Project journal
Metrics 15 Feb 2011
The important metrics for a KBA system are as follows (Chokhani, 2004):
Guessability of factoid
Guessability of KBA
Cost of implementing the system
Interoperability of the system
Cost of researching the facts
Privacy of privacy
Protection from identity theft
Commercial products
Acceptance by users
Ease of use of the system
Ease of administering the system
Reference
Chokhani, S. (2004). Knowledge based authentication metrics. Retrieved on 22 Feb, 2011 from
http://csrc.nist.gov/archive/kba/Presentations/Day%202/Chokhani-KBA%20Metrics.pdf
22 Feb 2011
Dynamic questions based on the application Facebook.
1) How many friend requests were pending for your approval when you last logged into Facebook? (Answer in numbers.)
Ans) Acceptable answers: 1. Number only
2) Who was the person you sent a friend request to when you last logged in?
Ans) Acceptable answers: 1. First name only 2. None
3) Name the person whose friend request you declined when you last logged in.
Ans) Acceptable answers: 1. First name only 2. None
4) How many friend suggestions were present on your account when you last logged in?
Ans) Acceptable answers: 1. Number 2. None
5) Which was the latest group invitation received by you when you last logged in?
Ans) Acceptable answer: 1. Only first word of the group
6) What were your privacy settings with respect to the visibility of your photos when you last logged in?
Ans) Acceptable answers: 1. Everyone 2. Friends 3. Friends of friends
7) Name the person you blocked when you last logged into Facebook.
Ans) Acceptable answers: 1. First name 2. None
8) Name the person who poked you when you last logged in to Facebook.
Ans) Acceptable answers: 1. First name 2. None
9) Which is the most recent application you have authorized to interact with your Facebook account?
Ans) Acceptable answers: 1. First word of application 2. None
10) Who was the person whose message was the most recently read when you last logged in on Facebook?
Ans) Acceptable answer: 1. First name
11) Who was the person shown in your sent messages as the most recent recipient when you last logged in?
Ans) Acceptable answer: 1. First name
12) Name the person with whom you had a Facebook chat just before logging out recently on Facebook.
Ans) Acceptable answers: 1. First name 2. None
A good question should be widely acceptable to the user population, so that all can answer it (Jakobsson, Myers, 2007, p.292). Of the 40 finalized students who will take part in the experiment, 20 were surveyed by phone as well as face to face, and not even one had the (none) option as an answer to even half of the proposed questions above. The prototype will authenticate a person if he/she has three continuous none options as an answer. None of the answers to these questions can be found by any search method available on the internet, nor can a person who is friends with the person getting authenticated deduce these answers from Facebook.
Reference
Jakobsson, M., Myers, S. (2007). New Jersey: John Wiley and Sons. ISBN 100471782459
The prototype.
Facebook is the application and the prototype has been designed based on the above dynamic questions.
The login page prompts the user to enter his/her email id, which is already stored in the database. Once the user has entered the email id, he/she is asked interactive questions based on his/her own application data, which has been stored in the database by observing the user's application (Facebook) for a number of days.
Once the user enters the email id, a random question from the above 12 questions is asked. The PHP code for this is stored in the login.php file and is as follows:
5 March 2011
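<?php
session_start();
require_once ('dblogin.php');   // opens the MySQL connection (legacy mysql_* API, removed in PHP 7)

$email = isset($_POST['email']) ? $_POST['email'] : '';
$login_attempt = isset($_REQUEST['login_attempt']) ? (int) $_REQUEST['login_attempt'] : 0;
$uid = null;

if($email){
    // Escape the user-supplied email before it is placed in the query (prevents SQL injection)
    $safeEmail = mysql_real_escape_string($email);
    $getUIDforEmail = "select UID from user where Email = '$safeEmail'";
    $result = mysql_query($getUIDforEmail);
    $row = $result ? mysql_fetch_array($result) : false;
    if($row){
        // Known user: remember the UID for success.php
        $uid = (int) $row['UID'];
        $_SESSION['uid'] = $uid;
    }
}elseif(isset($_SESSION['uid'])){
    // Returning for another question: reuse the UID stored in the session
    $uid = $_SESSION['uid'];
}

if($uid){
    // Pick one of the 12 questions at random
    $randQID = rand(1,12);
    $getQuestionForQID = "select Question from question where QID = $randQID";
    $result = mysql_query($getQuestionForQID);
    $row = mysql_fetch_array($result);
    $question = $row['Question'];
}else{
    $response = "You are not a member yet. Please Sign up login";
    echo $response;
}
?>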
The SQL table is made with the help of phpMyAdmin. UID (User ID) and QID (Question ID) are the columns used to identify the user and the questions. Once a user enters a correct answer for a question asked, he/she is authenticated. If the user fails to answer the first question, then he/she is presented with a second interactive question. If he/she answers the second question correctly, then successful authentication is achieved. If the user fails to answer in the second attempt, then he/she fails to authenticate. The code is in the success.php file and is as follows:
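<?php
require_once ('dblogin.php');
session_start();

// UID comes from the session set in login.php; QID and the attempt counter come from the request
$uid = isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : 0;
$answer = isset($_POST['answer']) ? $_POST['answer'] : '';
$QID = isset($_REQUEST['qid']) ? (int) $_REQUEST['qid'] : 0;   // cast to int before use in SQL
$login_attempt = isset($_REQUEST['login_attempt']) ? (int) $_REQUEST['login_attempt'] : 0;
// Debug output disabled: echoing here exposed the values and stopped header() from redirecting
// echo $answer.$QID.$uid;

if($answer !== ''){   // compare against '' so that an answer of "0" is not treated as empty
    $getAnswerForQIDandUID = "select answer from answer where QID = $QID and UID = $uid";
    $result = mysql_query($getAnswerForQIDandUID);
    $row = mysql_fetch_array($result);
    $resultAnswer = $row ? $row['answer'] : null;
    if($answer == $resultAnswer){
        $response = "Login Successful";
    }elseif(mysql_num_rows($result) && $login_attempt == 1){
        // Wrong answer on this attempt: send the user back to login.php for another question
        header("Location: login.php?login_attempt=1");
        exit;
    }elseif(mysql_num_rows($result) && $login_attempt == 2){
        $response = "Authentication unsuccessful. Please try again";
    }elseif($resultAnswer == 'none' && $login_attempt == 1){
        // The two 'none' branches are never reached when a row was found:
        // the mysql_num_rows() branches above match first for attempts 1 and 2
        header("Location: login.php?login_attempt=1");
        exit;
    }elseif($resultAnswer == 'none' && $login_attempt == 2){
        $response = "Login Successful";
    }
}else{
    $response = "Authentication unsuccessful. Please try again";
}
?>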
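A hardened form of the two-step flow above, as an added example that is not the project's own code: it keeps the chosen question ID and the attempt counter in the session instead of reading qid and login_attempt from the request, and it uses PDO prepared statements. The in-memory SQLite database, the sample rows, the function names and the case-insensitive comparison are assumptions made for the demo; table and column names follow the page's queries.

```php
<?php
declare(strict_types=1);

const MAX_ATTEMPTS = 2; // the page allows one further question after a wrong answer

// Constructed demo data in an in-memory SQLite database. Table and column
// names follow the page's queries; the rows themselves are made up.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (UID INTEGER PRIMARY KEY, Email TEXT UNIQUE)');
    $db->exec('CREATE TABLE question (QID INTEGER PRIMARY KEY, Question TEXT)');
    $db->exec('CREATE TABLE answer (QID INTEGER, UID INTEGER, answer TEXT)');
    $db->exec("INSERT INTO user VALUES (1, 'alice@example.test')");
    $db->exec("INSERT INTO question VALUES
        (1, 'Who sent you a message most recently?'),
        (2, 'Whose profile did you visit most recently?'),
        (3, 'Which event were you invited to most recently?')");
    $db->exec("INSERT INTO answer VALUES (1, 1, 'Bob'), (2, 1, 'Carol'), (3, 1, 'Picnic')");
    return $db;
}

// Pick a random question the user has a stored answer for and has not yet been
// asked in this login. The chosen QID is kept server-side in the session.
function next_question(PDO $db, array &$session): ?string
{
    $stmt = $db->prepare(
        'SELECT q.QID, q.Question FROM question q
           JOIN answer a ON a.QID = q.QID WHERE a.UID = ?'
    );
    $stmt->execute([$session['uid']]);
    $asked = $session['asked'];
    $open = array_values(array_filter(
        $stmt->fetchAll(PDO::FETCH_ASSOC),
        fn(array $r): bool => !in_array((int) $r['QID'], $asked, true)
    ));
    if ($open === []) {
        return null;
    }
    $pick = $open[random_int(0, count($open) - 1)];
    $session['qid'] = (int) $pick['QID'];
    $session['asked'][] = (int) $pick['QID'];
    return $pick['Question'];
}

// Step 1 (login.php): look the email up with a bound parameter and start a challenge.
function start_challenge(PDO $db, array &$session, string $email): ?string
{
    $stmt = $db->prepare('SELECT UID FROM user WHERE Email = ?');
    $stmt->execute([$email]);
    $uid = $stmt->fetchColumn();
    if ($uid === false) {
        return null; // unknown email: no session state is created
    }
    $session = ['uid' => (int) $uid, 'attempts' => 0, 'asked' => []];
    return next_question($db, $session);
}

// Step 2 (success.php): returns 'success', 'retry' or 'fail'. Only the answer
// text comes from the client; QID and attempt count are read from the session.
function check_answer(PDO $db, array &$session, string $answer): string
{
    if (!isset($session['uid'], $session['qid'])) {
        return 'fail'; // no question outstanding
    }
    $stmt = $db->prepare('SELECT answer FROM answer WHERE QID = ? AND UID = ?');
    $stmt->execute([$session['qid'], $session['uid']]);
    $stored = $stmt->fetchColumn();
    unset($session['qid']);   // each question can be answered once
    $session['attempts']++;

    // Assumption: answers are compared case-insensitively after trimming.
    $given = strtolower(trim($answer));
    if ($stored !== false && hash_equals(strtolower((string) $stored), $given)) {
        $session = ['authenticated_uid' => $session['uid']];
        return 'success';
    }
    if ($session['attempts'] < MAX_ATTEMPTS) {
        return 'retry';
    }
    $session = []; // out of attempts: drop the challenge state
    return 'fail';
}

// Demo run: $session stands in for $_SESSION so the script runs from the CLI.
$db = make_demo_db();
$session = [];
$answers = [1 => 'Bob', 2 => 'Carol', 3 => 'Picnic']; // constructed, mirrors the rows above

echo start_challenge($db, $session, 'alice@example.test'), "\n";
echo check_answer($db, $session, 'wrong guess'), "\n";
echo next_question($db, $session), "\n";
echo check_answer($db, $session, ' ' . strtoupper($answers[$session['qid']]) . ' '), "\n";
echo check_answer($db, $session, 'Bob'), "\n";
```

The script needs the PHP CLI with the pdo_sqlite extension; the last call shows that an answer submitted with no question outstanding is rejected.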
22 March 2011
Reconsidering the questions for the prototype and collecting more information from users
As the questions proposed earlier for the prototype were not considered suitable, more data was collected from the 30 users using the Google applications. The questions asked to the users are as follows:
1) What is your name?
2) Do you use Facebook?
1. yes 2. no
3) How often do you send personal messages on Facebook?
1. daily 2. weekly 3. monthly 4. never
4) How often do you receive personal messages on Facebook?
1. daily 2. weekly 3. monthly 4. never
5) How often do you chat with friends on Facebook?
1. daily 2. weekly 3. monthly 4. never
6) How often do you visit profiles on Facebook?
1. daily 2. weekly 3. monthly 4. never
7) How often do you poke a friend on Facebook?
1. daily 2. weekly 3. monthly 4. never
8) How often do you get poked by a friend on Facebook?
1. daily 2. weekly 3. monthly 4. never
9) How often do you view photo albums of friends or others on Facebook?
1. daily 2. weekly 3. monthly 4. never
10) How often do you view videos posted by others on Facebook?
1. daily 2. weekly 3. monthly 4. never
11) How often does the number of your friend requests pending for your approval change?
1. daily 2. weekly 3. monthly 4. never
12) How often do you block people on Facebook?
1. daily 2. weekly 3. monthly 4. never
13) How often do you get application requests on Facebook?
1. daily 2. weekly 3. monthly 4. never
14) How often do you get game requests on Facebook?
1. daily 2. weekly 3. monthly 4. never
15) How often do you get event invitations on Facebook?
1. daily 2. weekly 3. monthly 4. never
29 MARCH 2011
Results
The results obtained from 30 users are as follows:
1) Do you use Facebook?
A) All 30 users answered yes.
2) How often do you send personal messages on Facebook?
A) 16 answered weekly and 14 answered daily.
3) How often do you receive personal messages on Facebook?
A) 12 answered weekly and 18 daily.
4) How often do you chat with friends on Facebook?
A) 27 answered daily and 3 weekly.
5) How often do you visit profiles on Facebook?
A) Again 27 answered daily and 3 weekly.
6) How often do you poke a friend on Facebook?
A) 5 said weekly, 2 daily, 12 monthly and 11 never.
7) How often do you get poked by a friend on Facebook?
A) 6 weekly, 1 daily, 19 monthly and 4 never.
8) How often do you view photo albums of friends or others on Facebook?
A) 22 said daily and 8 weekly.
9) How often do you view videos posted by others on Facebook?
A) 19 said daily, 10 weekly and 1 said monthly.
10) How often does the number of your friend requests pending for your approval change?
A) 13 said weekly, 1 daily, 14 monthly and 2 said never.
11) How often do you block people on Facebook?
A) 4 said monthly and 26 said never.
12) How often do you get application requests on Facebook?
A) 19 said weekly, 3 monthly and 8 said daily.
13) How often do you get game requests on Facebook?
A) 13 said daily and 17 said weekly.
14) How often do you get event invitations on Facebook?
A) 16 said weekly and 14 said daily.
As discussed earlier the questions should be dynamic and answerable by all. Thus the final questions considered are those which are used either daily or weekly by users.
The questions now being considered for the prototype are as follows:
1) Who was the person to whom you sent a message most recently on Facebook?
2) Who was the person who sent you a message most recently when you last logged into Facebook?
3) Whose profile did you visit most recently on Facebook?
4) Whose photo album did you view most recently on Facebook?
5) Who was the person who sent you a game request most recently on Facebook?
6) Which was the event you were invited to most recently when you last logged into Facebook?
7) How many event invitations did you have when you last logged into Facebook?
Also, users should find the answers easy to recollect while answering the questions. So, again using Google applications, users are being asked questions about how well they remember the answers.
5 April 2011
Memorability
The questions being asked are as follows:
1) How often do you remember the person to whom you have sent a message most recently on Facebook?
1.most of the time 2.some of the time 3.hardly ever 4.very seldom
2) How often do you remember the name of the person who has sent you a message most recently on Facebook?
1.most of the time 2.some of the time 3.hardly ever 4.very seldom
3) How often do you remember the name of the person whose profile you visited most recently on Facebook?
1.most of the time 2.some of the time 3.hardly ever 4.very seldom
4) How often do you remember the name of the person whose photo album you viewed most recently on Facebook?
1.most of the time 2.some of the time 3.hardly ever 4.very seldom
5) How often do you remember the name of the person who has sent you a game request on Facebook?
1.most of the time 2.some of the time 3.hardly ever 4.very seldom
6) How often do you remember the name of the event you were invited to most recently on Facebook?
1.most of the time 2.some of the time 3.hardly ever 4.very seldom
7) How often do you remember the number of event invitations you had when you last logged onto Facebook?
1.most of the time 2.some of the time 3.hardly ever 4.very seldom
Based on the results of the answers it will be decided which questions need multiple options and which questions can be answered directly.
Applicability and Dynamicity
Research suggests that applicability is an important metric of an authentication system. According to studies, a good challenge question asked to the users for getting authenticated should be widely applicable to the whole user population (Jakobsson, Myers, 2007, p.291).
It is very important that the applicability criterion is followed, because not all questions can be answered by the user population (Just, 2010).
Also, questions which are static in nature have some serious security drawbacks (Griffith, Jakobsson, 2005).
Thus a survey of the same user population was conducted to find out which questions are applicable to the user population and which activities are done daily or weekly by the users, so that the questions are dynamic in nature.
1) What is your name?
2) Do you use Facebook?
1. yes 2. no
3) How often do you send personal messages on Facebook?
1. daily 2. weekly 3. monthly 4. never
4) How often do you receive personal messages on Facebook?
1. daily 2. weekly 3. monthly 4. never
5) How often do you chat with friends on Facebook?
1. daily 2. weekly 3. monthly 4. never
6) How often do you visit profiles on Facebook?
1. daily 2. weekly 3. monthly 4. never
7) How often do you poke a friend on Facebook?
1. daily 2. weekly 3. monthly 4. never
8) How often do you get poked by a friend on Facebook?
1. daily 2. weekly 3. monthly 4. never
9) How often do you view photo albums of friends or others on Facebook?
1. daily 2. weekly 3. monthly 4. never
10) How often do you view videos posted by others on Facebook?
1. daily 2. weekly 3. monthly 4. never
11) How often does the number of your friend requests pending for your approval change?
1. daily 2. weekly 3. monthly 4. never
12) How often do you block people on Facebook?
1. daily 2. weekly 3. monthly 4. never
13) How often do you get application requests on Facebook?
1. daily 2. weekly 3. monthly 4. never
14) How often do you get game requests on Facebook?
1. daily 2. weekly 3. monthly 4. never
15) How often do you get event invitations on Facebook?
1. daily 2. weekly 3. monthly 4. never
Recent studies were done on the amount of time students spend on Facebook. The results showed that 6.2 hours are spent per week and on average students log into the site 6.3 times per day (Wartman, Aleman, 2009, p.7).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and Youtube combined (Masteralexis, Barr, Hums, 2011, p.445).
Hypothesis: Research shows that users spend a lot of time on Facebook, so more than 50% of the questions will be applicable to the users, and users will say that they use it daily or weekly.
Statistical Analysis
Results and analysis
Labels used -
No 0
Yes 1
Daily 2
Weekly 3
Monthly 4
Never 5
1. Use of Facebook
Median=1 Average=1 Mode=1 Max=1 Min=1 Range=1
Thus results show that all the users use Facebook.
2. Send personal messages on Facebook
Median=3 Average=2.53 Mode=3 Max=3 Min=2 Range=1
Results show that all the users send personal messages, and the median, average and mode suggest that the activity is done daily or weekly and is thus very frequent in nature.
3. Messages received
Median=2 Average=2.4 Mode=2 Max=3 Min=2 Range=1
Results show that all the users receive personal messages, and the data points out that the maximum number of users do it on a weekly basis, and thus the dynamicity is obtained.
4. Chat on Facebook
Median=2 Average=2.16 Mode=2 Max=3 Min=2 Range=1
Results again show that all the 30 students under experiment use the chat application. The results also show that they do it on a daily or weekly basis.
5. Visit profiles on Facebook
Median=2 Average=2.1 Mode=2 Max=3 Min=2 Range=1
The survey shows that all the students visit profiles on Facebook, and the median and average values show that it is mostly done on a daily basis.
6. Poke a friend on Facebook
Median=4 Average=4.06 Mode=4 Max=5 Min=2 Range=3
The results of the survey show that not all of the students use the poke application on Facebook. The statistical values of median, average and mode also show that the application is used rarely by the students.
7. Get poked on Facebook
Median=4 Average=3.86 Mode=4 Max=5 Min=2 Range=3
The survey results point out that not all students get poked on Facebook. Also, the statistical values show that this application is related to the user very rarely.
8. View photo albums on Facebook
Median=2 Average=2.26 Mode=2 Max=3 Min=2 Range=1
All of the students who use Facebook visit photo albums, as pointed out in the survey. Also, the values of median, average and mode suggest that they do this activity frequently.
9. View videos on Facebook
Median=2 Average=2.4 Mode=2 Max=4 Min=2 Range=2
The survey results show that all of the users use this application on Facebook. But one out of the 30 users said that he/she does it monthly. But statistical data shows that students who view videos do it very frequently.
10. How often do friend requests pending for approval change
Median=3.5 Average=3.53 Mode=3 Max=5 Min=2 Range=3
Results of the survey indicate that not all students have pending friend requests. Also, the median and average values indicate that this activity is not frequent.
11. Block people on Facebook
Median=5 Average=4.86 Mode=5 Max=5 Min=4 Range=1
Results of this survey show that not all students use this application on Facebook. Statistical data also points out that this activity is very rare on Facebook.
12. Get application requests on Facebook
Median=3 Average=2.83 Mode=3 Max=4 Min=2 Range=2
Results from the survey indicate that not all students get application requests on Facebook. But results show that students who use this application use it very frequently.
13. Get game requests on Facebook
Median=3 Average=2.53 Mode=3 Max=3 Min=2 Range=1
Results suggest that all of the students get game requests on Facebook. Also, statistical data suggests that they get game requests frequently.
14. Get event invitations on Facebook
Median=3 Average=2.53 Mode=3 Max=3 Min=2 Range=1
Results show that all of the students get event invitations. The statistical values of median, average and mode suggest that students get event invitations very frequently on Facebook.
Thus there were some activities which all users did and did frequently. Also, some activities, like watching videos posted by others, were not done by all users but were done frequently by other users. But as the authentication system should have the properties of applicability as well as being dynamic in nature, only those questions which satisfy these criteria can be selected.
Thus the questions which satisfied the criteria are those about sending and receiving messages, viewing profiles, viewing photo albums, getting game requests and getting event invitations. Also, the hypothesis proved to be correct, as around 50% of the total questions asked were applicable as well as used frequently by all users.
Memorability
Memorability Survey:
This survey was conducted to have an idea of how much users can remember the answers which would then help in improving the usability of the system.
1) How often do you remember the person to whom you have sent a message most recently on Facebook?
1. Most of the time 2.some of the time 3.hardly ever 4.very seldom
2) How often do you remember the name of the person who has sent you a message most recently on facebook?
1. Most of the time 2.some of the time 3.hardly ever 4.very seldom
3) How often do you remember the name of the person whose profile you visited most recently on Facebook?
1. Most of the time 2.some of the time 3.hardly ever 4.very seldom
4) How often do you remember the name of the person whose photo album you viewed most recently on Facebook?
1. Most of the time 2.some of the time 3.hardly ever 4.very seldom
5) How often do you remember the name of the person who has sent you a game request on Facebook?
1. Most of the time 2.some of the time 3.hardly ever 4.very seldom
6) How often do you remember the name of the event you were invited to most recently on Facebook?
1. Most of the time 2.some of the time 3.hardly ever 4.very seldom
7) How often do you remember the number of event invitations you had when you last logged onto Facebook?
1. Most of the time 2.some of the time 3.hardly ever 4.very seldom
Based on the results of the answers it will be decided which questions need multiple options and which questions can be answered directly.
Research was conducted at the Open University in England in which students were tested on their ability to recall names and general concepts. The results pointed out that even after 10 long years, the students were able to remember 25% of the data (Reed, 2007, p.98).
Recent studies were done on the amount of time students spend on Facebook. The results showed that 6.2 hours are spent per week and on average students log into the site 6.3 times per day (Wartman, Aleman, 2009, p.7).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and Youtube combined (Masteralexis, Barr, Hums, 2011, p.445).
Hypothesis: As Facebook is used extensively by users and students have a good memory for names and general things, the majority of the users will say they remember the answers to the questions most of the time.
Results of the Survey:
Labels used for the survey
Hardly Ever 1
Very Seldom 2
Some of the time 3
Most of the time 4
Result
1). How often do you remember the person to whom you have sent a message most recently on Facebook?
Median=4 Average=3.73 Mode=4 Max=4 Min=3 Range=1
Results show that students remember the name of the person to whom they have sent a personal message most of the time.
2) How often do you remember the name of the person who has sent you a message most recently on facebook?
Median=3.5 Average=3.43 Mode=4 Max=4 Min=1 Range=3
Results of the survey indicate that students remember the name of the person who has sent them a personal message almost most of the time.
3) How often do you remember the name of the person whose profile you visited most recently on Facebook?
Median=3 Average=2.43 Mode=3 Max=4 Min=1 Range=3
Results indicate that students remember the name of the person whose profile they visited between some of the time and very seldom.
4) How often do you remember the name of the person whose photo album you viewed most recently on Facebook?
Median=3 Average=2.63 Mode=3 Max=4 Min=1 Range=3
Results indicate that students remember the name of the person whose photo album they viewed some of the time or very seldom.
5) How often do you remember the name of the person who has sent you a game request on Facebook?
Median=2 Average=1.86 Mode=1 Max=4 Min=1 Range=3
Results indicate that students remember the name of the person who sent them a game request hardly ever or on very seldom occasions.
6) How often do you remember the name of the event you were invited to most recently on Facebook?
Median=3 Average=2.76 Mode=3 Max=4 Min=1 Range=3
The survey suggests that students remember the name of the event invitation they received some of the time or very seldom.
7) How often do you remember the number of event invitations you had when you last logged onto Facebook?
Median=2.5 Average=2.2 Mode=3 Max=4 Min=1 Range=3
The survey indicates that the students remember the number of event invitations they have on Facebook very seldom.
Thus the overall results show that students only remember the name of the person they sent a message to or received a message from. Thus the hypothesis made at the beginning proved to be incorrect.
10 April 2011
Guessability from friends and family
Guessability Survey
Users were asked to guess the answers to questions related to my profile to see how much they could actually guess. All the users who guessed the answers were in my friends list and could see the daily activities done by me on Facebook.
Q1). Type in your full name.
Q2). Guess the name of the person who sent a recent message to Shouvik Basu on Facebook.
Q3). Guess the name of the person to whom Shouvik Basu sent a recent message on Facebook.
Q4). Guess from the options below the name of the person whose profile Shouvik Basu visited most recently on Facebook.
1.Swabhav Borde 2. Abhishek Gite 3. Dian Leo 4. Anna Bernecka 5. Julia Cox 6.Neha Gupta 7. Thomas James 8.Ramesh Rajshekharan 9. Abdullahi Suleiman 10. Ivneet Kaur
Q5). Guess from the options below the name of the person whose photo album Shouvik Basu recently viewed on Facebook.
1. Pankaj Ghavri 2.Kamal Bajwa 3. Jenny Salmon 4.Sarah Morgan 5. Mohammed Irfan
6. Tayo Ayodale 7. Pau Mei Mei 8. Rajeev Dutta 9. Jaimala Wankhede 10. Ratandeep Singh
Q6). Guess the name of the person who sent a game request to Shouvik Basu most recently on Facebook.
1. Vipin Bidhuri 2.Daljit Singh Oberoi 3. Sohan Karira 4. Neha Gupta 5. Rajeev Rawal 6. Ruhita Sardesai 7. Samikshit Shedge 8. Manmeet Singh Chawla 9. Poorvi Mehrotra 10. Ashish Gupta
Q7). Guess the event Shouvik Basu was invited to most recently on Facebook.
1. Trip to Scotland
2. Liquid and Envy Party
3. Mix and Match Café
4. Trip to Bath
5. Birthday invitation
6. Tiger Tiger Party
7. Black and Yellow@Agenda
8. Pune vs Mumbai
9. Barbeque at the park@Southsea
10. Trip to London
Q8.) Guess the number of event invitations Shouvik Basu has on Facebook.
1. 0-1
2. 2-3
3. 4-5
4. 6-7
5. 8-9
6. 10-11
7. 12-13
8. 14-15
9. 16-17
10. 18-19
The actual answers to these questions, which are currently in my profile, are:
1). Recent message sent to – Jaswinder Singh
2). Recent message received from – Rohit Udyavar
3). Recent profile viewed – Thomas James
4). Recent photo album viewed – Rajeev Dutta
5). Person who has sent me a recent Game request – Samikshit Shedge
6). Recent invitation received by me – Pune vs Mumbai
7). Number of event invitations I have received – 5
Research shows that users can share information which is personal with members of their family as well as friends (Marshall, 2007).
An experiment was conducted in which close friends and family members were asked if they could guess answers to the personal question. Results showed success rates of 50% in some cases. (Hoga, Zuiran, 1991)
Studies also show that guessing a multiple choice question is easier than an open ended question. (Bishop, Parrott, Miller, 2009)
Hypothesis: Research shows that there is a high chance of family and friends guessing the answers to personal questions. As research also suggests that guessing free form questions is more difficult than guessing multiple choice ones, some of the multiple choice questions may be guessed by friends. But as the answers to the questions change frequently, there is a lower probability of guessing the answers. 20% of the answers may be guessed by family and friends.
Results of the Survey:
None of the friends and family members could guess any of the free form questions. 3 out of 32 people guessed the number of event invitations correctly. 1 out of 32 guessed the recent profile visited correctly. 1 out of 32 guessed the recent photo album viewed correctly. Again 1 out of 32 guessed the name of the person who sent a game request. 3 out of 32 guessed the event invitation correctly. Thus the maximum share of friends or family members who guessed correctly was 9.3%, for the event invitation. But out of 32 friends and family members, no one could guess the answer for more than one question correctly out of the 7 questions asked.
22 April 2011
Survey questions designed for evaluating the authentication system
Final survey Questions
1). Please enter your full name.
2). Have you heard about Knowledge based authentication which uses challenge questions to authenticate users?
Explanation and Hypothesis:-
In recent years, there has been an increase in the use of knowledge based challenge questions for recovering and resetting forgotten passwords as well as for authenticating users. The Royal Bank of Canada uses challenge questions to authenticate users, before they enter their passwords, when they log in to the bank from a computer not registered with the bank (Bablin, Weiss, Kropf, 2007, p. 237).
Many of the applications on the internet as well as financial organizations require the users to enter answers for challenge questions while registering. American bank requires that users fill in 3 challenge question-answer pairs at the time of registration. These challenge questions are asked when users forget their passwords (Woori American Bank, 2009).
This is a general question asked to find out whether users have heard of the Knowledge based challenge question system.
Hypothesis: Research shows that there are indeed many applications using this system, and hence the majority of the users will say yes, they have heard about it.
3). Were you able to successfully login using the Knowledge based challenge questions?
Explanation and Hypothesis:-
Research was conducted at the Open University in England in which students were tested on their ability to recall names and general concepts. The results pointed out that even after 10 long years, the students were able to remember 25% of the data (Reed, 2007, p.98).
Recent studies were done on the amount of time students spend on Facebook. The results showed that 6.2 hours are spent per week and on average students log into the site 6.3 times per day (Wartman, Aleman, 2009, p.7).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and Youtube combined (Masteralexis, Barr, Hums, 2011, p.445).
This question will give an idea of the total number of users who got successfully authenticated and those who failed to authenticate themselves.
Hypothesis: Research points out the good memory that students have as well as the heavy use of Facebook by users. Thus the majority of the users will manage to get authenticated, as the questions are based on transactions and other activities that they do on Facebook.
4). How much did you have to think to answer the questions as compared to how much you think while entering your password for authentication on Facebook?
1. More than Password 2. Same as Password 3. Less than Password
The minimum password length used for general Facebook authentication is 6 characters (Help centre Facebook, n.d).
An experiment was conducted on undergraduate and postgraduate students to find out how they choose their passwords. Surveys indicated that 81% of the students used the same password on many applications so that they could remember it and make the process easy. (Gritzalis, p.288, 2010)
Researchers say that users are frustrated with the passwords they use, and so to solve the problem they use the same passwords on multiple sites (Bosworth, Kabay, p.63, 2002).
On the other side, research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and Youtube combined (Masteralexis, Barr, Hums, 2011, p.445).
Hypothesis: Again research shows that Facebook is used enormously, so remembering the data asked should be easy. But as users have to answer 2 questions in the authentication process, they are expected to remember more than a 6 character password used on Facebook for general authentication. Also, as research points out that users use the same passwords for multiple applications, there is a clear chance that they will remember the password better than the dynamic questions whose answers keep on changing with time. Thus the majority of the users will choose the option more than password as their answer.
5). Will you feel comfortable with personal questions being asked to you during the authentication process on Facebook?
1. Definitely yes 2. Maybe 3. Not at all
Researchers say that processes which collect private information can raise some ethical concerns (Just, Aspinall, 2009).
Research also points out that the challenge questions in knowledge based authentication systems have a high risk of raising grave privacy concerns, as they are mainly designed to ask for information that is personal (Bruce, 2007).
On the contrary, some experiments have shown that once users are in an online process they don’t monitor or control their actions strongly, and issues related to privacy statements cause no change in their behavior (Berendt, Gunther, Spichermann, 2005).
Hypothesis: Research suggests that users may be concerned with the use of personal information for authentication. On the contrary, research also points out that when users are in an online interaction they don’t pay much attention to personal questions being asked. Thus the majority of users may choose the option maybe as their answer.
6). State the time it took for you to get authenticated using challenge questions as compared to the time it takes for you to get authenticated using a password on general Facebook. (Answer only if you were successfully authenticated.)
1. More than it took for password 2. Same as password 3. Less than it took for password
Research has shown that when authentication is anything other than using passwords, it takes more time to get authenticated. This mainly happens because authentication systems which use other techniques than passwords try to meet a minimum security level and thus increase the authentication time. ( Just , 2010)
Researchers also say that a system which uses challenge questions may use more than one question and answer pair. Using multiple questions always require more time as compared to using passwords. (Cranar, Garfinkel, p.145, 2005)
In systems which use passwords for authentication, the user submits his username and password in one step. Systems in which challenge questions are used require the user to enter his/her username first and only after that the challenge question is retrieved and asked to the user. This process takes more time than just entering the username and password in one step. (Just, 2010)
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and Youtube combined.( Masteralexis, Barr, Hums, 2011, p.445). Thus users have a lot of exposure to information in their Facebook account and may remember a lot.
Hypothesis: Thus all the research done supports the fact that challenge questions take more time to answer than passwords. Two challenge questions have been asked to the user to get themselves authenticated. Research on Facebook suggests its heavy usage which supports the fact that users will remember more and answer quickly. Still as two questions are being asked users will have to think twice and hence say that it took more time than it generally takes by entering their password for authentication.
7). How much time can you afford to devote for logging in to social networking websites like Facebook?
1. Very less 2. Moderate amount 3. High amount
Case studies show that Facebook is the most used social networking website globally. Facebook provides a platform for activities which are happening offline. Parties are organized, events are planned and political activities are carried out on Facebook. Chat, email and other applications have led to people staying in touch even without face to face interaction or even calling each other. Interfaces for mobile phones and portable applications have accelerated its use. Facebook has become a part of everyday life for people, and the term “Facebook addiction” is being used nowadays (Moss, p.150, 2009).
There is a growing concern about Facebook addiction disorder. People who are suffering from it feel depressed if they are not getting responses such as messages on Facebook (Rice, p.104, 2009).
Recent studies were done on the amount of time students spend on Facebook. The results showed that 6.2 hours are spent per week and on average students log into the site 6.3 times per day (Wartman, Aleman, 2009, p.7).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and YouTube combined (Masteralexis, Barr, Hums, 2011, p.445).
Hypothesis: Thus research shows that users are addicted to Facebook. Also, going by the average time spent on Facebook, it can be said that users wouldn’t mind spending a moderate to high amount of time getting authenticated on Facebook. Thus users will choose the moderate option most, followed by the high option.
8). Do you feel your friends or family members might know the answers to the challenge questions asked to you during the authentication process?
1. Definitely 2. Maybe 3. Not at all
Research points out that users may share information which is personal. Subsequently a family member or a close friend of the user may share the personal information with more people. Users are mostly unaware of this fact (Marshall, 2007).
Some research also says that users may be unaware of attackers who use techniques such as shoulder surfing to get personal information while the users are busy surfing (Simpson, Bachman, Corley, 2011, p.442).
Hypothesis: Thus research suggests that most users are unaware that their personal information may not remain personal any more. So the majority of the users may choose the option not at all.
9). If you are asked to actually use the Knowledge based challenge questions for getting authenticated on Facebook then will the level of your usage of Facebook
1. Increase 2. Remain same 3. Decrease
Recent studies were done on the amount of time students spend on Facebook. The results showed that 6.2 hours are spent per week and on average students log into the site 6.3 times per day (Wartman, Aleman, 2009, p.7).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and YouTube combined (Masteralexis, Barr, Hums, 2011, p.445).
There is a growing concern about Facebook addiction disorder. People who are suffering from it feel depressed if they are not getting responses such as messages on Facebook (Rice, p.104, 2009).
Thus users are addicted to Facebook and spend a lot of time on it. The present level of usage is therefore very high, coupled with the addiction to it.
But on the contrary, research has shown that when authentication uses anything other than passwords, it takes more time to get authenticated. This mainly happens because authentication systems which use techniques other than passwords try to meet a minimum security level and thus increase the authentication time (Just, 2010).
Hypothesis: Research proves the high usage of as well as addiction to Facebook. But research also points out the extra time taken for authentication. Also, as two questions will have to be answered correctly, the amount of recall is more than for the minimum 6-character password used on Facebook. Thus the majority of the users may say that their level of usage will decrease if challenge questions are asked for authentication rather than a password.
10.) What was your experience with the authentication system regarding the usage?
1. Very easy 2. Easy 3. Moderate 4. Difficult 5. Very difficult
Research has shown that when authentication uses anything other than passwords, it takes more time to get authenticated (Just, 2010).
Research suggests that multiple choice questions make it easy for the user to answer. Also, many companies now use computer based multiple choice questions for testing users (Marsky, Harris, Turkington, p.5, 2000).
Answering one multiple choice question is compulsory for the users in this authentication process. Also, before designing the authentication system, a survey was conducted of the same users who underwent the authentication, and the questions which were asked of them were rated by them as memorable.
Hypothesis: Thus users answered questions which they themselves rated as memorable, and research suggests that using multiple choice questions makes it easy for the users. Thus the majority of the users will say that the authentication system was easy to use.
11. Please fill in your views about the authentication system (Not a compulsory Question)
References:
Jakobsson M, Myers S. (2007). Phishing and Countermeasures: Understanding the increasing problem of Electronic identity theft. New Jersey. John Wiley. ISBN: 139780471782452
Just M. (2010). Designing and Evaluating Challenge-Question Systems. Retrieved on 10 Feb 2011 from www.csun.edu/deb 5331/
Wartman L.K, Aleman M.MA. (2009). Online social networking on campus: Understanding what matters in student culture. USA. Routledge. ISBN: 0415990203
Masteralexis P.L, Barr C.A, Hums M.A. (2011). Principles and practice for sport management. UK. Jones and Bartlett Learning. ISBN: 97807637796075
Reed K.S. (2007). Cognition: Theory and applications. USA. Thomson Wadsworth. ISBN: 0495091561
Bablin G, Weiss M, Kropf P. (2007). E-Technologies: Innovation in an open World. Germany. Springer. ISBN: 3642011861
Woori American Bank. Retrieved on 20 March 2011 from www.wooriamericanbank.com/service/internet_banking.html
Help Centre Facebook. Retrieved on 25 March 2011 from www.facebook.com/help/?page=173
Gritzalis D. (2010). Computer Security – ESORICS. Germany. Springer. ISBN: 3642154964
Bosworth S, Kabay M.E. (2002). Computer Security Handbook. 4th Edition. Canada. John Wiley and Sons. ISBN: 0471412589
Just M, Aspinall D. (2009). Challenge Questions: Authentications weakest Link. ICCS Seminar. Retrieved on 15 March 2011 from http://groups.inf.ed.ac.uk/security/KBA/presentations/ICCSSeminarFinal.pdf
Marshall K.B. (2007). Tips for avoiding bad authentication challenge questions. Retrieved on March 16, 2011 from www.securityps.infosecmedia.com/white papers/tips for avoiding bad questions.pdf
Berendt B.G, Gunther O, Spiehermann S. (2005). Privacy in e-commerce: Stated preferences vs actual behavior. Retrieved on March 20, 2011 from www.portal.acm.org
Cranar L.F, Garfinkel S. (2005). Security and Usability: Designing secure systems that people can use. USA. O’Reilly Media. ISBN: 0596008279
Moss S. (2009). The entertainment industry: An introduction. UK. Cambridge University Press. ISBN: 9781845935511
Rice J. (2009). The Church of Facebook: How the Hyperconnected are redefining the community. USA. Biblica. ISBN: 9781434765345
Simpson T.M, Backman K, Corley J. (2011). Hands on Ethical hacking and Network defense. 2nd Edition. USA. Course Technology. ISBN: 1435486099
Mersky K, Harris J, Turkington C. (2000). Get ready for Standardized tests. USA. McGraw-Hill. ISBN: 0071360123
6 May 2011
Results from the experiment and some analysis
Final survey Questions
Q1). Please enter your full name.
Q2). Have you heard about Knowledge based authentication which uses challenge questions to authenticate users?
1. Not at all 2. Somewhat 3. Absolutely
Explanation and Hypothesis:-
In recent years, there has been an increase in the use of knowledge based challenge questions for recovering and resetting forgotten passwords as well as for authenticating users. The Royal Bank of Canada uses challenge questions to authenticate users, before they enter their passwords, when they log in to the bank from a computer not registered with the bank (Bablin, Weiss, Kropf, 2007, p. 237).
Many applications on the internet as well as financial organizations require users to enter answers to challenge questions while registering. American bank requires that users fill in 3 challenge question-answer pairs at the time of registration. These challenge questions are asked when users forget their passwords (Woori American Bank, 2009).
This is a general question asked to find out whether users have heard of the Knowledge based challenge question system.
Hypothesis: Research shows that there are indeed many applications using this system, and hence the majority of the users will say they have somewhat to absolutely heard of it and very few will say they have not.
Results: The statistical values indicate that the majority of the students said they had somewhat heard of knowledge based authentication which uses challenge questions for authenticating. The average of the students’ answers was between somewhat and absolutely, and very few students said they had not heard at all of knowledge based authentication.
On the percentage scale, 16.66% of the students said they had not heard at all of knowledge based authentication which uses challenge questions, 40% of the students said they had somewhat heard of it and 43.34% of the students said they had absolutely heard of it.
Thus the hypothesis made before the experiment proved to be correct, as the majority of the students had heard about this type of authentication before.
Q3). Were you able to successfully login using the Knowledge based challenge questions?
Explanation and Hypothesis:-
Research was conducted at the Open University in England in which students were tested on their ability to recall names and general concepts. The results pointed out that even after 10 long years, the students were able to remember 25% of the data (Reed, 2007, p.98).
Recent studies were done on the amount of time students spend on Facebook. The results showed that 6.2 hours are spent per week and on average students log into the site 6.3 times per day (Wartman, Aleman, 2009, p.7).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and YouTube combined (Masteralexis, Barr, Hums, 2011, p.445).
This question will give an idea of the total number of users who got successfully authenticated and those who failed to authenticate themselves.
Hypothesis: Thus research points to the good memory that students have as well as the heavy use of Facebook by users. Thus the majority of the users will manage to get authenticated, as the questions are based on transactions and other activities that they carry out on Facebook.
Results: Statistical values indicate that the majority of the students were able to successfully log in using either one or two attempts. The average value of students successfully logging in is also high.
On a percentage scale, 16.66% of the users failed to log in using two attempts and 83.33% were successful in logging in using either one or two attempts.
Thus the hypothesis laid out at the beginning of the experiment proved to be absolutely correct, as a high percentage of users successfully logged in.
Q4.) How many attempts did it take for you to successfully authenticate?
Results: Out of the students who were able to successfully log in, 60% logged in on the first attempt and 40% had to take the second attempt to log in.
Q5). How much did you have to think to answer the questions as compared to how much you think while entering your password for authentication on Facebook?
1. More than Password 2. Same as Password 3. Less than Password
The minimum password length used for general Facebook authentication is 6 characters (Help centre Facebook, n.d).
An experiment was conducted on undergraduate and postgraduate students to find out how they choose their passwords. Surveys indicated that 81% of the students used the same password on many applications so that they could remember it and make the process easy (Gritzalis, p.288, 2010).
Researchers say that users are frustrated with the passwords they use, and so to solve the problem they use the same passwords on multiple sites (Bosworth, Kabay, p.63, 2002).
On the other hand, research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and YouTube combined (Masteralexis, Barr, Hums, 2011, p.445).
Hypothesis: Again, research shows that Facebook is used enormously, so remembering the data asked for should be easy. But as users have to answer 2 questions in the authentication process, they are expected to remember more than the 6-character password used on Facebook for general authentication. Also, as research points out that users use the same passwords for multiple applications, there is a clear chance that they will remember the password better than the dynamic questions, whose answers keep changing with time. Thus the majority of the users will choose the option more than passwords as their answer.
Result: The statistical values clearly indicate that the students had to think more than for passwords to get authenticated.
On a percentage scale, 20% of the students said they had to think the same amount as for passwords to answer the questions, whereas 80% of the students said they had to think more than for passwords to answer the questions asked of them during authentication.
Thus the hypothesis again proved to be correct, as the majority of the students said they had to think more than for passwords to get authenticated.
Q6). Will you feel comfortable with personal questions being asked to you during the authentication process on Facebook?
1. Not at all 2. Somewhat 3. Definitely yes
Researchers say that processes which collect private information can raise some ethical concerns (Just, Aspinall, 2009).
Research also points out that the challenge questions in knowledge based authentication systems carry a high risk of grave privacy concerns, as they are mainly designed to ask for information that is personal (Bruce, 2007).
On the contrary, some experiments have shown that once users are in an online process they do not monitor or control their actions closely, and privacy statements produce no change in their behavior (Berendt, Gunther, Spichermann, 2005).
Hypothesis: Thus research suggests that users may be concerned about the use of personal information for authentication. On the contrary, research also points out that when users are in an online interaction they don’t pay much attention to personal questions being asked. Thus the majority of users may choose the option somewhat as their answer.
Result: The statistical values clearly indicate that the majority of the students said they feel somewhat comfortable when personal questions are asked of them during the authentication process. The average value indicates that answers tended more towards definitely yes than not at all.
On the percentage scale, 13.33% of the users said they were not at all comfortable with personal questions being asked of them during authentication, 53.33% said they were somewhat comfortable and 33.34% said they were absolutely comfortable.
Thus again, the hypothesis made before this experiment was correct, as the majority of the users said they were somewhat comfortable with personal questions being asked of them during the authentication process.
Q7). State the time it took for you to get authenticated using challenge questions as compared to the time it takes for you to get authenticated using a password on general Facebook. (Answer only if you were successfully authenticated)
1. More than it took for password 2. Same as password 3. Less than it took for password
Research has shown that when authentication uses anything other than passwords, it takes more time to get authenticated. This mainly happens because authentication systems which use techniques other than passwords try to meet a minimum security level and thus increase the authentication time (Just, 2010).
Researchers also say that a system which uses challenge questions may use more than one question and answer pair. Using multiple questions always requires more time as compared to using passwords (Cranar, Garfinkel, p.145, 2005).
In systems which use passwords for authentication, the user submits his username and password in one step. Systems in which challenge questions are used require the user to enter his/her username first, and only after that is the challenge question retrieved and presented to the user. This process takes more time than just entering the username and password in one step (Just, 2010).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and YouTube combined (Masteralexis, Barr, Hums, 2011, p.445). Thus users have a lot of exposure to the information in their Facebook account and may remember a lot.
Hypothesis: Thus all the research done supports the fact that challenge questions take more time to answer than passwords. Two challenge questions are asked of the users to get themselves authenticated. Research on Facebook suggests heavy usage, which supports the idea that users will remember more and answer quickly. Still, as two questions are being asked, users will have to think twice and hence will say that it took more time than it generally takes to enter their password for authentication.
Result: The statistical values clearly indicate that students said they had to devote more time than for passwords to answer the questions and get authenticated. Only one student out of 30 said he had to devote the same time to getting authenticated as with passwords. None of the students said that they had to devote less time to getting authenticated than with passwords.
In terms of percentage, 96.66% of the students said it took more time to get authenticated as compared to passwords.
Thus the hypothesis was proved right, as a high number of users said they had to devote more time to getting authenticated as compared to using passwords on Facebook.
Q8). How much time can you afford to devote for logging in to Facebook?
1. Very less 2. Moderate amount 3. High amount
Case studies show that Facebook is the most used social networking website globally. Facebook provides a platform for activities which are happening offline. Parties are organized, events are planned and political activities are carried out on Facebook. Chat, email and other applications have led to people staying in touch even without face to face interaction or even calling each other. Interfaces for mobile phones and portable applications have accelerated its use. Facebook has become a part of everyday life for people, and the term “Facebook addiction” is being used nowadays (Moss, p.150, 2009).
There is a growing concern about Facebook addiction disorder. People who are suffering from it feel depressed if they are not getting responses such as messages on Facebook (Rice, p.104, 2009).
Recent studies were done on the amount of time students spend on Facebook. The results showed that 6.2 hours are spent per week and on average students log into the site 6.3 times per day (Wartman, Aleman, 2009, p.7).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and YouTube combined (Masteralexis, Barr, Hums, 2011, p.445).
Hypothesis: Thus research shows that users are addicted to Facebook. Also, going by the average time spent on Facebook, it can be said that users wouldn’t mind spending a moderate to high amount of time getting authenticated on Facebook. Thus users will choose the moderate option most, followed by the high option.
Result: The statistical values indicate that the majority of the students said they could afford a moderate amount of time for logging in to Facebook. The average value indicates that students opted for between very less and a moderate amount of time for getting authenticated on Facebook.
In terms of percentage, 40% of the students said they could devote very less time to getting authenticated on Facebook, 56.66% said they could devote a moderate amount of time and just 3.34% said they could devote a high amount of time.
Thus the hypothesis that most of the students would choose the moderate option was correct, but the hypothesis that users would say they could devote a high amount of time to getting authenticated on Facebook, considering the popularity and heavy use of the application, was wrong. Instead, 40% of the students said they could afford to devote very less time, second to the majority who said a moderate amount.
Q9). Do you feel your friends or family members might know the answers to the challenge questions asked to you during the authentication process?
1. Definitely 2. Maybe 3. Not at all
Research points out that users may share information which is personal. Subsequently a family member or a close friend of the user may share the personal information with more people. Users are mostly unaware of this fact (Marshall, 2007).
Some research also says that users may be unaware of attackers who use techniques such as shoulder surfing to get personal information while the users are busy surfing (Simpson, Bachman, Corley, 2011, p.442).
Hypothesis: Thus research suggests that most users are unaware that their personal information may not remain personal any more. So the majority of the students may choose the option not at all.
Result: The statistical values indicate that the majority of the students said that their friends or family members would not at all know the answers to the questions asked of them during the authentication process. The average value indicates that the responses were between not at all and maybe.
In terms of percentage, 60% of the users felt that their friends and family members would not at all know the answers to the questions asked of them during the authentication process. 36.66% of the students answered maybe, whereas just 3.34% of the students were confident and answered definitely yes, that their answers would be known by their friends and family.
As predicted in the hypothesis, the majority of the students thought the answers to the questions asked would not at all be known by their friends and family members.
Q10). If you are asked to actually use the Knowledge based challenge questions for getting authenticated on Facebook then will the level of your usage of Facebook
1. Increase 2. Remain same 3. Decrease
Recent studies were done on the amount of time students spend on Facebook. The results showed that 6.2 hours are spent per week and on average students log into the site 6.3 times per day (Wartman, Aleman, 2009, p.7).
Research also shows that the total time spent on Facebook is more than the time people spend on Google, Amazon, Yahoo, Wikipedia, and YouTube combined (Masteralexis, Barr, Hums, 2011, p.445).
There is a growing concern about Facebook addiction disorder. People who are suffering from it feel depressed if they are not getting responses such as messages on Facebook (Rice, p.104, 2009).
Thus users are addicted to Facebook and spend a lot of time on it. The present level of usage is therefore very high, coupled with the addiction to it.
But on the contrary, research has shown that when authentication uses anything other than passwords, it takes more time to get authenticated. This mainly happens because authentication systems which use techniques other than passwords try to meet a minimum security level and thus increase the authentication time (Just, 2010).
Hypothesis: Research proves the high usage of as well as addiction to Facebook. But research also points out the extra time taken for authentication. Also, as two questions will have to be answered correctly, the amount of recall is more than for the minimum 6-character password used on Facebook. Thus the majority of the users may say that their level of usage will decrease if challenge questions are asked for authentication rather than a password.
Result: Statistical data indicates that the majority of the students said that if the knowledge based questions replace the passwords on Facebook then their level of usage will remain the same. The average value indicates that the responses were between remain same and decrease, and not even a single user said that their level of usage would increase if the challenge question method was actually implemented on Facebook.
On the percentage scale, 30% of the students said that their level of usage would decrease and 70% said that their level of usage would remain the same.
Thus the hypothesis made at the beginning of the experiment was proved wrong, as the majority of the students said that their level of usage would remain the same even if the knowledge based challenge question system replaced password authentication on Facebook.
Q11.) What was your experience with the authentication system regarding the usage?
1. Very easy 2. Easy 3. Moderate 4. Difficult 5. Very difficult
Research has shown that when authentication uses anything other than passwords, it takes more time to get authenticated (Just, 2010).
Research suggests that multiple choice questions make it easy for the user to answer. Also, many companies now use computer based multiple choice questions for testing users (Marsky, Harris, Turkington, p.5, 2000).
Answering one multiple choice question is compulsory for the users in this authentication process. Also, before designing the authentication system, a survey was conducted of the same users who underwent the authentication, and the free form questions which were asked of them were rated by them as memorable.
Hypothesis: Thus users answered questions which they themselves rated as memorable, and research suggests that using multiple choice questions makes it easy for the users. Also, all the research done on the excessive usage of Facebook indicates that users may find it easy to answer the questions. Thus the majority of the users will say that the authentication system was easy to use.
Results: The statistical values indicate that the majority of the students found the authentication system to be of moderate level regarding ease of usage. The values also indicate that some users found the system to be very difficult and none of them said it was very easy. The average value indicates that the majority of the students’ responses were between moderate and difficult.
On the percentage scale, 16.66% of the users found the authentication to be easy, 56.66% of the users found it to be of moderate level, 23.33% found it to be difficult and only 3.33% found it to be very difficult.
The hypothesis made at the beginning of the experiment proved to be incorrect, as the majority of the users said they found the authentication system to be of moderate level as far as its usage was concerned.
Q12. Please fill in your views about the authentication system (Not a compulsory Question)
12 May 2011
Analysis of the Experiment
Research shows that the prior knowledge people have helps them when they encounter similar subjects (Moskowitz, 2005, p. 111). In this experiment, 80% of the students who failed to get authenticated had only somewhat heard of knowledge based authentication, which uses questions to authenticate. 33.33% of the students who had absolutely heard of this type of authentication before were able to get authenticated. 40% of the students who got authenticated in the first attempt had absolutely heard of this type of authentication before, and 26.66% of the students who got authenticated in the first attempt had not heard of it at all. Thus the results indicate that prior knowledge of the system helps users get to grips with it.
As the research suggested, Facebook is used extensively and students have become addicted to it. At the beginning of this experiment it was therefore expected that students would find it quite easy to remember the answers to the questions, as they were all drawn from the students' actual Facebook accounts. Research cited earlier in this experiment also stated that students have good memory. The results show that 80% of the students said they had to think more than for passwords to get authenticated and 20% said they had to think the same amount. 83.33% of the students who said they had to think the same amount as for passwords took only one attempt to authenticate themselves by answering two questions. But the evaluation also shows that 66.6% of the students who took one attempt to authenticate themselves said they had to think more than for passwords. The experiment was designed to support usability while keeping security in mind, so 2 questions were asked, and this made the majority of the students say that they had to think more than for passwords in spite of their good memory and heavy usage of Facebook.
A whopping 96.66% of the students said that it took them more time to authenticate than it takes with passwords. 100% of the students who took only one attempt to authenticate themselves by answering 2 questions said that it took them more time than passwords. Thus, as the research cited earlier in this experiment suggested, even a minimum of two attempts, designed for good usability and moderate security, took users more time than entering a password generally does.
40% of the students who took part in the experiment said that they could devote very little time to getting authenticated on Facebook. Of those students, 91.66% also said it took them more time than passwords to get authenticated using questions. Time is therefore a great concern for students who can devote very little time to authentication, should they want to change from password authentication to challenge question authentication.
Of the students who said the authentication system was difficult or very difficult, 100% also said they had to think more than for passwords to get authenticated. 12% of the students who were able to log in successfully also said they found the authentication difficult or very difficult. 64% of the students who were able to log in successfully found the usage to be of a moderate level. It can also be observed that more than 50% of the students who found the authentication system easy or very easy had prior knowledge of this type of authentication system.
Students were observed during the authentication process. Research done earlier in this experiment suggested that free form questions are almost equivalent to passwords and that users may face many problems in entering the correct data into them. While the authentication system was being designed, the same students who took part in the final authentication were surveyed and asked which of the questions they could recollect well and which they could not. Only the questions whose answers the students said they could remember well are free form questions in this authentication system; the others are given multiple choices to improve the usability of the overall system. Of the students who took one attempt to get successfully authenticated, 73.33% had to answer one compulsory free form question and did so successfully. But of the students who failed in the first attempt, 86.66% failed because they could not answer the free form question correctly. Of the students who failed in the first attempt because they answered the free form questions incorrectly, 76.92% could not recollect their answers and 23.07% entered wrong spellings. Thus, even though the same students claimed to remember the answers, they failed to recollect them at the time of authentication. Of all the multiple choice questions asked in either the first or second round, students failed to answer 17.14%. Overall, students had problems recollecting free form answers and found answering multiple choice questions easier.
On further analysis of the questions, students had problems with the question which asked them to name the person who had most recently sent them a game request on Facebook. Analysis of the Facebook home page shows that a user has to click on the “Game requests” button to actually see the game request and who sent it. Answers to questions such as the event invitation and the number of event invitations were readily shown on the Facebook home page, and students did not have to click a button to view them. Questions which asked the students for the name of the person who sent them a message, or the name of the person they sent a message to, required them to click on the “messages” button to view the complete information. Two questions tested the students' ability to remember browsing history by asking them to name the person whose profile and whose photo album they had viewed most recently on Facebook. Most of the students could answer this question with ease without getting confused. Overall, it can be said that students remembered data that was readily available on the home page better than data which required them to click a button to view the complete details.
The experiment also tried to find out what students would do if knowledge based authentication using questions was actually implemented on Facebook. In total, 70% of the students said their level of usage would remain the same and 30% said that it would decrease. Of the students who said that their level of usage would decrease, 88.88% also said that they had to think more than for passwords to answer the questions. Thus it can be said that the excessive recollection required may be the reason students said their level of usage would decrease. Further analysis shows that 100% of the students who said that their level of usage of Facebook would decrease also said that it took them more time to answer the questions than it generally takes for passwords. Time is thus a major factor which contributed to students saying that their level of usage would decrease if this kind of challenge question authentication is actually implemented on Facebook. Analysis also shows that, of the students who said their level of usage of Facebook would decrease, only 11.11% said that they were not at all comfortable with personal questions being asked to them, 66.66% said they were somewhat comfortable and 22.22% said they were definitely comfortable. Thus the majority of the students did not have many problems with personal questions being asked to them, so this would not much affect their level of usage. Of the students who said their level of usage would decrease, not a single one thought that the answers to the questions asked during authentication would definitely be known by their families or friends. 55.55% of the students who said that their level of usage of Facebook would decrease also said that they think their friends and family members would not know the answers to the questions at all. 44.44% of the students who said their level of usage would decrease also said they were not sure whether their answers were known by their families and friends. Thus neither the asking of personal questions nor students' feelings about friends or families knowing their answers had much effect on their saying that their level of usage would decrease.
Comparing the Question based authentication with password authentication on Facebook.
An experiment was conducted on undergraduate and postgraduate students to find out how they choose their passwords. Surveys indicated that 81% of the students used the same password on many applications so that they could remember it and make the process easy (Gritzalis, p.288, 2010).
Researchers say that users are frustrated with the passwords they use, and so to solve the problem they use the same passwords on multiple sites (Bosworth, Kabay, p.63, 2002).
To find out how users actually use passwords, a survey was conducted with some students at the library of the University of Portsmouth. Students were asked about the length of their passwords, how often they use the “remember my password” option in the browser, how often they forget passwords and how often they change the password for the same application.
Analysis of the results shows that 51.61% of the students said that their password was 6 to 8 characters, 25.80% said that their password was 8 to 10 characters and 16.12% said their password was more than 10 characters. Students who said that their password was less than 6 characters can be ignored, as almost all commercial applications including Facebook require a minimum of 6 characters for a password. The average length of the answers to the free form questions in the challenge question authentication was calculated from the database and found to be 11.06 characters. Therefore brute force attackers would need more tries to crack the answers to the free form questions asked in the designed challenge response authentication system than to crack the passwords, as the survey showed that few students had a password length of more than 10 characters. But multiple choice questions pose a great threat of guessing as compared to passwords, so passwords are always more secure than multiple choice questions. Security and usability don’t go hand in hand.
As research has shown, users use the “remember my password” option in their browser to avoid hassle. Students were asked how often they use this option. 45.16% said they sometimes use it, 25.80% said they use it very frequently and only 29.03% said they never use it. Analysis of the database used for this experiment shows that the answers to the challenge questions change frequently. Thus the dynamic nature of the answers in the knowledge based challenge question system proves to be more secure in this case when compared to users saving passwords in the browser.
Users use the same password again and again, which may easily help an attacker to listen in (Daswani, Kern, Kesavan, 2007, p.8). Students were asked how often they changed their passwords for the same application. 3.2% of users said they do it weekly, 6.45% said they do it once a month, 22.58% said they do it every 6 months, 29.03% said they do it every year and 38.70% said they never change their password. Thus the majority of the users did not change their password frequently, which is a big risk. Answers to the challenge questions are dynamic and change frequently, as the databases suggest, and hence hold a big advantage over passwords in terms of security.
Research also shows that users tend to write down passwords because they find them difficult to remember (Deal, 2005, p.112). Again, as the answers to the questions in a knowledge based authentication system keep changing frequently, it is very difficult for an attacker to find them saved or written down anywhere.
Comments
Students were also asked to comment on their experiences with the authentication system. Justin Pang and Christine Liau said that they found it to be good and interesting. Pankaj Ghavri, an MBA student at the University of Portsmouth, said “Why should I do this. Password authentication is quicker”. Ajay from the Electronic and Computer department said that he could not recollect anything and that his memory wasn’t good at all. Rajesh, a student of Civil Engineering from the University, said that it was quite good but time consuming. Jaimala Wankhede, an MBA student from the University, said “Why should I answer 2 questions when I get authenticated in seconds using the passwords”. Ratandeep Singh, a student of Computer Networks from the University, said that it required some effort to answer the questions. Kushal, a student of Pharmacy from the University, said that multiple choice questions helped him answer well. Vaibhav and Abdulrazzaq, students of electronic engineering from the University, said that the time required for logging in is too much. Mayura, an MBA student, said that answering without options was very difficult for her as she did not manage to recollect the information. Anush and Varsha from the same University found the authentication to be interesting.
Survey on use of Passwords
12 May 2011
Analysis
14 May 2011
Reference:
Deal, A.R. (2005). Cisco router firewall security. USA: Cisco Press. ISBN: 1587051753
Daswani, N., Kern, C., Kesavan, A. (2007). Foundation of security: What every programmer needs to know. USA: Apress. ISBN: 1590597842
Gritzalis, D. (2010). Computer Security – ESORICS. Germany: Springer. ISBN: 3642154964
15 May 2011
Strengths of KBA system from results
1. As there were some concerns about personal questions being asked, the experimental results prove that the majority of the users do not have a problem with them. Thus asking personal questions in a KBA system is absolutely fine if prior consent is taken.
2. The knowledge based system uses dynamic questions to authenticate its users, and this is the biggest security advantage discovered in this experiment. Compared with other authentication systems like passwords, there is no chance of writing down the answers to knowledge based questions as they change frequently. Using the same questions for many applications is also not possible, as the questions depend on the particular application. Free form answers to challenge questions are stronger than passwords, as proven in this experiment.
3. The high success rate of authentication indicates that the system is not that difficult, and some training and time will make the system easy to follow.
4. Asking fact based personal questions of a dynamic nature helps usability, which was proven by the high success rate of students who managed to get authenticated.
Weaknesses
1. The time required to get authenticated is more than with traditional techniques like passwords, which affects usability.
2. Recollecting answers is not that difficult with multiple choice answers, but more recollection is required than with traditional techniques, as more than 1 question needs to be answered for primary authentication.
3. The chances of guessing increase when multiple choice options are presented, thus affecting the security of the system.
4. Affordability is a big issue for applications with a very large user base, which have to design and maintain the software and database that track and store every activity of the user.
20 May 2011
Performance metrics evaluation
Scale used for rating the metric
Excellent 5
Very Good 4
Good 3
Fair 2
Poor 1
Security Metrics
Guessability
Research done earlier in this experiment pointed out that knowledge based authentication is susceptible to guessing by friends and family members. Before the experiment started, a guessability survey was done in which friends and family members were asked to guess the answers to questions from my own Facebook profile. None of the friends and family members could guess the answers to any of the free form questions. 3 out of 32 people guessed the number of event invitations correctly, 1 out of 32 guessed the recent profile visited correctly and 1 out of 32 guessed the recent photo album viewed correctly. Again, 1 out of 32 guessed the name of the person who sent a game request and 3 out of 32 guessed the event invitation correctly. Thus the highest share of friends or family members who guessed an answer was 9.3%, for the event invitation. But out of the 32 friends and family members, no one could guess the answer to more than one of the 7 questions asked. The survey can be seen in APPENDIX C.
To evaluate the metric further, students at the University of Portsmouth Library were asked to guess the answers to questions for the profile of Rajesh Aradhulya, a Masters student of Civil Engineering at the University of Portsmouth who also took part in the authentication experiment. All the students who tried guessing Rajesh's answers were complete strangers and, as they were not in his friends list, were free to guess using Rajesh Aradhulya’s Facebook wall, photos and whatever other information was available to them. The data to be guessed was the same data available in the 3rd week database which was used to authenticate Rajesh. Nobody could guess the messages sent or received, as these were free form questions without any options. 2 students guessed the profile viewed, 1 guessed the photo album viewed, 1 guessed who the game request was received from, 1 guessed the event invitation received and none could guess the number of event invitations. One student guessed the answers to two questions out of 7 correctly. Free form questions were impossible to guess whereas multiple choice questions were quite susceptible to guessing. Contrary to the research done, strangers guessed a bit more than friends and family members could.
As the designed authentication system is an experimental one and in a real scenario the answers to the questions would change frequently, multiple guesses by users were not a practical way to evaluate this metric for the designed authentication system. Also, as the system was designed to block after two unsuccessful attempts, multiple guessing was not feasible.
To evaluate the metric further, Ratandeep Singh, a masters student of Computer Networks, was asked to spare some free time to help me. Ratan was given the username of every user and asked to try logging in to each account within 2 attempts, using his guessing abilities and the advantage of knowing every user. Apart from logging in successfully to his own account, he failed to log in to any other account within 2 attempts.
Thus some of the friends as well as strangers were able to guess some of the answers to the multiple choice questions. The designed authentication system is therefore not fully safe against guessing by an attacker, as it contains some multiple choice questions. This metric is being given a fair grade with 2 points.
Observation difficulty
To further evaluate the security metric, evaluating the observation difficulty was of prime importance. First, as research suggests, it is very important to evaluate whether the data can easily be found online or from records. To evaluate this, an online search was done using the MSN, Google and Ask search engines to see if any of the data could be found. As Facebook is a secure network, none of the information could be retrieved, as expected.
Research done earlier in this experiment suggested that shoulder surfing attacks are common nowadays, where friends and family members can easily observe the information entered into or browsed through the application. On evaluating the experimental system, it can be observed that the answers entered by the users are not obscured and can easily be read and identified using shoulder surfing attacks, for example by fitting a spy camera in the room to observe the answers entered or the browsing activity performed. Thus observation difficulty with regard to shoulder surfing attacks is a concern for the security metric and can be given a fair grade with 2 points.
Minimum Entropy
Formula: minimum entropy = log2(1/p), where p is the probability of choosing the most likely value in the distribution. To calculate this security metric, each question is considered.
Q1. Messages sent to and received from (free form questions)
Analysis: From the database it can be seen that the majority of the students send messages to or receive messages from users in their friends list. The average number of friends each user had in the experiment is about 300. Thus the probability of the likely value is p=0.003.
So minimum entropy = log2(1/0.003) = 8.380 bits
Q2. Profile viewed, Photo album viewed, Game request received, Event invitation received (Multiple choice questions)
Analysis: All these questions had 10 options each. So the probability of choosing the correct answer is p=0.1
So minimum entropy = log2(1/0.1) = 3.321 bits
Thus multiple choice questions have lower minimum entropy than the free form ones. This security metric can be given a rating of good with 3 points.
Uniqueness
To measure this metric, the answers to each question are compared across users and each question is then rated.
Q1. Name the person whom you sent a most recent message to.
Result: Comparing the databases for the 3rd week, which held the information used to uniquely authenticate the students, it can be seen that two students sent a message to the same person. So the percentage of non-unique data used to authenticate was 6.6%. Therefore the uniqueness metric for this particular question can be rated as good with 3 points.
Q2. Name the person who has sent most recent message to you.
Result: Comparing the data in the database for the 3rd week, which was used to authenticate users for this particular question, two students received messages from a single person. Therefore the non-unique data used to authenticate users in the complete experiment for this particular question is again 6.6%. The uniqueness metric for this particular question can be rated as good with 3 points.
Q3. Name the person whose profile you visited most recently on Facebook.
Result: Analyzing the data for the 3rd week used to authenticate students for this particular question, it can be seen that 2 students viewed a common profile on Facebook. Therefore the non-unique data used to authenticate users for this question was again 6.6% for the entire experiment. The uniqueness metric for this particular question can be rated as good with 3 points.
Q4. Name the person whose photo album you viewed most recently.
Result: Analyzing the database for week 3, it can be observed that none of the data used to authenticate users for this question is non-unique. Therefore the uniqueness metric for this particular question is excellent and can be given 5 points.
Q5. Name the person who sent a game request to you most recently.
Result: Analyzing and comparing the data for week 3 for this particular question, it can be observed that the data used to authenticate each student was 100% unique. Therefore the uniqueness metric for this particular question can be given an excellent rating with 5 points.
Q6. Name the event invitation received most recently on Facebook.
Result: Analyzing the data for week 3, it can be seen that 3 students received the same event invitation from Tiger High Portsmouth. This amounts to 10% non-unique data used to authenticate the students. Thus the uniqueness metric for this question took a hit and can be rated as fair with 2 points.
Q7. Number of event invitations received.
Result: Analyzing the database for this question for week 3, it can be seen that students had between 1 and 15 event invitations and many had the same number of event invitations. Thus the uniqueness metric for this question has again taken a hit and can be rated as poor with 1 point.
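The minimum entropy and uniqueness figures above can be combined into an estimate of what an online guesser gains before the two-attempt block. The following Python is an added example, not code from the experiment; it assumes each attempt asks one free form and one multiple choice question with independent answers and fresh questions per attempt, and the 30-answer sample column is constructed.

```python
import math
from collections import Counter

LOCKOUT_ATTEMPTS = 2  # the journal's system blocks after two unsuccessful attempts


def min_entropy_bits(p_max: float) -> float:
    """Minimum entropy log2(1/p), where p is the probability of the likeliest answer."""
    if not 0.0 < p_max <= 1.0:
        raise ValueError("p_max must be in (0, 1]")
    return math.log2(1.0 / p_max)


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Anna ' and 'anna' count as one answer."""
    return " ".join(answer.split()).lower()


def empirical_p_max(answers) -> float:
    """Share of the single most common answer in an observed answer column."""
    if not answers:
        raise ValueError("no answers")
    counts = Counter(normalise(a) for a in answers)
    return counts.most_common(1)[0][1] / len(answers)


def top_k_success(answers, k: int) -> float:
    """Chance that guessing the k most common answers matches a randomly chosen user."""
    if not answers:
        raise ValueError("no answers")
    counts = Counter(normalise(a) for a in answers)
    return sum(n for _, n in counts.most_common(k)) / len(answers)


def fresh_question_success(p_attempt: float, attempts: int = LOCKOUT_ATTEMPTS) -> float:
    """Chance of at least one success when every attempt draws new, independent questions."""
    return 1.0 - (1.0 - p_attempt) ** attempts


def scheme_summary(p_free: float, p_choice: float, attempts: int = LOCKOUT_ATTEMPTS) -> dict:
    """Per-question and per-attempt minimum entropy plus the break chance before lockout."""
    p_attempt = p_free * p_choice  # assumption: the two answers are independent
    return {
        "bits_free": min_entropy_bits(p_free),
        "bits_choice": min_entropy_bits(p_choice),
        "bits_per_attempt": min_entropy_bits(p_attempt),
        "p_break_before_lockout": fresh_question_success(p_attempt, attempts),
    }


# Constructed sample: 30 answers to the event-invitation question, three of which
# name the same event (the 10% non-unique case reported for Q6).
SAMPLE_EVENT_ANSWERS = ["Shared Event"] * 3 + [f"Event {i:02d}" for i in range(27)]


if __name__ == "__main__":
    # p values taken from the journal: 0.003 for free form, 0.1 for ten options.
    for name, value in scheme_summary(0.003, 0.1).items():
        print(f"{name}: {value:.5f}")
    p = empirical_p_max(SAMPLE_EVENT_ANSWERS)
    print(f"event question: p_max={p:.3f}, {min_entropy_bits(p):.3f} bits")
    print(f"top-2 guesses hit {top_k_success(SAMPLE_EVENT_ANSWERS, 2):.3f} of users")
```

With the sample column, a shared answer held by 10% of users gives the same minimum entropy as a ten-option multiple choice question, which is why the uniqueness rating matters for guessing resistance and not only for telling users apart.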
Usability metrics
Applicability
Before the authentication system was designed, the users who took part in the experiment were surveyed about the content they use on Facebook. Only after the survey was evaluated were the questions finalized, so that they were applicable to all the students who took part in the experiment. Observation of the students during the authentication process also showed that all questions asked were 100% applicable to each user. Thus the designed authentication system is rated as Excellent with 5 points in terms of applicability.
Memorability
Results show that 83.33% of the students were successful in logging in using one or two attempts. 60% of the students who were successful in logging in did so at the first attempt and 40% did so at the second attempt. Analysis shows that students had problems recollecting the answers to free form questions. Of the students who failed to answer free form questions in the first attempt, 76.92% could not recollect their answers. But the same students had said in a pre-survey that they remembered the answers to these questions quite well, and so no options were provided for these questions. Of all the multiple choice questions asked in the experiment, students failed to answer just 17.14% because they could not remember the answers. Thus the memorability of answers to free form questions was very low compared to the multiple choice ones. It can also be said that answering the multiple choice questions is a combination of recall and recognition. As the user has to answer the second question compulsorily as a multiple choice one, the chances of forgetting are lower than with free form ones. Thus, for the designed authentication system as a whole, the memorability metric can be given a rating of good with 3 points.
Ease of Use
The users who took the authentication experiment were also asked how they felt about the level of usage. None of the users said it was very easy. Just 16.66% of the users found the authentication system easy, 56.66% found it to be of a moderate level, 23.33% found it difficult and only 3.33% found it very difficult. Thus ease of use in the usability metric is being given a good rating with 3 points.
Privacy
The survey which followed the authentication asked the users whether they were comfortable with personal questions being asked to them during the authentication process. Only 13.33% of the users said that they were not at all comfortable with personal questions being asked to them, 53.33% said they were somewhat comfortable and 33.34% said they were absolutely comfortable. Research done earlier in this experiment also suggests that when users are in an online transaction, they do not bother much about personal questions being asked. Therefore it can be said that the designed authentication system does not offend the user’s privacy much, and so this usability metric can be given a rating of good with 3 points.
Time to authenticate
A stop watch was used to measure the time to authenticate. The times of 10 of the students who were able to successfully authenticate themselves in the first attempt are considered for this measurement. The average time to enter the email address, get one question and answer it, then get the second question and answer it was 43.1 seconds. The same students were told to enter their email address and password on their actual Facebook account and the time was noted. They took 6.6 seconds on average to do so. All students who took the authentication were also asked how much time they intend to devote to getting authenticated on Facebook. 40% said they could devote very little time, 56.66% said they could devote moderate time and only 3.34% said they could devote a high amount of time. The average time taken to get authenticated by answering the questions was almost 7 times that taken by entering the password. This average time for answering the challenge questions covers only those who took one attempt to authenticate themselves. If the time others took to get authenticated were taken into consideration, it would be worse. Thus this usability metric is being given a fair rating with 2 points. The fair rating is because only 2 questions were asked, favouring usability over security. 3 questions or more would have further degraded the usability and the time to authenticate.
Affordability
Facebook has more than 500 million users worldwide. The first step in setting up challenge question authentication for Facebook would be to design software which analyzes every activity of every user on a daily basis and generates valuable data that can be used for authentication. The initial costs of setting this software up are therefore quite high, keeping in mind the volume of users on Facebook. A centralized database needs to be set up where the answers to all the questions would be stored. Management of such a huge database for 500 million users would incur additional costs. As the designed authentication system blocks after two incorrect attempts to limit guessing, students may not follow the retrieval email sent to them and may contact customer care instead, which would incur additional costs. If the application were a bank or a small organization, the cost of implementing the system would be lower, considering the low volume of users compared to Facebook. If Facebook plans to employ a 3rd party for collecting and maintaining the information database, that would add to the costs. But once the system is set up, the only costs to worry about would be those of customer support. Compared to other multifactor authentication systems, the cost of implementation and management is lower for challenge question authentication, but compared to password authentication, the initial software design costs would be higher. Thus the affordability metric for knowledge based challenge question authentication can be said to be fair with 2 points.
Cost of researching factoids
The cost of researching data that can help in getting authenticated on Facebook is in practice the cost of bribing either a Facebook employee or a friend of the target user. The cost of getting the information from a Facebook employee is very high and the cost of getting factoids from a friend of the target user is moderate. Therefore this metric can be given a rating of good with 3 points.
False rejection
After the application prototype was designed, it was tested for operability and authenticated successfully when correct answers were entered. During the experiment, none of the users who entered the correct answer were rejected. To evaluate this further, the authentication system was tried many times with answers that users had given in the 1st and 2nd weeks of this experiment. There was 100% acceptance of correct answers entered into the system. Therefore this metric can be given an excellent rating with 5 points with respect to acceptance.