Issues in user authentication using security questions Online publication date: Thu, 26-Mar-2015
by Andrew Mangle; Sandip C. Patel
International Journal of Information and Computer Security (IJICS), Vol. 6, No. 4, 2014
Abstract: Security questions are a human-authentication method leveraging unique private knowledge that only the valid user has and provide a reliable means for supplementary authentication. Security questions offer a low-cost alternative for password-resets and provide an additional layer of security beyond the traditional username-and-password protection method. In this survey paper, we review current literature on security questions, examine the issues on their use and identify the areas that need further research. The results of our review indicate that the current literature has acknowledged and discussed how security questions are susceptible to predominantly three types of attacks: blind guess, focused guess and observation. We found gaps in the literature in areas of using automated systems to provide real-time evaluation of responses and providing feedback to users to improve security. Finally, we outline potential directions for future research in using security questions more effectively.
Existing subscribers:
Go to Inderscience Online Journals to access the Full Text of this article.
If you are not a subscriber and you just want to read the full contents of this article, buy online access here.Complimentary Subscribers, Editors or Members of the Editorial Board of the International Journal of Information and Computer Security (IJICS):
Login with your Inderscience username and password:
Want to subscribe?
A subscription gives you complete access to all articles in the current issue, as well as to all articles in the previous three years (where applicable). See our Orders page to subscribe.
If you still need assistance, please email subs@inderscience.com
Our Blog 
Follow us on Twitter 
Visit us on Facebook