Understanding users’ perceptions to improve fallback authentication

Despite receiving a lot of scrutiny and criticism, security questions are still widely adopted. Although new techniques are continuously being proposed to improve fallback authentication (i.e. security questions design), little research investigated users’ security and memorability perceptions. Previous research found that users’ perceptions are important because they can impact the adoption of security techniques. Hence, this research contributes to security questions research by investigating (with a study of n = 30) how users select security questions, what strategies are used to memorize answers, how users perceive the security and memorability of their answers and how a technique which addresses key security weaknesses (but makes them less memorable) impacts users’ perceptions. Our key findings reveal that despite asking participants to select security questions for an online banking scenario, participants who answered security questions with their own answers did not consider security factors. Instead, they selected easy, truthful and certain answers. Memorization strategies were ignored by most participants (even those who used unfamiliar answers). We also found that a technique designed to address key security weaknesses seemed to inspire some kind of security awareness (but would still not be enough). Based on these findings this paper provides recommendations to improve the design of security questions, strengthening fallback authentication mechanisms secure and usable.