Sun, Xin (2024) A Comprehensive Analysis of Security Questions in Web Authentication. Masters thesis, Concordia University.
Sun_MASc_F2024.pdf (PDF, 5 MB) - Accepted Version. Restricted to Repository staff only until 1 January 2026. Available under License Spectrum Terms of Access.
Abstract
With the growing prevalence and sophistication of Internet services, user account security has become a critical concern. Security questions, widely adopted as a secondary authentication method, play a pivotal role in various online services. Although research on security questions has a long history, key gaps remain, particularly concerning user perceptions of security questions and the requirements websites impose for selecting and answering them. In this thesis, we address these gaps through a two-part study: (1) a comprehensive user survey (N = 292) that captures insights from a diverse and largely representative sample of the US population, and (2) an analysis of an extensive set of 26 security requirements across 73 websites, which also aims to uncover security practices and weaknesses in their authentication systems (e.g., answer length restrictions). Additionally, we gather and analyze common online security questions (1913 in total) across several dimensions, including memorability, consistency, applicability, confidentiality, and specificity.
Our findings reveal previously unreported user misconceptions, such as users believing that websites already possess the correct answers to personal security questions. We also find that many websites allow insecure practices, such as accepting single-character answers, offering a limited choice of questions, or allowing identical answers to multiple security questions. By addressing both user perceptions and website security requirements, we provide a comprehensive understanding of the weaknesses in current security question practices and contribute to the discourse on improving authentication methods.
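The website-side weaknesses named in the abstract (single-character answers, identical answers across several questions, a small pool of questions to choose from) are cheap to reject at the point where a user sets up their questions. The validator below is an added example written for this page, not code from the thesis or its authors; the thresholds MIN_ANSWER_LENGTH and MIN_QUESTION_POOL, the function names, and the sample questions and answers are assumptions constructed for illustration and are not values reported by the study.

```python
"""Added example: server-side policy check for security-question answers.

Illustrative code for this page, not the thesis's own implementation.
Thresholds and sample data below are assumptions chosen for demonstration.
"""
from __future__ import annotations

import unicodedata

MIN_ANSWER_LENGTH = 3   # assumption: reject one- and two-character answers
MIN_QUESTION_POOL = 5   # assumption: a smaller pool gives users too little choice


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer before it is compared or stored.

    NFKC folding, case folding and whitespace collapsing make "Main  Street"
    and "main street" compare equal. That helps the user reproduce the
    answer later (consistency) and stops trivial case or spacing changes
    from slipping past the duplicate check below.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def validate_answers(question_pool: list[str], chosen: dict[str, str]) -> list[str]:
    """Return policy violations for a user's chosen question/answer set.

    An empty list means the set is acceptable. Each string describes one
    problem: a question pool that is too small, an answer to an unknown
    question, an answer shorter than MIN_ANSWER_LENGTH after normalization,
    or an answer that duplicates the answer to another question.
    """
    problems: list[str] = []
    if len(question_pool) < MIN_QUESTION_POOL:
        problems.append(
            f"question pool too small: {len(question_pool)} < {MIN_QUESTION_POOL}"
        )
    seen: dict[str, str] = {}   # normalized answer -> question it was given for
    for question, answer in chosen.items():
        if question not in question_pool:
            problems.append(f"unknown question: {question!r}")
            continue
        norm = normalize_answer(answer)
        if len(norm) < MIN_ANSWER_LENGTH:
            problems.append(f"answer to {question!r} is too short ({len(norm)} chars)")
        if norm in seen:
            problems.append(f"answer to {question!r} duplicates answer to {seen[norm]!r}")
        else:
            seen[norm] = question
    return problems


# Constructed sample data (assumption, not taken from the thesis).
SAMPLE_POOL = [
    "What was the name of your first pet?",
    "What street did you grow up on?",
    "What is your mother's maiden name?",
    "What was the make of your first car?",
    "In what city were you born?",
]

# A weak set: a one-character answer and the same answer reused twice.
WEAK_CHOICE = {
    SAMPLE_POOL[0]: "a",
    SAMPLE_POOL[1]: "Fluffy",
    SAMPLE_POOL[2]: "fluffy ",
}

# An acceptable set: three distinct answers of sufficient length.
GOOD_CHOICE = {
    SAMPLE_POOL[0]: "Fluffy",
    SAMPLE_POOL[1]: "Main Street",
    SAMPLE_POOL[2]: "Okonkwo",
}


def main() -> None:
    for label, choice in (("weak", WEAK_CHOICE), ("good", GOOD_CHOICE)):
        problems = validate_answers(SAMPLE_POOL, choice)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)


if __name__ == "__main__":
    main()
```

Running the block reports two problems for the weak set (the single-character answer and the duplicate, caught despite the trailing space and different capitalization) and none for the good set. Normalizing before the duplicate check is the important design point: without it, a site would accept "Fluffy" and "fluffy " as distinct answers while an attacker who learns one has effectively learned both.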
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
Item Type: | Thesis (Masters) |
Authors: | Sun, Xin |
Institution: | Concordia University |
Degree Name: | M.A. Sc. |
Program: | Information Systems Security |
Date: | 4 December 2024 |
Thesis Supervisor(s): | Mannan, Mohammad and Youssef, Amr |
ID Code: | 994852 |
Deposited By: | Xin Sun |
Deposited On: | 17 Jun 2025 17:26 |
Last Modified: | 17 Jun 2025 17:26 |