Building robust authentication systems with activity-based personal questions

2009 
A recent study found that the secret questions widely used for Web authentication can easily be guessed. That study focused on making secret questions easier for the user to remember and harder for others to break. Our approach is authentication through the use of an individual's personal and dynamic Internet activities. We hypothesize that frequently-changing secret questions will be hard for attackers to guess. We propose three major categories of questions based on user activities: network activities (e.g., browsing history, emails); physical events (e.g., planned meetings, calendar items); and conceptual opinions (e.g., opinions as derived from browsing, emails). Our preliminary results are encouraging and show that this new direction is promising. To improve the usability, in particular the non-intrusiveness, of such a dynamic secret-question system, we also describe a concrete client-server architecture and security model for automating our authentication systems using existing artificial intelligence techniques.