Codes v. People: A Comparative Usability Study of Two Password Recovery Mechanisms
Faculty of Informatics, Masaryk University, Brno, Czech Republic; School of Mathematical and Computer Sciences, Heriot-Watt University, Edinburgh, UK
Abstract. Password recovery is a critical, and often overlooked, requirement of account management. Currently popular solutions, such as security questions and out-of-band communications, have recognized security and usability issues. In this paper we evaluate two alternate recovery solutions considered by our industrial partner, using backup codes and trusted people, in order to determine their suitability as a viable password recovery solution. In this paper we focus on the usability evaluation of these two representative recovery methods, and not on the specifics of their design – while our evaluation results do indirectly point to general design enhancements. Our study determined that participants felt that backup codes (implemented as a QR-code in our solution) offer levels of usability and security that are acceptable to users for securing their “ordinary” accounts. For accounts perceived to require more security (e.g., online banking) more security was preferred by participants, resulting in a preference for trusted party recovery compared to backup codes. Our results also suggest that further research and deployment considerations should be given to options for other methods of password recovery, such as backup codes and trusted parties (Full details and paper supplementary materials can be found at http://crcs.cz/papers/wistp2016.).
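As an added example (not code from the paper or from the industrial partner's system it evaluates), the following Python sketch shows the server side of the backup-code mechanism the abstract describes: codes are generated once for display to the user (for instance rendered as a QR code), only salted hashes are stored, and each code is accepted a single time. The code alphabet, code length, PBKDF2 parameters and the `BackupCodeStore` class are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed code format: 10 characters from an alphabet without 0/O/1/I,
# so that a code transcribed from paper or a QR image is easy to retype.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LEN = 10
# Assumption: a modest PBKDF2 work factor; recovery is a low-volume path.
PBKDF2_ROUNDS = 20_000


def generate_codes(n: int = 8) -> list[str]:
    """Return n random single-use backup codes, shown to the user once."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
            for _ in range(n)]


def _hash_code(code: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked store does not reveal the codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side record per code: [salt, digest, used]; never the code itself."""

    def __init__(self, codes: list[str]):
        self._records = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._records.append([salt, _hash_code(code, salt), False])

    def remaining(self) -> int:
        """How many unused codes are left (useful for warning the user)."""
        return sum(1 for rec in self._records if not rec[2])

    def redeem(self, candidate: str) -> bool:
        """Accept a code once; a second use of the same code is rejected."""
        candidate = candidate.strip().upper().replace("-", "")
        for rec in self._records:
            salt, digest, used = rec
            if used:
                continue
            # Constant-time comparison of the derived digests.
            if hmac.compare_digest(_hash_code(candidate, salt), digest):
                rec[2] = True
                return True
        return False
```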
1 Introduction
Nearly every website that enables users to create an account also provides a process to recover the account, in case of a forgotten password, for example. This process is referred to by many names, such as account recovery, password recovery, password reset, secondary authentication and last-resort authentication [8,16,22]. The recovery process should be usable, and as secure as access to the account via the primary authentication. Researchers have shown that passwords, as a primary form of authentication, are indeed forgotten or lost, so that some form of recovery is required [12,19]. However, current recovery solutions, such as the answers to challenge questions, have been shown not to be reliable and secure enough [7]. Moreover, there are several examples of attackers gaining access to an account due to weak password recovery [10,15,23]. There are several ways in which password or account recovery can be performed, including the use of challenge questions, out-of-band communications (using email or SMS), calling a help-desk operator, using password hints or backup codes, or using a trusted person. Research in 2010 indicated that out-of-band communications and challenge quest

© IFIP International Federation for Information Processing 2016. Published by Springer International Publishing Switzerland 2016. All Rights Reserved. S. Foresti and J. Lopez (Eds.): WISTP 2016, LNCS 9895, pp. 35–50, 2016. DOI: 10.1007/978-3-319-45931-8_3
V. Stavova et al.