Institute for Communicating and Collaborative Systems (ICCS) Seminar Series

Invited Talk by Mike Just - 13 February 2009

Challenge Questions: Authentication's Weakest Link?

Challenge Questions are today's response to a forgotten password. By providing your "Mother's Maiden Name" or "First Pet's Name," a user can easily regain access to their account. After all, passwords are notoriously difficult to recall, especially given the complex rules and the large quantity of passwords associated with the average user. And challenge questions typically solicit information that a user already knows. But how 'easy' are challenge questions to use? Are the answers memorable for users? Are the answers similarly easy for an attacker to guess? Despite their ubiquity, there is surprisingly little academic research into their security and usability. In this talk, you will learn the results of several recent studies on the security and usability of challenge questions, including why they may even be less secure than passwords.
