8.2. Criteria for Building and Evaluating a Challenge Question System

We begin our introduction to the design of challenge question systems by introducing criteria that are helpful in both their design and evaluation. These criteria relate to the privacy, security, and usability of the challenge question system.

8.2.1. Privacy Criteria

In environments that use personal information, it should be common practice to follow recognized privacy principles to protect answers to challenge questions.[1] For the use of challenge questions and answers to authenticate users, one principle in particular is relevant: collection limitation. This principle limits the collection of personal user information to what is necessary for the purpose of authenticating an individual. Adherence to it helps ensure that only the information needed to support a suitable level of security and usability is collected and retained.
Designers should be particularly cautious about questions that ask for personal information, such as "What is your mother's maiden name?", because the answer, even if obscured (hashed) rather than stored in the clear, must still be held at the account server. Preference should be given to nonpersonal questions, provided that they offer sufficient security and usability. In addition, answers to challenge questions should be used only for the purpose of recovering a user's access to his or her account, conforming to a use limitation principle. If challenge questions are to be used for other purposes, individuals should be notified and their consent obtained. Furthermore, care should be taken when asking for answers that users may find sensitive. Best practice therefore involves offering individuals as much choice as possible in question selection (while maintaining a suitable security level), giving them control over the answers they provide.

8.2.2. Security Criteria

The security of a challenge question system depends directly on the confidentiality of the answers to the challenge questions. Other properties, such as integrity and availability, are also important to the security of the overall system, but they are not the focus of our framework. The following security criteria apply primarily to the content of individual questions and answers:
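The privacy criteria above say that an answer is held at the account server in obscured (hashed) form and that nothing beyond what verification needs should be retained. The following is an added example of what such a record looks like and how it is checked; it is not code from the chapter. The normalization rule (NFKC, case-fold, keep only letters and digits), the use of PBKDF2-HMAC-SHA256, the iteration count and the record layout are all design choices assumed here. The last function shows the caveat that leads into the security criteria: hashing slows an attacker who obtains the record, but it does not rescue an answer that is easy to guess.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Iterable, Optional

# Assumed parameters (not from the chapter): PBKDF2-HMAC-SHA256 with a random
# per-user salt. The iteration count is illustrative, not a recommendation.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so that harmless variation ("Smith", " smith ",
    "SMITH", "O'Brien" vs "O Brien") does not lock the legitimate user out.
    Assumed rule: Unicode NFKC, case-fold, then keep only letters and digits."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def _derive(normalized: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, iterations)


def register_answer(answer: str) -> Dict[str, object]:
    """Build the record kept at the account server.

    Collection limitation in practice: the record holds only the salt, the
    derived key and the work factor. The plaintext answer and its normalised
    form are discarded as soon as the key has been derived."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(normalize_answer(answer), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: Dict[str, object], candidate: str) -> bool:
    """Recompute the derived key for the candidate and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    digest = _derive(normalize_answer(candidate), salt, int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def offline_guess(record: Dict[str, object], candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked record can do: walk a list of common
    answers. Each attempt costs one PBKDF2 computation, which slows the search
    but cannot prevent it when the answer space is small (a few thousand
    surnames, a handful of colours). Returns the first candidate that verifies."""
    for guess in candidates:
        if verify_answer(record, guess):
            return guess
    return None


if __name__ == "__main__":
    rec = register_answer("O'Brien")
    print("stored fields:", sorted(rec))
    print("user retries with 'o brien':", verify_answer(rec, " o brien "))
    # Constructed candidate list standing in for a frequency-ordered name list.
    print("offline guess:", offline_guess(rec, ["smith", "jones", "o'brien"]))
```

Note that the work factor is per attempt, so the cost to the attacker scales with the size of the candidate list, not with the strength of the hash. That is why the security criteria that follow concern the guessing difficulty of the answers themselves.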
For an authentication system that consists of multiple questions, additional criteria should be considered, including the total guessing and observation difficulty for the entire set of questions. In addition, answers should be unrelated to one another, so that the availability and entropy of each answer can be maintained independently when multiple questions are used. One way to support answer independence is to use independent questions, that is, questions that encourage the submission of independent answers.

8.2.3. Usability Criteria

The usability of a challenge question system is concerned with providing a user-friendly experience at the stages of both answer registration and subsequent answer presentation. The following usability criteria should be used when evaluating a challenge question system:
Additional usability issues include the number of questions and answers stored and the number of answers required to authenticate. These issues are discussed further in the next section.
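The security criteria in 8.2.2 ask for the total guessing difficulty of a set of questions and for answers that are independent, so that the entropy of each question can be counted on its own. The following added example (not code from the chapter) makes both measurable for two questions. It uses a constructed joint distribution of answers to a "favourite colour" question and a "colour of your first car" question; the probabilities are invented for illustration, not survey data. Guessing difficulty is expressed two ways: min-entropy (bits of resistance to the single best guess) and the probability that an attacker succeeds within k guesses. Comparing the correlated joint distribution with the product of its marginals shows how much of the nominal entropy a related pair of questions gives away.

```python
import math
from itertools import product
from typing import Dict, Tuple

Dist = Dict[str, float]
Joint = Dict[Tuple[str, str], float]

# Constructed joint distribution over (favourite colour, first car colour).
# The diagonal is heavy on purpose: people who like blue tend to have owned a
# blue car. These numbers are invented for the example.
CORRELATED_JOINT: Joint = {
    ("blue", "blue"): 0.32, ("red", "red"): 0.24,
    ("green", "green"): 0.16, ("black", "black"): 0.08,
    ("blue", "red"): 0.08, ("red", "blue"): 0.06,
    ("green", "blue"): 0.04, ("black", "blue"): 0.02,
}


def min_entropy_bits(dist: Dict) -> float:
    """Resistance to one optimal guess: -log2 of the most likely answer.
    This is the entropy measure that matters for a guessing attacker, not the
    Shannon entropy, which averages over answers the attacker never tries."""
    return -math.log2(max(dist.values()))


def guess_success(dist: Dict, k: int) -> float:
    """Probability that an attacker who knows the distribution and tries the
    k most likely answers (in order) gets in within k attempts."""
    return sum(sorted(dist.values(), reverse=True)[:k])


def marginals(joint: Joint) -> Tuple[Dist, Dist]:
    """Per-question answer distributions implied by the joint distribution."""
    first: Dist = {}
    second: Dist = {}
    for (a, b), p in joint.items():
        first[a] = first.get(a, 0.0) + p
        second[b] = second.get(b, 0.0) + p
    return first, second


def independent_joint(d1: Dist, d2: Dist) -> Joint:
    """The joint distribution the two questions would have if answers were
    independent: the product of the marginals."""
    return {(a, b): p * q for (a, p), (b, q) in product(d1.items(), d2.items())}


def independence_gap_bits(joint: Joint) -> float:
    """Bits of guessing difficulty lost because the answers are related:
    the sum of the per-question min-entropies (what a designer who evaluates
    each question on its own would count) minus the min-entropy of the pair
    as actually answered."""
    d1, d2 = marginals(joint)
    return min_entropy_bits(d1) + min_entropy_bits(d2) - min_entropy_bits(joint)


if __name__ == "__main__":
    d1, d2 = marginals(CORRELATED_JOINT)
    indep = independent_joint(d1, d2)
    print(f"question 1 alone:      {min_entropy_bits(d1):.2f} bits")
    print(f"question 2 alone:      {min_entropy_bits(d2):.2f} bits")
    print(f"pair if independent:   {min_entropy_bits(indep):.2f} bits")
    print(f"pair as correlated:    {min_entropy_bits(CORRELATED_JOINT):.2f} bits")
    print(f"lost to correlation:   {independence_gap_bits(CORRELATED_JOINT):.2f} bits")
    print(f"3-guess success, independent: {guess_success(indep, 3):.3f}")
    print(f"3-guess success, correlated:  {guess_success(CORRELATED_JOINT, 3):.3f}")
```

With these constructed numbers the two questions look worth about 2.5 bits together if each is scored on its own, but the correlated pair is worth only about 1.6 bits, and three guesses succeed 72% of the time instead of 44%. The per-question criteria are therefore necessary but not sufficient: a multi-question system must be scored on the joint distribution of answers, which is what the independence criterion is meant to protect.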