A Model to Improve Security Questions Through Individualized Assistance

Abstract

Security questions are considered a viable alternative for secondary and supplementary authentication. Security questions are susceptible to three types of attacks: blind (brute force), focused guess (statistical), and observation (research/personal). This research outlines how informing users of potential security threats through a security meter may improve security with minimal impact on usability and trust. A security-question authentication model is proposed that builds on the strengths of security question responses, chiefly their ease of recall and higher entropy, while mitigating the core weaknesses of the model, which are the lack of uniform answers and public accessibility to answers. Users that were made aware of the entropy of their responses were more likely to provide stronger responses to the security questions without affecting the repeatability of the responses to the questions but negatively impacting the memorability.