Title: Issues in user authentication using security questions

Authors: Andrew Mangle; Sandip C. Patel

Addresses: Department of Computer and Information Sciences, Towson University, 7800 York Road, Towson, MD 21252, USA; Department of Information Science and Systems, Morgan State University, 1700 East Cold Spring Lane, Baltimore, MD 21251, USA

Abstract: Security questions are a human-authentication method that leverages private knowledge only the legitimate user should have, and they provide a reliable means of supplementary authentication. Security questions offer a low-cost alternative for password resets and provide an additional layer of security beyond the traditional username-and-password method. In this survey paper, we review the current literature on security questions, examine the issues in their use and identify the areas that need further research. The results of our review indicate that the current literature has acknowledged and discussed how security questions are susceptible to three main types of attack: blind guess, focused guess and observation. We found gaps in the literature in the areas of using automated systems to provide real-time evaluation of responses and of providing feedback to users to improve security. Finally, we outline potential directions for future research in using security questions more effectively.
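The abstract names two of the attack classes (blind guess and focused guess) and identifies real-time evaluation of responses with user feedback as a gap. The following is an added illustration of what such an evaluator could look like; it is example code written for this page, not a method from the paper or its authors. The population frequencies, the profile fields, the 4-bits-per-character estimate and the 20-bit acceptance floor are all constructed assumptions, not measured data. Observation attacks are not modelled, since they depend on the channel rather than on the answer itself.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed population statistics for one hypothetical question
# ("What is your favourite colour?"): answer -> fraction of users giving it.
# These figures are illustrative, not measured data.
COMMON_ANSWERS = {
    "blue": 0.28,
    "red": 0.15,
    "green": 0.12,
    "purple": 0.08,
    "black": 0.07,
    "pink": 0.05,
}


def normalize(answer: str) -> str:
    """Canonical form used for comparison: trimmed, lower-cased, single spaces."""
    return re.sub(r"\s+", " ", answer.strip().lower())


def tokens(text: str) -> set[str]:
    """Lower-cased word tokens of length >= 3 (short words are too noisy)."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) >= 3}


@dataclass
class Profile:
    """Facts an attacker could harvest about the user (hypothetical fields)."""
    name: str = ""
    city: str = ""
    pet: str = ""
    public_posts: list[str] = field(default_factory=list)

    def known_tokens(self) -> set[str]:
        out: set[str] = set()
        for s in [self.name, self.city, self.pet, *self.public_posts]:
            out |= tokens(s)
        return out


def blind_guess_rank(answer: str, common: dict[str, float] = COMMON_ANSWERS):
    """1-based rank of the answer among the population's most common answers, or None.

    An attacker who tries the k most common answers succeeds against every user
    whose answer has rank <= k, so a small rank means the answer is effectively public.
    """
    a = normalize(answer)
    ranked = sorted(common, key=lambda k: -common[k])
    return ranked.index(a) + 1 if a in ranked else None


def focused_guess_hits(answer: str, profile: Profile) -> set[str]:
    """Tokens of the answer that also appear in what is known about the user."""
    return tokens(answer) & profile.known_tokens()


def guess_entropy_bits(answer: str, common: dict[str, float] = COMMON_ANSWERS) -> float:
    """Rough bits of work for a guessing attacker.

    Common answers: -log2(frequency). Others: a crude length-based floor,
    capped, so that short free-text answers are not over-credited (assumption).
    """
    a = normalize(answer)
    if a in common:
        return -math.log2(common[a])
    return min(40.0, 4.0 * len(a))


def evaluate(answer: str, profile: Profile, budget: int = 3, min_bits: float = 20.0):
    """Return (accepted, feedback) for a proposed security-question answer.

    budget: number of guesses assumed for a blind-guess attacker (assumption).
    min_bits: minimum estimated guessing work to accept (assumption).
    """
    feedback = []
    rank = blind_guess_rank(answer)
    if rank is not None and rank <= budget:
        feedback.append(
            f"'{answer}' is the #{rank} most common answer; "
            f"a blind guess of the top {budget} would succeed"
        )
    hits = focused_guess_hits(answer, profile)
    if hits:
        feedback.append(
            f"answer contains information an attacker can find about you: {sorted(hits)}"
        )
    bits = guess_entropy_bits(answer)
    if bits < min_bits:
        feedback.append(
            f"estimated {bits:.1f} bits of guessing work, below the {min_bits:.0f}-bit floor"
        )
    return (not feedback, feedback)


if __name__ == "__main__":
    # Constructed user profile for the demonstration.
    user = Profile(name="Ada Lovelace", city="London", pet="Fluffy",
                   public_posts=["Just moved to London!"])
    for candidate in ["blue", "Fluffy", "cerulean with a dash of rust"]:
        accepted, notes = evaluate(candidate, user)
        print(candidate, "->", "accepted" if accepted else "rejected", notes)
```

The two checks map directly onto the attack classes in the abstract: the rank test models a blind-guess attacker working from population statistics, and the token-overlap test models a focused-guess attacker who has researched the target. In a real deployment the common-answer table would be built per question from the site's own (hashed and rate-limited) answer distribution, and the feedback strings would be shown to the user at enrolment time, before the answer is accepted.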

Keywords: security questions; user authentication; information security; access control; blind guess attacks; focused guess attacks; observation attacks; response evaluation; user feedback.

DOI: 10.1504/IJICS.2014.068100

International Journal of Information and Computer Security, 2014 Vol.6 No.4, pp.383 - 407

Available online: 13 Mar 2015
