When the Password Doesn't Work: Secondary Authentication for Websites
March/April 2011 (vol. 9 no. 2)
pp. 43-49
Robert W. Reeder, Microsoft Trustworthy Computing
Stuart Schechter, Microsoft Research
Nearly all websites today use passwords as the primary means of authenticating users. Because passwords can be lost or stolen, most websites also provide secondary authentication: a means to allow users unable to provide the correct password to regain access to their accounts. The consequences of failure, either falsely rejecting the account owner or falsely accepting an impostor, are significant. If the secondary authentication mechanism is the user's last resort, a false reject can mean permanent account loss. If the mechanism's resistance to false accepts isn't as strong as that of passwords, the secondary authentication mechanism becomes the weakest link and limits the account's security. The authors highlight results of prior work on secondary authentication mechanisms, emphasizing the larger problem of assembling an arsenal of mechanisms that can be customized to fit each user's security and reliability needs.


Index Terms:
authentication, passwords, password reset, security question, trustees
Robert W. Reeder, Stuart Schechter, "When the Password Doesn't Work: Secondary Authentication for Websites," IEEE Security & Privacy, vol. 9, no. 2, pp. 43-49, March-April 2011, doi:10.1109/MSP.2011.1