Love and Authentication
Markus Jakobsson
Palo Alto Research Center
Palo Alto, CA 94304
markus.jakobsson@gmail.com
Erik Stolterman
Indiana University
Bloomington, IN 47408
estolter@indiana.edu
Susanne Wetzel, Liu Yang
Stevens Institute of Tech.
Hoboken, NJ 07030
{swetzel,lyang}@cs.stevens.edu
ABSTRACT
Passwords are ubiquitous, and users and service providers alike rely on them for their security. However, good passwords may sometimes be hard to remember. For years, security practitioners have battled with the dilemma of how to authenticate people who have forgotten their passwords. Existing approaches suffer from high false positive and false negative rates, where the former is often due to low entropy or public availability of information, whereas the latter is often due to unclear or changing answers, or ambiguous or fault-prone entry of the same. Good security questions should be based on long-lived personal preferences and knowledge, and avoid publicly available information. We show that many of the questions used by online matchmaking services are suitable as security questions. We first describe a new user interface approach suitable to such security questions that offers a reduced risk of incorrect entry. We then detail the findings of experiments aimed at quantifying the security of our proposed method.
ACM Classification Keywords
H.5 Information Interfaces and Presentation; K.6.5 Security
and Protection - Authentication
Author Keywords
Security question, entry error, password, reset, security
INTRODUCTION
One of the more frequent interactions that people have with computers and services starts with an authentication process. While this can be handled in many ways, the most common one is through the use of passwords. It is a widely believed fact that users are not good at keeping and remembering passwords. It is also clear that this fact in many cases leads users to use simple or bad passwords, or keep the same password for all situations and services. The harder people try to avoid the vulne