It’s no secret: Measuring the security and reliability of authentication via ‘secret’ questions
Stuart Schechter, A. J. Bernheim Brush, Serge Egelman
IEEE S&P ’09
Presented by: HAN Jin
Outline
• Motivation & Introduction
• Background
• Study recruitment and methodology
• Discussion
Motivation
• Forums, blogs and online games can authenticate users who have forgotten their passwords via their email addresses; webmail services cannot always do so, because the email account is the very thing being recovered.
• All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords.
Motivation
• The most recent burst of attention: in 2008, vice presidential nominee Sarah Palin’s Yahoo! account was compromised by someone who researched the answer to the question “Where did you meet your spouse?”
• Despite the consequences of authentication failures, the four largest webmail providers require only one question to be answered in order to reset an account’s password.
Introduction
• To quantify the security and reliability of personal authentication questions as they are used today, the authors ran a user study of the questions used by all four top webmail providers.
Study Recruitment
• 4 separate days (March 22 to June 23, 2008)
• 130 participants
• 64 male, 66 female
• A diversity of ages and professions
Participant recruitment
• The recruiting team selected participants from a larger pool of potential participants maintained for all studies at Microsoft.
• All participants were required to have partners; the categories of relationships between participants and their partners are broken down in Table 2c.
Initial laboratory visit
• Two-hour visit
Tricky parts
• Awards: they offered two prizes (an XBOX 360 and a Zune digital music player) and gave participants a virtual lottery ticket for each question they both answered and later recalled.
• The authors anticipated that participants might:
1. try to increase their chance of recalling their answers by providing the same answer for all questions
– so they added a rule that eliminated rewards for recalling the same answer numerous times
2. record their answers
– so they did not inform participants that they would follow up to test their recollections in the future
Reliability (memorability) follow-up
• Answers were judged to be correct recollections if they differed from the original only in the use of white space, punctuation, and capitalization.
• To encourage participants to do their best at recalling their original answers, the authors offered all participants a new incentive, again based on the percentage of answers they recalled:
– the top quartile received an Amazon.com gift card worth $15, the second quartile one worth $10, the third $5, and the last quartile received no performance-based gratuity
– in addition, all participants received some form of base gratuity just for participating
Answer comparison algorithms
• equality: exact match after normalizing white space, punctuation, and capitalization. An artifact of their study: the Illume survey software they used to collect the answers fails to store carriage returns
• substring: a guess was treated as valid if it contained a substring that matched the original answer
• distance: the Levenshtein edit distance algorithm
Answer comparison algorithms (cont.)
• distance algorithm:
– reduced the cost of transposing two adjacent characters (‘swapped’ vs ‘sawpped’) from two to one
– allowed one error (an edit distance cost of one) for every five characters in the original answer
• Changing from substring to distance:
– reduced the number of answers forgotten (not recalled within 5 attempts) by 2.5% (an 11.3% relative reduction)
– increased the percentage of answers guessed by participants’ partners by 1.4% (a 6.8% relative increase)
Closer analysis
• The trade-off was well worth it: in 34 of the 40 cases where a guess was treated as incorrect by the substring algorithm but correct by the distance algorithm (85%), the guessing partner clearly knew the correct answer.
• The difference was a one-character typing error that an attacker could easily fix with a second guess, so the looser algorithm mostly admits guesses that would have succeeded anyway.
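The three comparison rules above, as an added example that is not part of the slides or the paper’s own code. It reimplements equality, substring and distance matching (with the unit-cost adjacent transposition and the one-error-per-five-characters budget the slides describe) and runs them over a small constructed set of owner recollections and partner guesses, so the reliability/security trade-off shows up in the counts: the owner’s transposition typo is rescued only by the distance rule, but so is the partner’s near miss. The normalization step, rounding the error budget down to whole characters, and the sample answers are my assumptions; the paper may differ in those details.

```python
"""Comparison rules for recovered secret-question answers (added example)."""
import re


def normalize(s: str) -> str:
    """Ignore white space, punctuation and capitalization, as the study did."""
    return re.sub(r"[\W_]+", "", s.casefold())


def equality_match(original: str, guess: str) -> bool:
    return normalize(original) == normalize(guess)


def substring_match(original: str, guess: str) -> bool:
    """A guess is valid if it contains the original answer as a substring."""
    return normalize(original) in normalize(guess)


def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance with adjacent transpositions charged 1 instead of 2
    (optimal string alignment), so 'swapped' vs 'sawpped' costs 1."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def error_budget(original: str) -> int:
    """One error per five characters of the normalized original answer;
    rounding down is my assumption, the slides do not say."""
    return len(normalize(original)) // 5


def distance_match(original: str, guess: str) -> bool:
    o, g = normalize(original), normalize(guess)
    return osa_distance(o, g) <= error_budget(original)


ALGORITHMS = {
    "equality": equality_match,
    "substring": substring_match,
    "distance": distance_match,
}

# Constructed trials (not study data): (original answer, attempt, who attempted)
TRIALS = [
    ("Fluffy",      "fluffy",          "owner"),    # capitalization only
    ("St. Mary's",  "st marys",        "owner"),    # punctuation/space only
    ("Springfield", "Springfeild",     "owner"),    # owner's transposition typo
    ("Springfield", "springfield, IL", "partner"),  # guess contains the answer
    ("Springfield", "Springfeild",     "partner"),  # partner knew it but typo'd
    ("Rover",       "Rex",             "partner"),  # genuinely wrong guess
]


def evaluate(trials=TRIALS) -> dict:
    """Per algorithm: how many owner attempts count as recalled and how many
    partner attempts count as guessed. Looser matching raises both numbers."""
    table = {}
    for name, accept in ALGORITHMS.items():
        table[name] = {
            "recalled": sum(1 for o, g, who in trials if who == "owner" and accept(o, g)),
            "guessed":  sum(1 for o, g, who in trials if who == "partner" and accept(o, g)),
        }
    return table


if __name__ == "__main__":
    for name, counts in evaluate().items():
        print(f"{name:9s} recalled={counts['recalled']} guessed={counts['guessed']}")
```

On the constructed trials the counts move exactly as the slides report in aggregate: going from substring to distance gains one recalled answer and one guessed answer, and the extra guess admitted is the partner’s one-character typo of an answer they already knew.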
Results
Real-world memorability results
• Resetting a Hotmail password requires a correct answer to a personal question and the correct zip code.
• Only 43 of the 99 participants who reported back (43%) were able to provide both the correct answer to their personal question and their zip code. Of the 57% who failed:
– 75% were unable to answer their personal question
– 31% were unable to recall the zip code
– a surprising 13% of participants suspected that the reason they could not answer their personal question was that they had intentionally provided a bogus answer when setting up their account
Main results
• The results for all questions used by the top four webmail services (as of March 2008) are summarized in Table 4 along four dimensions:
– Willingness to answer: responses of “not willing”, “unknown”, and “don’t have one”
– Reliability (memorability)
– Security against statistical guessing: an answer is deemed vulnerable to this attack if it is among the five most popular answers provided by other participants (excluding the participant’s partner)
– Security against guessing by acquaintances
Top left part of the result table
Top right of the result table
Results analysis
• Google’s questions performed best: the overall guess rate was just 4%.
• Questions with answers that participants found easiest to recall appeared to be those that their partners found easiest to guess.
• A non-parametric Kendall test, examining the correlation between the fraction of answers recalled for each question and the fraction guessed by participants’ partners, indicates a strong correlation,
The security of user-written questions
2. Vulnerable with no personal knowledge other than geographic region (31 of 127, 24%)
i. Answer can be found via a simple web search (2, 2%), e.g. “What’s your favorite cookie at Panera Bakery?”
ii. Answer space ≤ 5 (11, 8%), ≤ 10 (15, 12%) and ≤ 25 (18, 14%), e.g. “How many children do I have?”, “What is my blood type?”
iii. Answer high on easily searchable popularity lists: top 5 (6, 5%), top 25 (11, 7%), e.g. “Favorite food”, “What sports team would you love to see lose?”
3. Vulnerable to coworkers, clients, or family members (32 of 127, 25%)
Discussions
• Improving questions to reduce vulnerability to statistical guessing attacks:
– responses could be penalized in proportion to their popularity
– reduce the proportion of popular answers by rejecting answers that exceed a certain threshold of popularity (e.g. 1%)
• Alternative backup authenticators:
– authentication via a code sent to an alternate email address: not viable for users’ primary email accounts
– mobile phones: frequently shared, lost, and stolen
– user-selected trustees who vouch for the identity of the user
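The statistical-guessing criterion from the Main results slide (an answer is vulnerable if it is among the five most popular answers given by other participants) and the two popularity-based defences proposed above, as an added example that is not code from the paper. It builds a constructed corpus of answers to one question, produces the list a statistical-guessing attacker would submit and the share of accounts it would open, flags a given answer as statistically guessable, applies the enrolment-time rejection of answers above a popularity threshold (the 1% figure is the slide’s own example), and gives one reading of “penalize in proportion to popularity” as a -log2(share) score. The corpus, function names, normalization and the smoothing for unseen answers are my assumptions; the caller is responsible for passing a corpus that excludes the participant’s own answer and their partner’s, as the study did.

```python
"""Popularity checks for secret-question answers (added example, not the paper's code)."""
from collections import Counter
import math
import re


def normalize(s: str) -> str:
    return re.sub(r"[\W_]+", "", s.casefold())


# Constructed corpus of 100 answers to one question from other users (not study data).
CORPUS = (["pizza"] * 30 + ["sushi"] * 15 + ["pasta"] * 12 + ["tacos"] * 9
          + ["steak"] * 8 + ["curry"] * 5 + ["ramen"] * 3
          + ["borscht", "pho", "falafel", "kimchi", "haggis", "paella",
             "goulash", "injera", "poutine", "ceviche", "biryani", "pierogi",
             "jollof", "moussaka", "laksa", "tagine", "feijoada", "bibimbap"])


def popularity(corpus) -> Counter:
    """Counts of normalized answers."""
    return Counter(normalize(a) for a in corpus)


def top_answers(corpus, k: int = 5) -> list:
    """The k most popular answers: exactly the guess list a statistical-guessing
    attacker submits, most popular first."""
    return [a for a, _ in popularity(corpus).most_common(k)]


def statistically_guessable(answer: str, other_answers, k: int = 5) -> bool:
    """The slides' criterion: vulnerable if the answer is among the k most popular
    answers of OTHER participants (caller excludes self and partner)."""
    return normalize(answer) in top_answers(other_answers, k)


def attacker_success_rate(corpus, k: int = 5) -> float:
    """Fraction of accounts opened by an attacker who gets k guesses per account
    and always submits the k most popular answers."""
    pop = popularity(corpus)
    return sum(n for _, n in pop.most_common(k)) / sum(pop.values())


def answer_share(answer: str, corpus) -> float:
    pop = popularity(corpus)
    return pop[normalize(answer)] / sum(pop.values())


def accept_at_enrolment(answer: str, corpus, max_share: float = 0.01) -> bool:
    """Defence from the Discussion: reject an answer whose share of the existing
    population exceeds max_share (1% in the slide's example)."""
    return answer_share(answer, corpus) <= max_share


def surprisal_bits(answer: str, corpus) -> float:
    """'Penalize in proportion to popularity', read here as -log2(share): a
    popular answer earns few bits, a rare one many. Unseen answers are credited
    as if seen once (my smoothing choice), so novelty is not rewarded unboundedly."""
    pop = popularity(corpus)
    n = sum(pop.values())
    return -math.log2(max(pop[normalize(answer)], 1) / n)


if __name__ == "__main__":
    print("attacker's guess list:", top_answers(CORPUS))
    print(f"accounts opened with 5 guesses: {attacker_success_rate(CORPUS):.0%}")
    for a in ("Pizza!", "ramen", "borscht", "natto"):
        print(f"{a:8s} guessable={statistically_guessable(a, CORPUS)} "
              f"accept={accept_at_enrolment(a, CORPUS)} bits={surprisal_bits(a, CORPUS):.2f}")
```

On this corpus five guesses open 74% of accounts, which is the point of the attack: no per-account knowledge is needed. The 1% threshold rejects every answer an attacker would put on that list, and the surprisal score lets a policy demand a minimum total across several questions instead of a hard cut-off.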
Related Work
• Two earlier works on the use of personal questions for authentication:
– Zviran and Haga, 1990 [17]
– Podd et al., 1996
• The authors extend prior research by:
– measuring the security of those questions against guessing not just by significant others, but by untrusted acquaintances as well
– examining the vulnerability of those questions to statistical guessing attacks
Epilog
• On November 12, 2008, the authors contacted AOL, Google, and Yahoo! to provide them with a draft of the paper and to share their intent to publish it at this symposium.
• By February 2009, Yahoo! had replaced all nine of the personal authentication questions that its users may choose from when signing up for a new account.
My conclusion
• Aim for the top: webmail providers, conference
• Good funding
• Easily extendable