Title: Building Robust and Automatic Authentication Systems with Activity-Based Personal Questions
1. Building Robust and Automatic Authentication Systems with Activity-Based Personal Questions
- Mentor: Danfeng Yao
- Anitra Babic
- Chestnut Hill College
- Computer Science Department
2. Background
- A secret question is a question that is often asked as a secondary authentication challenge
- Examples include
  - What is your pet's name?
  - What is your favorite song?
  - What was the name of your first school?
- This sort of security has appeared on
  - Gmail, Yahoo! Mail, Hotmail, AOL, Facebook
3. Secret Questions Online
4. Negative Results of Secret Questions
- A Microsoft study found that currently implemented secret questions are far from foolproof
  - Focused on the top four email providers' secret questions
  - 17% of a user's friends could guess the answer on the first try
  - 13% could do it within 5 tries
  - 13% are statistically guessable
- The study focused on making secret questions easier to remember for the user
- Recognized problems
  - Not secure, difficult to remember

Schechter, S., Brush, A. J., Egelman, S. (2008). It's No Secret: Measuring the security and reliability of authentication via 'secret' questions. 1-16.
5. Activity-Based Authentication Requirements
- Question requirements
  - Secrecy: dynamically change the questions whenever the challenge fails
  - Memorability: users recall their most recent activity
  - Non-intrusiveness: runs in the background, no user updating
  - Adaptability: questions can be produced automatically and dynamically each day
6. Activity-Based Authentication Categories
- Network activity: focus on the size, type, history, and content of the user's network activity
  - Secrecy relative to the popularity of the sites visited
- Physical events: information gathered from emails, virtual calendars, etc.
  - Secrecy relative to how many people are attending the event
- Conceptual opinions: analyzes browsing history and emails to generate questions
  - Possibility that they may be vulnerable to random guessing attacks
- The k-out-of-n scheme, where users need to answer correctly k questions out of the n provided
  - For example, if there are three choices then the probability of correctly guessing k questions is (1/3)^k, assuming equal likelihood and uniform distribution
  - The attack success rate is low for a reasonably small k, e.g., 1% for k = 4 (assuming equal likelihood)
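Worked example, added here and not part of the original slides: the random-guessing success rate of the k-out-of-n challenge, computed both with the deck's simplification (1/3)^k (the guesser must get all k answers right) and with the exact binomial tail for "at least k of n correct", which is the figure that matters when the server presents n questions and accepts any k correct. Function names and the n = 4 illustration are my own.

```python
from fractions import Fraction
from math import comb


def slide_estimate(k: int, choices: int = 3) -> Fraction:
    """The deck's simplification: the guesser must get all k questions right,
    each a uniform pick among `choices` answers, so P = (1/choices)^k."""
    return Fraction(1, choices) ** k


def at_least_k_of_n(k: int, n: int, choices: int = 3) -> Fraction:
    """Exact random-guess success rate for a k-out-of-n challenge: at least k
    of n independent questions answered correctly, each with probability
    1/choices (binomial tail). Equals slide_estimate(k) when n == k."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    p = Fraction(1, choices)
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def smallest_k_for_budget(n: int, budget: Fraction, choices: int = 3):
    """Smallest k in 1..n whose random-guess success rate is at or below
    `budget` (e.g. Fraction(2, 100) for 2%); None if even k == n exceeds it.
    Useful for choosing how many of the n daily questions must be answered."""
    for k in range(1, n + 1):
        if at_least_k_of_n(k, n, choices) <= budget:
            return k
    return None


if __name__ == "__main__":
    # Constructed illustration: a challenge of n = 4 three-choice questions.
    # Accepting fewer than all 4 correct raises the guesser's odds sharply.
    for k in range(1, 5):
        print(f"k={k} of n=4: exact {float(at_least_k_of_n(k, 4)):.4f}, "
              f"all-k-correct estimate {float(slide_estimate(k)):.4f}")
```

With n = 4 and k = 4 both figures coincide at 1/81 (about 1.2%, the deck's "1%"); relaxing to k = 3 lets a random guesser succeed 1/9 of the time.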
7. Architectural Design of System
- Client-server architecture
  - The server utilizes the logged user transaction data to extract questions and answers
  - Two phases: setup and authentication
- General model deployable on servers that provide network-related services
  - Server logs provide information T
  - Maybe an email/calendar server or an eCommerce server

Image and architecture designed by Huijun Xiong
8. Architecture of an Activity-Based Authentication System

Image and architecture designed by Huijun Xiong
9. Preliminary Experiments and Results
- Survey of 12 questions, four from each activity-based question category
- Participants were asked to answer, then guess what the others had answered
- Had 4 participants, same mentor
- Temporal-based questions were the most robust
- Work-related questions were the most vulnerable
- Opinion-based questions were hard to attack
- All questions were found to be memorable
10. Survey Results
11. Current and Future Work
- Currently planning a study to compare conventional authentication questions with ours
- Expanding our study to more diverse participants
- Plan to implement a prototype integrating semantic web and natural language processing techniques
  - Start with an email server
- Plan to explore the potential application of a host-based detection system against malicious botnets
12. Acknowledgements
- Danfeng Yao
- Huijun Xiong
- Alex Crowell
- Chih-Cheng Chang
13. Questions