A Model to Improve Security Questions Through Individualized Assistance

Andrew Mangle, Sandip Patel, Sanjay Bapna, XingXing Zu, David Gurzick
Copyright: © 2021 |Pages: 23
DOI: 10.4018/IJISP.2021100103

Abstract

Security questions are considered a viable alternative for secondary and supplementary authentication. Security questions are susceptible to three types of attacks: blind (brute force), focused guess (statistical), and observation (research/personal). This research outlines how informing users of potential security threats through a security meter may improve security with minimal impact on usability and trust. A security-question authentication model is proposed that builds on the strengths of security question responses, chiefly their ease of recall and higher entropy, while mitigating the core weaknesses of the model, which are the lack of uniform answers and the public accessibility of answers. Users who were made aware of the entropy of their responses were more likely to provide stronger responses to the security questions, without affecting the repeatability of the responses but negatively impacting their memorability.

1. Introduction

Security questions, also referred to as cognitive, secret, or challenge questions, are a common approach to online authentication. Security questions are based upon information that the user already knows and can readily recall while being sufficiently private to make it difficult for others to know (Just and Aspinall, 2009). The primary driver for implementing security questions as a secondary form of authentication is reducing the costs associated with password resets. The most significant advantage of security questions over traditional passwords (Zviran & Haga, 1990) is that they can be recalled quickly and consistently. Zviran and Haga (1990) pioneered research into security questions before Internet access became widespread. Their drawbacks include the extra time required to select and respond to multiple questions, questions that may not be pertinent to the user, and the user’s need to remember previous responses. Individuals are notoriously bad at, if not incapable of, retaining and recalling high-quality passwords (Ellison, Hall, Milbert, & Schneier, 2000; Kaufman, Perlman, & Speciner, 2002). However, security questions remain relevant because the alternatives are more complicated, add transactional friction, and cost more to implement: SMS messaging requires a device capable of receiving text messages, backup emails require access to another email account, biometrics require appropriate hardware, and authentication tokens require an additional device. This study’s findings suggest that incorporating a security meter increases response strength while minimally impacting usability. A web-based model provided a realistic simulation framework for future assessment of security questions. The security meter is just one approach to improving security questions. Additional research will be necessary to critique and validate the proposed design, including alternative fallback authentication and advanced security testing tools.
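As an added illustration (not the paper's code) of the security meter the abstract describes, the following Python scores a candidate answer against the first two attack classes the paper names, blind (brute force) and focused guess (statistical); the observation attack depends on what is publicly known about the user and cannot be scored from the answer string alone. The answer population, its counts, and the strength thresholds are constructed assumptions, not data from the study.

```python
import math
from collections import Counter

# Constructed frequency table of responses to one fixed question
# ("What was the name of your first pet?"). Sample values, not the paper's data.
ANSWER_POOL = Counter({"max": 15000, "bella": 12000, "buddy": 9000,
                       "charlie": 7000, "lucy": 5000, "snowball": 50})
POOL_SIZE = 100_000  # total responses the table was drawn from (constructed)

def normalize(answer: str) -> str:
    """Canonical form used for matching; this is what improves repeatability."""
    return " ".join(answer.strip().lower().split())

def blind_bits(answer: str) -> float:
    """Brute-force (blind) strength: log2 of the keyspace an attacker must cover.
    Computed on the normalized form, because case folding also shrinks the keyspace."""
    key = normalize(answer)
    classes = 0
    if any(c.isalpha() for c in key):
        classes += 26          # case is folded, so only one alphabet counts
    if any(c.isdigit() for c in key):
        classes += 10
    if any(not c.isalnum() for c in key):
        classes += 33          # printable ASCII punctuation and space
    return len(key) * math.log2(classes) if classes else 0.0

def focused_bits(answer: str) -> float:
    """Statistical (focused-guess) strength: surprisal -log2(p) of the answer
    in the population. An unseen answer is scored as a single occurrence."""
    count = ANSWER_POOL.get(normalize(answer), 0) or 1
    return -math.log2(count / (POOL_SIZE + 1))

def meter(answer: str) -> dict:
    """Security-meter reading shown to the user at enrolment (thresholds assumed)."""
    b, f = blind_bits(answer), focused_bits(answer)
    effective = min(b, f)      # an attacker will choose the cheaper attack
    if effective < 10:
        level = "weak"
    elif effective < 16:
        level = "fair"
    else:
        level = "strong"
    popular = ANSWER_POOL.get(normalize(answer), 0)
    advice = (f"{popular / POOL_SIZE:.1%} of users gave this answer; choose something more specific"
              if popular else "")
    return {"blind_bits": round(b, 1), "focused_bits": round(f, 1),
            "effective_bits": round(effective, 1), "level": level, "advice": advice}
```

Note that an answer unseen in the population can never score above log2(POOL_SIZE + 1) on the focused scale, so the meter's estimate is only as informative as the population behind it.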

1.1 Security Questions Overview

Just (2004) defined security questions as fixed, open, or controlled. The fixed and open types are the most familiar forms of security questions. A fixed question has the user select from a pool of potential questions; the user must choose, usually “as is,” from a limited list. Open questions are written by the user. Controlled questions blend the fixed and open types: the question itself is static, but users have some flexibility to customize it. Just (2004) offered two approaches to controlled questions. The first type of controlled question allows the user to modify the original question text, such as by adding a descriptor (e.g., “My friend ____ lives on this street?”), where the user fills in the underlined content. The second option allows hints that help the user answer the question. For example, the question “A person you met recently” might carry the hint “high school play,” reminding the user that the person in question was met at the high school play.

There are benefits and drawbacks to all three question types. The fixed question offers speed and convenience to the user but may prove inapplicable to the user or hard to remember. Open questions may be more practical and easier to remember but less secure. Asking users to develop their own questions may prove challenging and impede users from completing the process, especially if multiple questions are requested. Controlled questions have the strengths and weaknesses of both open and fixed questions, and the inclusion of hints raises additional security and memorability concerns. All three types have challenges that the authentication system must adequately mitigate.

In terms of security and usability, a fixed question set may reduce the likelihood of selecting an insecure answer but may impede the applicability, memorability, and repeatability of the response. Open questions allow users to phrase their own questions and responses; however, the answers may still be highly insecure and suffer usability issues. System administrators could regulate controlled responses to combine the positive aspects of fixed and open answers. Controlled questions and answers can protect the user’s privacy and improve security while maintaining usability. The study used a pool of 91 fixed questions with open responses.
