Mike Just: Personal Choice and Challenge Questions: A Security and Usability Assessment
Source: Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS2009)
Pages: 1-11
Year: 2009
ISBN: 978-1-60558-736-3
Authors: Mike Just
Abstract
Challenge questions are an increasingly important part of mainstream authentication solutions, yet there are few published studies concerning their usability or security. This paper reports on an experimental investigation into user-chosen questions. We collected questions from a large cohort of students, in a way that encouraged participants to give realistic data. The questions allow us to consider possible modes of attack and to judge the relative effort needed to crack a question, according to an innovative model of the knowledge of the attacker. Using this model, we found that many participants were likely to have chosen questions with low-entropy answers, yet they believed that their challenge questions would resist attacks from a stranger. However, by asking multiple questions, we are able to show a marked improvement in security for most users. In a second stage of our experiment, we applied existing metrics to measure the usability of the questions and answers. Despite having youthful memories and choosing their own questions, users made errors more frequently than desirable.
Notes
The problem with secret questions
It turns out that letting users choose their own secret questions makes them very weak. Using multiple secret questions makes things somewhat better?
People apparently get their own answers wrong fairly often.
There are problems of applicability and repeatability:
Applicability: How widely applicable is the given question?
Memorability: How easy is it for the user to recall the answer?
Repeatability: How accurately can the answer be replayed, without syntactic or semantic ambiguity?
When users are made to create their own questions, the result is often useless:
questions that can be solved immediately
questions whose answers cannot be remembered
What kind of secret questions should be used?
Comments
Toshiyuki Masui:
So the point is that it is hard to create questions that are both hard to forget and hard to guess?
Isn't there a fundamental problem with how the questions are chosen?
Were the answers entered as free text rather than selected from a list?