Asking smarter security questions


RUTGERS (US)—The trouble with most online security questions is that they’re not very secure, according to Danfeng Yao.

Yao, assistant professor of computer science at Rutgers, thinks the answer is to ask more dynamic questions.

“We call them activity-based personal questions,” says Yao. “Sites could ask you, ‘When was the last time you sent an e-mail?’ Or, ‘What did you do yesterday at noon?’”

Yao and her students have been testing how resistant these activity questions are to “attack,” computer security lingo for an intruder answering a question correctly and thereby gaining access to an account, and with it to personal information such as e-mail or the ability to shop or bank online as the victim.

Early studies suggest that questions about recent activities are easy for legitimate users to answer but harder for potential intruders to find or guess, Yao explains.

“We want the question to be dynamic. The questions you get today will be different from the ones you would get tomorrow.”

Yao says she gave four students in her lab a list of questions about network activities, physical activities, and opinions, and then told them to “attack” each other by trying to answer one another’s questions.

“We found that questions related to time are more robust than others. Many guessed the answer to the question, ‘Who was the last person you sent e-mail to?’ But fewer were able to guess, ‘What time did you send your last e-mail?’”

Yao explains that it should not be difficult for an online service provider to formulate these kinds of security questions by looking at its users’ e-mail, calendar activities, or previous transactions.

The system would need natural language processing tools to turn those records into readable questions and to judge whether a user’s free-text answer matches the expected one.
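The following is an added example, not code from Yao’s study or from Rutgers, showing the shape such a system takes: a challenge set is derived from a user’s recent activity, a question is picked fresh on each login, a time answer is accepted within a tolerance window (since people remember “about a quarter to five,” not the exact minute), and a rough guess-space count shows why the study found time questions harder to attack than “last recipient” questions. The event log, the 15-minute tolerance, the two question types, and the uniform-guessing attacker model are all assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example in the spirit of the activity-based questions described
# above. Not the study's code; log entries below are constructed.


@dataclass(frozen=True)
class Event:
    kind: str        # "email_sent", "purchase", ...
    when: datetime
    detail: str      # recipient address, merchant name, ...


# Constructed sample activity log for one user (not real data). A provider
# would read this from its own mail, calendar or order records.
SAMPLE_LOG = [
    Event("email_sent", datetime(2011, 10, 17, 9, 12), "alice@example.org"),
    Event("email_sent", datetime(2011, 10, 17, 11, 40), "bob@example.org"),
    Event("purchase", datetime(2011, 10, 17, 12, 30), "Example Books"),
    Event("email_sent", datetime(2011, 10, 18, 8, 5), "alice@example.org"),
    Event("email_sent", datetime(2011, 10, 18, 16, 47), "carol@example.org"),
]

TOLERANCE_MINUTES = 15                       # assumption: users recall roughly
TIME_TOLERANCE = timedelta(minutes=TOLERANCE_MINUTES)
MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class Question:
    prompt: str
    answer: str       # canonical expected answer
    kind: str         # "time" or "entity"
    guess_space: int  # plausible answers for a single uniform guess (model)


def last_event(log, kind):
    events = [e for e in log if e.kind == kind]
    return max(events, key=lambda e: e.when) if events else None


def build_questions(log):
    """Derive today's challenge set from the log.

    The log changes daily, so tomorrow's questions differ from today's:
    the dynamic property the article describes."""
    questions = []
    last_mail = last_event(log, "email_sent")
    if last_mail:
        recipients = {e.detail for e in log if e.kind == "email_sent"}
        # Entity question: an attacker who knows the user's contacts faces
        # only as many candidates as there are distinct recipients.
        questions.append(Question(
            "Who was the last person you sent e-mail to?",
            last_mail.detail, "entity", len(recipients)))
        # Time question: a guess succeeds only if it lands in a window of
        # width 2 * tolerance, so the day splits into many candidate slots.
        questions.append(Question(
            "What time (HH:MM) did you send your last e-mail?",
            last_mail.when.strftime("%H:%M"), "time",
            MINUTES_PER_DAY // (2 * TOLERANCE_MINUTES)))
    return questions


def check_answer(question, given):
    """Return True if `given` should be accepted for `question`."""
    if question.kind == "entity":
        return given.strip().lower() == question.answer.lower()
    try:
        expected = datetime.strptime(question.answer, "%H:%M")
        actual = datetime.strptime(given.strip(), "%H:%M")
    except ValueError:
        return False  # a malformed answer is simply wrong
    diff = abs(actual - expected)
    diff = min(diff, timedelta(days=1) - diff)  # 23:55 vs 00:05 is 10 min
    return diff <= TIME_TOLERANCE


def pick_challenge(questions):
    """Choose the question with a CSPRNG so the choice is unpredictable."""
    return questions[secrets.randbelow(len(questions))]


def single_guess_success(question):
    """Probability that a uniformly guessing attacker passes in one try.

    Optimistic: an acquaintance who knows the user's habits beats uniform
    guessing, which is why the study measured attacks empirically."""
    return 1.0 / question.guess_space
```

With the constructed log, the recipient question has three plausible answers while the time question has 48 half-hour slots, so a blind guess succeeds one time in three versus one in 48. The answer check treats malformed input as a plain failure rather than an error, so the login path leaks nothing about the expected format beyond what the prompt already states.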

The study’s preliminary results were presented at a workshop at the Association for Computing Machinery Conference on Computer and Communications Security in Chicago.

Yao is proposing further studies to determine the practicality of the new approach and the best way to implement it.

The work was funded in part by grants from the National Science Foundation.

Rutgers news: http://news.rutgers.edu/medrel/


You are free to share this article under the Creative Commons Attribution-NoDerivs 3.0 Unported license.

2 Comments

  1. Mortgage News

    Internet security is so important now due to all the things we use our pcs for nowadays. I find myself not having to worry about stamps anymore because I pay everything online now.

  2. Josh

    Security questions ultimately come down to the same cryptic trivia that passwords revolve around – you need a shared piece of information that both the host and client know that is difficult for third parties to decipher. Generally security questions are weaker than actual passwords however, so are coupled with other behavior to provide comparable security (i.e. they don’t grant access or show the password, but rather send out a temporary new password to the known email address of the user). In terms of casual authentication on the web (things like ecommerce sites and such where the worst risk you have is your credit card number being misappropriated – a risk that credit card issuers generally transfer to themselves) I think it would be much more productive to look for stronger forms of complementary behavior for the security questions (something better than sending to an email address) rather than stronger security questions themselves. For sites where the risk is greater to either the client or host a stronger form of authentication is appropriate – something surpassing username and password, and certainly surpassing security questions.

    In terms of specific benefits of this line of research I really wonder about the utility. Both the client and host need to be aware of the client’s behavior, which could raise privacy concerns in certain scenarios. Additionally, the host needs to be able to monitor the behavior, which means that either it is a behavior the host offers as a service, or it is a behavior the host would normally not be able to monitor but is granted visibility into (which pretty much violates principles of both least privilege and default deny). In the case of behaviors the host already has access to, it would need to be recent enough behavior that the client can recall the information as well – which would imply that they have accessed the service recently enough that they probably haven’t forgotten their initial credentials. Scenarios where people forget their credentials are typically scenarios where they use the service the host provides infrequently – in this scenario, would they remember the activity the host is using to base the questions on?
