Quantifying the security of preference-based authentication
Source
Conference on Computer and Communications Security archive
Proceedings of the 4th ACM workshop on Digital identity management table of contents
Alexandria, Virginia, USA
SESSION: Novel services table of contents
Pages 61-70  
Year of Publication: 2008
ISBN: 978-1-60558-294-8
Authors
Markus Jakobsson  Palo Alto Research Center, Palo Alto, CA, USA
Liu Yang  Stevens Institute of Technology, Hoboken, NJ, USA
Susanne Wetzel  Stevens Institute of Technology, Hoboken, NJ, USA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 7,   Downloads (12 Months): 149,   Citation Count: 0
DOI: http://doi.acm.org/10.1145/1456424.1456435

ABSTRACT

We describe a technique aimed at addressing longstanding problems for password reset: security and cost. In our approach, users are authenticated using their preferences. Experiments and simulations have shown that the proposed approach is secure, fast, and easy to use. In particular, the average time for a user to complete the setup is approximately two minutes, and the authentication process takes only half that time. The false negative rate of the system is essentially 0% for our selected parameter choice. For an adversary who knows the frequency distributions of answers to the questions used, the false positive rate of the system is estimated at less than half a percent, while the false positive rate is close to 0% for an adversary without this information. Both of these estimates have a significance level of 5%.

