Knowledge-Based Authentication: Evaluating and Improving

Lead Research Organisation: University of Edinburgh
Department Name: Sch of Informatics

Abstract

Authentication is central to computer security and almost every use of computerised systems. With the explosion of online e-commerce, banking, social web sites and governmental services, the problem of finding secure, usable and efficient authentication systems is more acute than ever. The risks of security failure are obvious, and unusable or inefficient systems additionally risk loss of customers or overly expensive support services managing password recovery.

Despite the obvious importance of everyday authentication and the widespread adoption of improved mechanisms such as challenge questions, there is a surprising lack of underpinning published research for these methods. Comparative studies, measures of usability and recoverability costs, and scientifically justified guidelines for efficient implementation are all lacking.

This research proposes to understand and assess existing practice with authentication systems that use 'known information', such as challenge questions, and to make recommendations for improvement. We expect that the results will have a widespread impact across many sectors, both inside and outside of the UK.

The research will be undertaken by Principal Investigator Dr. David Aspinall of the University of Edinburgh, and Visiting Fellow Dr. Michael Just, who is the world leader in Knowledge-Based Authentication (KBA) and responsible for the KBA mechanism used in the Government of Canada's online e-government solution, serving 3 million accounts. We anticipate that the results of our research will contribute positively to the security and usability of many applications, both inside and outside of the UK.