Q-A: Towards the Solution of Usability-Security Tension in User Authentication

Users often choose passwords that are easy to remember but also easy to guess by attackers. Recent studies have revealed the vulnerability of textual passwords to shoulder surfing and keystroke loggers. It remains a critical challenge in password research to develop an authentication scheme that addresses these security issues, in addition to offering good memorability. Motivated by psychology research on humans' cognitive strengths and weaknesses, we explore the potential of cognitive questions as a way to address the major challenges in user authentication. We design, implement, and evaluate Q-A, a novel cognitive-question-based password system that requires a user to enter the letter at a given position in her answer for each of six personal questions (e.g. "What is the name of your favorite childhood teacher?"). In this scheme, the user does not need to memorize new, artificial information as her authentication secret. Our scheme offers 28 bits of theoretical password space, which has been found sufficient to prevent online brute-force attacks. Q-A is also robust against shoulder surfing and keystroke loggers. We conducted a multi-session in-lab user study to evaluate the usability of Q-A; 100% of users were able to remember their Q-A password over the span of one week, although login times were high. We compared our scheme with random six character passwords and found that login success rate in Q-A was significantly higher. Based on our results, we suggest that Q-A would be most appropriate in contexts that demand high security and where logins occur infrequently (e.g., online bank accounts).