Work in Progress: A Comparative Long-Term Study of Fallback Authentication

Philipp Markert, Maximilian Golla, Elizabeth Stobert, Markus Dürmuth

Workshop on Usable Security and Privacy (USEC '19). San Diego, California, February 24, 2019


Fallback authentication, the process of recovering access to an account if the primary authenticator is forgotten or lost, is of significant importance in real-world applications. A variety of mechanisms are deployed, ranging from secondary channels (such as email and SMS), through personal knowledge questions (such as the "mother's maiden name"), to social authentication (such as vouching-based approaches). One central difference from primary authentication is that the elapsed time between enrollment and authentication can be much longer, typically in the range of years. However, few of the mechanisms used today have been studied over such long time spans, making claims about their usability difficult to generalize to real-world applications. Additionally, most past studies have considered only one or two mechanisms, and deriving a meaningful comparison of a relevant number of mechanisms from the individual data points is not easy.

In this work-in-progress paper, we report on the design of a usability study that we will use to evaluate authentication mechanisms over a more realistic time frame of up to 18 months, and that will provide a fair comparison of the four most widely used fallback authentication schemes. We present results of a pre-study with 74 participants that ran over 4 weeks; it indicates that schemes based on email and SMS are more usable. Mechanisms based on designated trustees and personal knowledge questions, on the other hand, fall short, both in terms of convenience and efficiency.

Tags: fallback authentication, password recovery, password reset, personal knowledge question, usability