1 + 1 = You: Measuring the comprehensibility of metaphors for configuring backup authentication

July 16, 2009 by Richard Conlan

http://cups.cs.cmu.edu/soups/2009/proceedings/a9-schechter.pdf
Stuart Schechter and Robert Reeder

What should a site do when a user forgets their password?  A common method is to ask security questions.  Unfortunately, an initial analysis of the most commonly used security questions found that none were all that good: each suffered from either poor memorability or poor security.  What about e-mail-based recovery?  That does not work in the important case where the user has also forgotten their e-mail password!  What other options are available?  Other mechanisms include social authentication using trustees, SMS messages to a mobile phone, printed shared secrets kept in a safe place, and remembering old passwords.

If none of these is trusted in isolation, then what combination is sufficient?  In particular, how should the UI be designed so that it communicates to the user which combinations are sufficient?  For example, answering a single secret question is fairly weak evidence, but receiving an SMS message sent to your cellphone is fairly strong evidence.  One metaphor the researchers examined was an exam metaphor, in which the different identification methods are worth differing numbers of points, with an indication of the total number of points necessary to "pass" the exam.  Another metaphor was to present the same information sorted into Strong, Medium, and Weak evidence, with a list of evidential requirements stating, for example, that a Strong piece of evidence combined with any other piece, or two Medium pieces, etc., would suffice.
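The two metaphors describe two ways of encoding the same recovery policy, and the question the study put to participants (can Jane get back in with the evidence she has?) is exactly what a policy check has to answer.  The following is an added example, not code from the Schechter and Reeder paper or from Live ID: it implements both an Exam scorer and an Evidence Scale rule check over the recovery methods the page lists.  The point values, the pass mark, the tier assignments and the scenario are assumptions for illustration; the paper does not publish them.  It also goes slightly beyond the text by enumerating evidence sets on which the two encodings disagree, which is the calibration check you would want before showing either UI.

```python
"""Backup-authentication policy check for the Exam and Evidence Scale metaphors.

Added example; not code from the SOUPS 2009 paper or from Live ID.
All point values, tiers and the pass mark are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Tier(Enum):
    WEAK = "Weak"
    MEDIUM = "Medium"
    STRONG = "Strong"


@dataclass(frozen=True)
class Method:
    name: str
    points: int   # Exam metaphor: assumed point value
    tier: Tier    # Evidence Scale: assumed bucket


# Assumed catalogue. The page lists these recovery methods but gives no
# point values or tiers; the numbers here are illustrative only.
METHODS = {
    "secret_question": Method("answer a secret question", 1, Tier.WEAK),
    "old_password":    Method("supply a previously used password", 2, Tier.WEAK),
    "trustee":         Method("trustee vouches (social authentication)", 2, Tier.MEDIUM),
    "printed_secret":  Method("printed shared secret kept in a safe place", 3, Tier.MEDIUM),
    "sms_code":        Method("code sent by SMS to registered phone", 4, Tier.STRONG),
}

PASS_MARK = 5  # assumed total needed to "pass the exam"


def _validate(available):
    """Deduplicate (one question answered twice is one piece of evidence) and reject unknown names."""
    evidence = set(available)
    unknown = evidence - set(METHODS)
    if unknown:
        raise ValueError(f"unknown recovery method(s): {sorted(unknown)}")
    return evidence


def exam_score(available):
    """Total points for the Exam metaphor."""
    return sum(METHODS[m].points for m in _validate(available))


def exam_passes(available):
    return exam_score(available) >= PASS_MARK


def evidence_scale_passes(available):
    """Evidence Scale rules as the page states them: one Strong piece plus any
    other piece, or two Medium pieces. The page says "etc."; no further
    rules are assumed here."""
    tiers = [METHODS[m].tier for m in _validate(available)]
    if Tier.STRONG in tiers and len(tiers) >= 2:
        return True
    return tiers.count(Tier.MEDIUM) >= 2


def disagreements(max_size=3):
    """Evidence sets (up to max_size methods) on which the two metaphors
    give different verdicts. A non-empty result means the point table and
    the tier rules do not encode the same policy."""
    out = []
    for k in range(1, max_size + 1):
        for combo in combinations(sorted(METHODS), k):
            if exam_passes(combo) != evidence_scale_passes(combo):
                out.append(combo)
    return out


if __name__ == "__main__":
    # Constructed scenario: Jane can answer one secret question and receive an SMS.
    jane = ["secret_question", "sms_code"]
    print("Exam:", exam_score(jane), "points ->", exam_passes(jane))
    print("Evidence Scale ->", evidence_scale_passes(jane))
    for combo in disagreements():
        print("metaphors disagree on", combo)
```

With these assumed numbers the two encodings agree on Jane's scenario, but `disagreements()` finds sets such as an old password plus a printed secret that reach the pass mark under the Exam metaphor while failing the Evidence Scale rules.  Whichever UI wins on comprehensibility, the policy behind it has to be calibrated so the points table and the tier rules admit exactly the same evidence sets; otherwise the screen the user understands is not the policy the server enforces.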

The study had eighteen participants, ten with college degrees and eight without.  Each participant was shown a series of screenshots depicting Live ID's default UI and the two proposed UIs, and was asked whether Jane Doe would be able to get back into her account given a stated set of information she had available.  The first comparison was the default Live ID UI vs. the Exam metaphor: participants were very confused by the Live ID UI, whereas the Exam metaphor was well understood.  The researchers then compared a Short Exam vs. a Long Exam, and surprisingly found that participants actually did better with the Long Exam.  Finally, they compared the Long Exam vs. the Evidence Scale, and found that the Exam was better understood than the Evidence Scale.