Authors: Andrew Mangle; Sandip C. Patel
Addresses: Department of Computer and Information Sciences, Towson University, 7800 York Road, Towson, MD 21252, USA; Department of Information Science and Systems, Morgan State University, 1700 East Cold Spring Lane, Baltimore, MD 21251, USA
Abstract: Security questions are a human-authentication method that leverages private knowledge only the legitimate user should have, and they provide a reliable means of supplementary authentication. Security questions offer a low-cost alternative for password resets and add a layer of security beyond traditional username-and-password protection. In this survey paper, we review the current literature on security questions, examine the issues in their use and identify the areas that need further research. Our review indicates that the literature has acknowledged and discussed how security questions are susceptible to three main types of attack: blind guess, focused guess and observation. We found gaps in the literature in the areas of using automated systems to evaluate responses in real time and of providing feedback to users so they can choose more secure answers. Finally, we outline potential directions for future research on using security questions more effectively.
Keywords: security questions; user authentication; information security; access control; blind guess attacks; focused guess attacks; observation attacks; response evaluation; user feedback.
International Journal of Information and Computer Security, 2014 Vol.6 No.4, pp.383 - 407
Received: 16 Apr 2014
Accepted: 13 Aug 2014
Published online: 13 Mar 2015
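The abstract names two of the three attack classes that an enrolment-time evaluator could score directly: a blind guess (the attacker tries the most common answers for the question, knowing nothing about the user) and a focused guess (the attacker tries facts scraped from the user's public profile). The following Python is an added illustration of the "real-time evaluation of responses and feedback to users" gap the abstract identifies; it is not code from the paper or its authors. The answer-frequency table, the lockout budget of three attempts, the profile fields and the length threshold are all constructed assumptions. Observation attacks are not scored, since they depend on the channel the answer is entered over rather than on the answer itself.

```python
"""Added example: scoring a security-question answer against blind-guess and
focused-guess attacks at enrolment time.  All data below is constructed."""

# Assumed population frequencies for a "favourite colour" question (constructed,
# not measured).  A blind guesser tries these in descending order.
COMMON_ANSWERS = {"blue": 0.30, "red": 0.15, "green": 0.12, "black": 0.08, "purple": 0.06}

# Assumed attacker budget: the site locks the reset flow after this many misses.
LOCKOUT_ATTEMPTS = 3


def normalize(answer: str) -> str:
    """Collapse case and whitespace so 'Blue ' and 'blue' are scored the same."""
    return " ".join(answer.strip().lower().split())


def blind_guess_rank(answer: str, common=COMMON_ANSWERS):
    """Guess number at which an attacker with no knowledge of the user hits the
    answer when trying common answers by descending frequency; None if the
    answer is outside the common list."""
    ordered = sorted(common, key=common.get, reverse=True)
    norm = normalize(answer)
    return ordered.index(norm) + 1 if norm in ordered else None


def focused_guess_match(answer: str, profile: dict):
    """Name of the first public-profile field the answer equals or contains
    (a focused guesser already knows these); None if nothing matches."""
    norm = normalize(answer)
    for field, value in profile.items():
        v = normalize(str(value))
        if norm == v or (len(v) >= 3 and v in norm):
            return field
    return None


def evaluate_answer(answer: str, profile: dict, attempts: int = LOCKOUT_ATTEMPTS):
    """Return a score dict plus user-facing feedback, as a real-time evaluator
    could do before accepting the answer.  'accepted' is False whenever any
    check produced feedback."""
    rank = blind_guess_rank(answer)
    field = focused_guess_match(answer, profile)
    feedback = []
    if rank is not None and rank <= attempts:
        feedback.append(f"Too common: it is guess #{rank} for someone who knows nothing about you.")
    if field is not None:
        feedback.append(f"Derivable from your public '{field}'; a targeted attacker would try it.")
    if len(normalize(answer)) < 4:  # assumed minimum length
        feedback.append("Very short answers are easy to guess and easy to observe.")
    return {
        "blind_rank": rank,
        "focused_field": field,
        "accepted": not feedback,
        "feedback": feedback,
    }


# Constructed enrolment profile: facts an attacker could scrape from a public page.
SAMPLE_PROFILE = {"city": "Towson", "pet": "Rex", "birth_year": 1990}

if __name__ == "__main__":
    for candidate in ("Blue", "Rex", "chartreuse"):
        print(candidate, evaluate_answer(candidate, SAMPLE_PROFILE))
```

The blind-guess check compares the answer's rank against the lockout budget rather than against the whole list, because an answer that is common but ranked below the number of allowed attempts is not reachable by that attacker; the focused-guess check is deliberately a substring match so that "Rex the dog" is caught as well as "Rex".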