2 3 4 5

Identifying Personal Core Values Consider the following questions. How could these questions help you in identifying you thoughts, feelings, values, beliefs, priorities? 1. What are my most redeeming qualities? 2. What are my weaknesses? 3. What

154 views • 3 slides
Manoj Soma, CEO, Choice International My personal experiences specifically how I benefited from

Manoj Soma, CEO, Choice International My personal experiences specifically how I benefited from

Good Afternoon Whatever our differences of identity, we all have rights and deserve a better quality of life Manoj Soma CEO Choice International Manoj Soma, CEO, Choice International My personal experiences specifically how I benefited

689 views • 9 slides
Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh

Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh

University of Cambridge Security Seminar Series Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh Outline What are Challenge Questions? Challenge Question Research Our Research Collecting

765 views • 28 slides
Create the Choice The Penmaen Family Create the Choice The Penmaen Family Create the Choice The

Create the Choice The Penmaen Family Create the Choice The Penmaen Family Create the Choice The

Create the Choice The Penmaen Family Create the Choice The Penmaen Family Create the Choice The Penmaen Family 1. Family members who actively work on the farm and have some ownership (directly or indirectly) Overwhelming challenge for

541 views • 28 slides
Discrete choice analysis &amp; taboos Caspar Chorus 5-6-2019 Professor of choice behavior

Discrete choice analysis &amp; taboos Caspar Chorus 5-6-2019 Professor of choice behavior

Discrete choice analysis &amp; taboos Caspar Chorus 5-6-2019 Professor of choice behavior modeling Head: Engineering Systems department Delft University of Technology Challenge the future Discrete choice analysis in one slide If you

1.06k views • 39 slides
ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice

ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice

ROUTE CHOICE Dr. Randa Oqab Mujalli Route choice User Equilibrium The rule of choice underlying user equilibrium is that travelers will select a route so as to minimize their personal travel time between the origin and destination. User

274 views • 14 slides
Giving Choice: School Supplies and Personal Care December 12 th , 2018 Kristin Terez Giving

Giving Choice: School Supplies and Personal Care December 12 th , 2018 Kristin Terez Giving

Giving Choice: School Supplies and Personal Care December 12 th , 2018 Kristin Terez Giving Choice: School Supplies and Personal Care is a two part social action project focused on providing school Project supplies to children in need and

257 views • 15 slides
1 The Reality Choice: the choice to realize I am not God and admit I am powerless to control my

1 The Reality Choice: the choice to realize I am not God and admit I am powerless to control my

1 The Reality Choice: the choice to realize I am not God and admit I am powerless to control my tendency to do the wrong thing. Personal and Group Authenticity The Hope Choice: there is a power greater than me and there is hope. A power greater

625 views • 17 slides
Community Choice Energy Challenge and Opportunity The Business of Local Energy Symposium San

Community Choice Energy Challenge and Opportunity The Business of Local Energy Symposium San

Community Choice Energy Challenge and Opportunity The Business of Local Energy Symposium San Jose, California March 2016 1 Established in 1993, Joint Venture Silicon Valley provides analysis and action on issues affecting our region's economy

372 views • 11 slides
Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc

Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc

Personal Security and Privacy in Personal Security and Privacy in Ubiquitous Computing Marc Langheinrich Institute for Pervasive Computing Institute for Pervasive Computing ETH Zurich, Switzerland Approaches to Security &amp; Privacy in

749 views • 39 slides
REGISTRAR of VOTERS VOTERS CHOICE ACT HISTORY CHANGE VOTE CENTERS SURVEY QUESTIONS CA

REGISTRAR of VOTERS VOTERS CHOICE ACT HISTORY CHANGE VOTE CENTERS SURVEY QUESTIONS CA

REGISTRAR of VOTERS VOTERS CHOICE ACT HISTORY CHANGE VOTE CENTERS SURVEY QUESTIONS CA Legislation SB 450 Passed by the State in 2016 California Voter's Choice Act authorizes specified counties, including Orange County, to conduct

589 views • 39 slides
Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data

Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data

Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data Protecting Personal Data Privacy &amp; Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
SIX IX CHALLENGE QUESTIONS IN INTO SUSTAINABLE TRANSBOUNDARY AQUIF IFERS Panel 2: Estrategias

SIX IX CHALLENGE QUESTIONS IN INTO SUSTAINABLE TRANSBOUNDARY AQUIF IFERS Panel 2: Estrategias

SIX IX CHALLENGE QUESTIONS IN INTO SUSTAINABLE TRANSBOUNDARY AQUIF IFERS Panel 2: Estrategias cooperativas sobre Agua Subterrnea Alfredo Granados-Olivas UACJ April 10, 2019 Challenge question one. How has cooperation among GW

428 views • 6 slides
Advanced Financial Accounting Lecture 15 MCQs Multiple Choice Questions Question 2 10

Advanced Financial Accounting Lecture 15 MCQs Multiple Choice Questions Question 2 10

Professional, Practical, Proven Academy 2019/2020 Advanced Financial Accounting Lecture 15 MCQs Multiple Choice Questions Question 2 10 Questions = 15 marks 2 Aug 19 1 Section 24 of FRS 102 deals with Government grants. Which of the

636 views • 26 slides
WiFi security Joeri de Ruiter Agenda WiFi security WPA(2) Personal Enterprise

WiFi security Joeri de Ruiter Agenda WiFi security WPA(2) Personal Enterprise

Advanced Network Security WiFi security Joeri de Ruiter Agenda WiFi security WPA(2) Personal Enterprise WPA3 Key reinstallaton aaacas 2 WiFi IEEE 802.11 standard Some terminology: Staton (STA) is a

479 views • 46 slides
My Media Use: A Personal Challenge commonsense.org/education Shareable with attribution for

My Media Use: A Personal Challenge commonsense.org/education Shareable with attribution for

DIGITAL CITIZENSHIP | GRADE 7 My Media Use: A Personal Challenge commonsense.org/education Shareable with attribution for noncommercial use. Remixing is permitted. Essential Question What is your strategy for finding media balance?

348 views • 12 slides
Multi-Criteria Decision Analysis and choice of sanitation technology: challenge in urban water

Multi-Criteria Decision Analysis and choice of sanitation technology: challenge in urban water

12 th WWW YES, Arcueil France - 20 26 May 2012 Multi-Criteria Decision Analysis and choice of sanitation technology: challenge in urban water quality of Pouytenga, Burkina Faso Lydie S.A YIOUGO , Halidou KOANDA, Joseph WETHE, Samuel

696 views • 17 slides
Security Service Challenge &amp; Security Monitoring Jinny Chien Academia Sinica Grid Computing

Security Service Challenge &amp; Security Monitoring Jinny Chien Academia Sinica Grid Computing

Enabling Grids for E-sciencE Security Service Challenge &amp; Security Monitoring Jinny Chien Academia Sinica Grid Computing OSCT Security Workshop on 7 th March in Taipei www.eu-egee.org 1 Jinny Chien, ASGC Training and Dissemination

1.05k views • 39 slides

More recommend