Abstract
Fallback authentication restores access when a user cannot log in or has forgotten the password. Security questions are one common fallback mechanism. However, they are less robust than commonly assumed and can enable unauthorized access. Alongside security, usability is a growing concern for their effective use. It is therefore important both to expose the weaknesses of security questions and to establish a new approach that improves their usability. We conduct an online user survey to collect user opinions on the usability of text-based security questions. We then conduct an on-campus study over six weeks to examine specifically the memorability of security questions. Several attacks against security questions are known, including man-in-the-middle (MITM) attacks, brute-force attacks, and keystroke logging. We implement a password-reset MITM simulation that takes over user accounts either by answering their security questions or by capturing the one-time passwords (OTPs) sent to the victims' phones or email addresses. We also propose an alternative knowledge-based security-question mechanism based on recognition rather than recall, and we adopt a hybrid approach to make its validation more robust. Finally, we suggest how security-question guidelines can be adapted to improve their usability.
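The password-reset MITM simulation described above can be modelled as a relay: the attacker's site starts a reset on the legitimate service in the victim's name and forwards the service's challenge (a security question or an OTP prompt) to the victim as if it were part of the attacker's own sign-up form, then relays the victim's answer back. The following is an added illustration written for this page, not the paper's own simulation code. The service names (`ExampleMail`, `FreeCoupons`), the account data, the question text and the SMS wording are constructed assumptions; everything runs in memory with no network I/O. It goes slightly beyond the abstract by also modelling a cautious user who refuses to hand over an OTP whose message names a different site and purpose, which is the usual mitigation for the OTP path; note that the security-question path still succeeds against that user.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample data for the simulation (assumed, not from the paper).
QUESTION = "What was the name of your first pet?"
NEW_PASSWORD = "attacker-chosen"


@dataclass
class Account:
    email: str
    phone: str
    password: str
    answer: str  # stored security-question answer


class TargetService:
    """Simulated legitimate site offering reset by security question or by OTP."""

    NAME = "ExampleMail"

    def __init__(self):
        self.accounts = {}
        self.sms = {}      # phone -> last message "delivered" to that handset
        self.pending = {}  # reset token -> (email, method, expected answer)

    def register(self, acct):
        self.accounts[acct.email] = acct

    def start_reset(self, email, method):
        acct = self.accounts[email]
        token = secrets.token_hex(8)
        if method == "question":
            self.pending[token] = (email, method, acct.answer)
            return token, QUESTION
        otp = f"{secrets.randbelow(10**6):06d}"
        # An informative message names both the site and the purpose of the code.
        self.sms[acct.phone] = (
            f"Your {self.NAME} PASSWORD RESET code is {otp}. Do not share it."
        )
        self.pending[token] = (email, method, otp)
        return token, "Enter the code we just sent to your phone"

    def finish_reset(self, token, answer, new_password):
        email, method, expected = self.pending.pop(token)
        # Answers are compared case-insensitively, as most sites do for questions.
        ok = answer.strip().lower() == expected.lower()
        if ok:
            self.accounts[email].password = new_password
        return ok


class Victim:
    """User who believes they are filling in the attacker's sign-up form."""

    def __init__(self, acct, sms, cautious=False):
        self.acct, self.sms, self.cautious = acct, sms, cautious

    def respond(self, site_name, prompt):
        if prompt == QUESTION:
            return self.acct.answer  # recall-based answer, handed over freely
        msg = self.sms.get(self.acct.phone, "")
        # A cautious user notices the SMS is not from the site they are on.
        if self.cautious and site_name not in msg:
            return None
        m = re.search(r"\b(\d{6})\b", msg)
        return m.group(1) if m else None


class AttackerSite:
    """Malicious site that relays the real service's reset challenge."""

    NAME = "FreeCoupons"

    def __init__(self, target):
        self.target = target

    def hijack(self, victim, method):
        # 1. Start a reset on the real service in the victim's name.
        token, challenge = self.target.start_reset(victim.acct.email, method)
        # 2. Present the challenge to the victim as part of our own form.
        answer = victim.respond(self.NAME, challenge)
        if answer is None:
            return False
        # 3. Relay the answer and set a password of our choosing.
        return self.target.finish_reset(token, answer, NEW_PASSWORD)


def run_simulation(cautious=False):
    """Return {method: takeover succeeded} for both reset paths."""
    results = {}
    for method in ("question", "otp"):
        target = TargetService()
        acct = Account("alice@example.com", "+15550100", "original-pw", "Rex")
        target.register(acct)
        victim = Victim(acct, target.sms, cautious)
        took_over = AttackerSite(target).hijack(victim, method)
        results[method] = took_over and acct.password == NEW_PASSWORD
    return results


if __name__ == "__main__":
    print("naive user:   ", run_simulation())
    print("cautious user:", run_simulation(cautious=True))
```

Against the naive user both paths succeed; against the cautious user only the OTP path fails, because the security-question answer is static knowledge that the user gives to any site that asks, which is the weakness the abstract targets.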