DOI: 10.1145/1456424.1456435
Research article

Quantifying the security of preference-based authentication

Published: 31 October 2008

Abstract

We describe a technique aimed at addressing longstanding problems for password reset: security and cost. In our approach, users are authenticated using their preferences. Experiments and simulations have shown that the proposed approach is secure, fast, and easy to use. In particular, the average time for a user to complete the setup is approximately two minutes, and the authentication process takes only half that time. The false negative rate of the system is essentially 0% for our selected parameter choice. For an adversary who knows the frequency distributions of answers to the questions used, the false positive rate of the system is estimated at less than half a percent, while the false positive rate is close to 0% for an adversary without this information. Both of these estimates have a significance level of 5%.


Published In

DIM '08: Proceedings of the 4th ACM workshop on Digital identity management
October 2008
112 pages
ISBN: 9781605582948
DOI: 10.1145/1456424

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. password reset
      2. preference-based authentication
      3. security question
      4. simulation

Conference

CCS08

      Acceptance Rates

      Overall Acceptance Rate 16 of 34 submissions, 47%

Cited By

• (2019) Characterizing Conflicting User Values for Cyber Authentication Using a Virtual Public Values Forum. Decision Analysis, 16(3):157-171. DOI: 10.1287/deca.2018.0383. Online publication date: 15-Aug-2019.
• (2019) Evaluating Login Challenges as a Defense Against Account Takeover. The World Wide Web Conference, pages 372-382. DOI: 10.1145/3308558.3313481. Online publication date: 13-May-2019.
• (2017) End-to-End Passwords. Proceedings of the 2017 New Security Paradigms Workshop, pages 107-121. DOI: 10.1145/3171533.3171542. Online publication date: 1-Oct-2017.
• (2015) Locked Your Phone? Buy a New One? From Tales of Fallback Authentication on Smartphones to Actual Concepts. Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services, pages 295-305. DOI: 10.1145/2785830.2785839. Online publication date: 24-Aug-2015.
• (2015) Secrets, Lies, and Account Recovery. Proceedings of the 24th International Conference on World Wide Web, pages 141-150. DOI: 10.1145/2736277.2741691. Online publication date: 18-May-2015.
• (2014) Towards reliable storage of 56-bit secrets in human memory. Proceedings of the 23rd USENIX conference on Security Symposium, pages 607-623. DOI: 10.5555/2671225.2671264. Online publication date: 20-Aug-2014.
• (2013) Alice and Bob in Love. Security Protocols XVII, pages 189-198. DOI: 10.1007/978-3-642-36213-2_23. Online publication date: 2013.
• (2012) Improved Visual Preference Authentication. Proceedings of the 2012 Workshop on Socio-Technical Aspects in Security and Trust (STAST), pages 27-34. DOI: 10.1109/STAST.2012.13. Online publication date: 25-Jun-2012.
• (2012) The Quest to Replace Passwords. Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 553-567. DOI: 10.1109/SP.2012.44. Online publication date: 20-May-2012.
• (2012) Training Johnny to Authenticate (Safely). IEEE Security & Privacy Magazine, 10(1):37-45. DOI: 10.1109/MSP.2011.129. Online publication date: Jan-2012.
