Building Robust and Automatic Authentication Systems with Activity-Based Personal Questions - PowerPoint PPT Presentation

Provided by: anitra
1
Building Robust and Automatic Authentication
Systems with Activity-Based Personal Questions
  • Mentor Danfeng Yao
  • Anitra Babic
  • Chestnut Hill College
  • Computer Science Department

2
Background
  • A secret question is a question that is often
    asked as a secondary authentication challenge
  • Examples include
  • What is your pet's name?
  • What is your favorite song?
  • What was the name of your first school?
  • This sort of security has appeared on
  • Gmail, Yahoo! Mail, Hotmail, AOL, Facebook

3
Secret Questions Online
4
Negative Results of Secret Questions
  • A Microsoft study found that currently
    implemented secret questions are far from
    foolproof
  • Focused on the top four email providers' secret
    questions
  • 17% of a user's friends could guess the answer on
    the first try
  • 13% could do it within 5 tries
  • 13% are statistically guessable
  • The study focused on making secret questions
    easier to remember for the user
  • Recognized problems
  • Not secure, difficult to remember

Schechter, S., Brush, A. J., Egelman, S. (2008). It's No Secret: Measuring the security and reliability of authentication via 'secret' questions. 1-16.
5
Activity Based Authentication Requirements
  • Question requirements
  • Secrecy: dynamically change the questions whenever
    the challenge fails
  • Memorability: users recall their most recent
    activity
  • Non-intrusiveness: runs in the background, no
    user updating
  • Adaptability: questions can be produced
    automatically and dynamically each day

6
Activity Based Authentication Categories
  • Network activity: focus on the size, type,
    history, and content of user network activity.
  • Secrecy relative to popularity of sites visited
  • Physical events: information gathered from
    emails, virtual calendars, etc.
  • Secrecy relative to how many people are attending
    the event
  • Conceptual opinions: analyzes browsing history
    and emails to generate questions
  • Possibly vulnerable to random guessing attacks.
  • The k-out-of-n rule: users need to answer
    correctly k questions out of the n provided
  • For example, if there are three choices, then the
    probability of correctly guessing k questions is
    (1/3)^k, assuming equal likelihood and uniform
    distribution
  • The attack success rate is low for a reasonably
    small k, e.g., 1% for k = 4 (assuming equal likelihood)
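To make the guessing arithmetic on this slide concrete, here is an added Python example (not part of the presentation or of the authors' system). It reproduces the (1/3)^k figure and goes beyond the slide in three ways: the general k-out-of-n case where a guesser passes with any k of n questions (a binomial tail, which is larger than (1/3)^k when n > k), the cumulative success over repeated attempts when questions are regenerated after every failure, and the contrast case of a static challenge whose answer space an attacker can simply enumerate. The parameter values (3 choices, k = 4, n = 6, 5 or 81 attempts) are illustrative.

```python
from fractions import Fraction
from math import comb


def guess_all_k(choices, k):
    """Probability that a uniform random guesser answers k specific
    multiple-choice questions correctly: (1/choices)**k, the slide's figure."""
    return Fraction(1, choices) ** k


def guess_at_least_k_of_n(choices, k, n):
    """General k-out-of-n rule: the guesser passes if at least k of the n
    questions are right. Binomial tail with per-question success 1/choices.
    For n > k this exceeds guess_all_k(choices, k), so offering spare
    questions costs security unless k grows with n."""
    if not 0 <= k <= n:
        raise ValueError("need 0 <= k <= n")
    p = Fraction(1, choices)
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def guess_within_attempts(per_challenge, attempts):
    """Cumulative success over independent challenges. This models the
    'dynamically change questions whenever the challenge fails' requirement:
    every attempt faces fresh questions, so failures teach the guesser nothing."""
    return 1 - (1 - per_challenge) ** attempts


def guess_static_enumeration(choices, k, attempts):
    """Contrast case: the same k questions are reused after a failure, so the
    guesser can walk the choices**k answer combinations one per attempt."""
    space = choices**k
    return Fraction(min(attempts, space), space)


if __name__ == "__main__":
    q = guess_all_k(3, 4)
    print(f"4 of 4 questions, 3 choices each: {q} = {float(q):.4f}")
    print(f"at least 4 of 6 questions:        {float(guess_at_least_k_of_n(3, 4, 6)):.4f}")
    for tries in (5, 81):
        dyn = float(guess_within_attempts(q, tries))
        sta = float(guess_static_enumeration(3, 4, tries))
        print(f"{tries:3d} attempts: regenerated {dyn:.4f} vs static {sta:.4f}")
```

The exact fractions make the comparison unambiguous: with 81 possible answer combinations, a static 4-question challenge is certain to fall within 81 attempts, while regenerated questions leave a guesser below two-thirds success at that point, which is why the secrecy requirement pairs with a lockout or rate limit rather than replacing one.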

7
Architectural Design of System
  • Client-server architecture
  • The server utilizes the logged user transaction data
    to extract questions and answers
  • Two phases, setup and authentication
  • General model deployable on servers that provide
    network-related services
  • Server logs provide the information T
  • May be an email/calendar server or an eCommerce
    server

Image and Architecture designed by Huijun Xiong
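The two phases above can be shown end to end on a small log. The following Python example is added here and is not the presentation's or Huijun Xiong's code; the order-log format, the user names and the purchases are all constructed, standing in for the server logs the slide mentions (here an eCommerce server). Setup derives multiple-choice questions from a user's most recent transactions, with distractors drawn from other users' activity; authentication applies the k-out-of-n rule; `item_popularity` shows the "secrecy relative to popularity" signal from the previous slide, since an item many users bought is weak question material.

```python
import random

# Constructed sample e-commerce order log (hypothetical format and data),
# standing in for the server logs the slide's server would read.
SAMPLE_LOG = """\
2010-06-01T09:12:03 user=alice action=purchase item=Headphones
2010-06-01T10:45:19 user=bob action=purchase item=Keyboard
2010-06-02T14:02:55 user=alice action=purchase item=Running_Shoes
2010-06-03T08:31:40 user=carol action=purchase item=Headphones
2010-06-03T19:20:07 user=alice action=purchase item=Coffee_Maker
2010-06-04T11:05:12 user=dave action=purchase item=Monitor
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a 'ts' field."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = ts
        events.append(rec)
    return events


def item_popularity(events):
    """Distinct buyers per item: the 'secrecy relative to popularity' signal.
    Items many users buy make weaker secrets and poorer question material."""
    buyers = {}
    for e in events:
        buyers.setdefault(e["item"], set()).add(e["user"])
    return {item: len(users) for item, users in buyers.items()}


def setup_phase(events, user, n_questions=2, n_choices=3, seed=None):
    """Setup phase: take the user's most recent purchases from the log and
    build one n_choices-way question per purchase. Distractors are items the
    user never bought, so the right answer is not the only familiar option.
    A seed is only for reproducible tests; production uses SystemRandom."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    mine = sorted(
        (e for e in events if e["user"] == user and e["action"] == "purchase"),
        key=lambda e: e["ts"], reverse=True,
    )
    bought = {e["item"] for e in mine}
    pool = sorted({e["item"] for e in events} - bought)
    if len(pool) < n_choices - 1:
        raise ValueError("not enough distractor items in the log")
    questions = []
    for e in mine[:n_questions]:
        choices = rng.sample(pool, n_choices - 1) + [e["item"]]
        rng.shuffle(choices)
        questions.append({
            "text": f"Which item did you buy on {e['ts'][:10]}?",
            "choices": choices,
            "answer": e["item"],  # stays server-side, never sent to the client
        })
    return questions


def challenge_for_client(questions):
    """What is actually sent to the user: question text and choices, no answers."""
    return [{"text": q["text"], "choices": q["choices"]} for q in questions]


def authenticate_phase(questions, responses, k):
    """Authentication phase, k-out-of-n: pass if at least k responses match.
    After a failure the caller runs setup_phase again so the questions change."""
    correct = sum(1 for q, r in zip(questions, responses) if r == q["answer"])
    return correct >= k


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("popularity:", item_popularity(events))
    qs = setup_phase(events, "alice", seed=7)
    for q in challenge_for_client(qs):
        print(q["text"], q["choices"])
    print("pass:", authenticate_phase(qs, [q["answer"] for q in qs], k=2))
```

Keeping the answers out of `challenge_for_client` and regenerating questions in `setup_phase` after each failed `authenticate_phase` are the two places where the secrecy requirement from slide 5 is enforced; everything else is ordinary log parsing.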
8
Architecture of an Activity Based Authentication
System
Image and Architecture designed by Huijun Xiong
9
Preliminary Experiments and Results
  • Survey of 12 questions, four from each activity
    based question category
  • Participants were asked to answer, then to guess what
    the others had answered
  • Had 4 participants, all with the same mentor
  • Temporal-based questions were the most robust
  • Work-related questions were the most vulnerable
  • Opinion-based questions were hard to attack
  • All questions were found to be memorable

10
Survey Results
11
Current and Future Work
  • Currently planning a study to compare
    conventional authentication questions with ours
  • Expanding our study to more diverse participants
  • Plan to implement a prototype with the
    integration of semantic web and natural language
    processing techniques.
  • Start with an email server
  • Plan to explore the potential application of a
    host-based detection system against malicious
    botnets.

12
Acknowledgements
  • Danfeng Yao
  • Huijun Xiong
  • Alex Crowell
  • Chih-Cheng Chang

13
Questions