Quantifying the Security of Preference-based Authentication

Abstract

We describe a technique aimed at addressing a long standing problem for password reset: security and cost. In our approach, users are authenticated using their preferences. Experiments and simulations have shown that the proposed approach is secure, fast and easy to use. In particular, the average time for a user to complete the setup is approximately two minutes, and the authentication process takes only half that time. The false negative rate of the system is essentially 0% for our selected parameter choice. For an adversary who knows the frequency distributions of answers to the questions used, the false positive rate of the system is estimated at less than half a percent, while the false positive rate is close to 0% for an adversary without this information. Both of these estimates have a significance level of 5%.