Security questions that websites use when you forget your password have a lot of problems: poor choice of question, answers that are easy for an attacker to guess, answers that are hard for the user to remember, and so on. All of this conspires to add another weak link to the already weak chain of end-user authentication.
There is an interesting alternative approach by Markus Jakobsson, Liu Yang, and Susanne Wetzel called "Preference based Authentication", and it works like this.
The user selects eight topics from a list of items such as Interests, Sports, Food and so on, and then categorizes each as "Like" or "Dislike". So you might "Like" Mexican food, Poetry, Knitting and "Sophie's Choice", and "Dislike" GMOs, Curry, Hockey, and Flying.
It strikes me that this would make the answer easier for the user to remember, and harder for an attacker to guess, than many of the questions on websites now.
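As an added example, not part of the original post or of the paper it cites, here is a small Python model of the scheme as described above: enrollment of eight like/dislike topics, an assumed verification step in which the user re-classifies the enrolled topics, and a calculation of how many blind guesses a tolerant match threshold lets through. The catalogue, the verification rule and the threshold are assumptions of this example, not the paper's protocol.

```python
import math

# Constructed catalogue of candidate topics; only the first eight are named in
# the post, the rest are filler added for this example.
CATALOGUE = [
    "Mexican food", "Poetry", "Knitting", "Sophie's Choice",
    "GMOs", "Curry", "Hockey", "Flying",
    "Jazz", "Camping", "Opera", "Sushi", "Chess", "Running", "Gardening", "Cycling",
]
N_TOPICS = 8  # the post: the user selects eight topics


def enroll(likes, dislikes):
    """Build the stored profile: eight distinct catalogue topics, each tagged like/dislike."""
    topics = list(likes) + list(dislikes)
    if len(topics) != N_TOPICS or len(set(topics)) != N_TOPICS:
        raise ValueError("exactly eight distinct topics are required")
    if any(t not in CATALOGUE for t in topics):
        raise ValueError("every topic must come from the catalogue")
    return {**{t: True for t in likes}, **{t: False for t in dislikes}}


def verify(profile, answers, threshold=N_TOPICS):
    """Assumed verification step (the post does not describe one): the user
    re-classifies each enrolled topic and passes when at least `threshold` of the
    eight match. A threshold below eight tolerates drifting preferences at the
    cost of accepting more answer vectors."""
    matches = sum(1 for topic, liked in profile.items() if answers.get(topic) == liked)
    return matches >= threshold


def accepted_vectors(threshold):
    """How many of the 2**8 possible like/dislike answer vectors pass at this threshold."""
    return sum(math.comb(N_TOPICS, k) for k in range(threshold, N_TOPICS + 1))


def guess_success_probability(threshold, attempts):
    """Chance that `attempts` blind guesses pass, in the worst case where the guesser
    already knows which eight topics were enrolled (true whenever the login page
    shows them, or the preferences are public). With only 256 answer vectors the
    scheme depends on rate limiting or lockout, not on the size of the answer space."""
    per_try = accepted_vectors(threshold) / 2 ** N_TOPICS
    return min(1.0, attempts * per_try)
```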
Hmm... is this really mathematically more challenging? It seems you're removing a somewhat-less-guessable answer and replacing it with a bunch of binary choices that are then more easily brute-forced, no?
Posted by: Ben | November 24, 2010 at 06:45 AM
Preferences change. Yesterday, my favorite color was blue; today, it's chartreuse. If I don't have a strong affinity to one or the other, will I remember when I see it again?
Posted by: JohnB | November 24, 2010 at 07:24 AM
At first I thought "great idea".
Seconds later I realised all of this information, and more, is available on questionnaires that people fill out and publicly display on their myspace, facebook etc.
So it fails for me on that basis.
Posted by: Ntcoding | November 26, 2010 at 05:46 AM