That's Not Me! Designing Fictitious Profiles to Answer Security Questions
Nicholas Micallef, Nalin Asanka Gamagedara Arachchilage

TL;DR
This paper explores designing customizable fictitious profiles to improve the usability and security of security questions, addressing current limitations by empirically investigating user preferences and system requirements.
Contribution
It identifies key elements influencing fictitious profile design and suggests enhancements for security questions to better support these profiles.
Findings
Users prefer to customize profiles to be relatable and memorable.
Security questions need to be adapted for fictitious profile use.
Empirical insights from 20 structured interviews.
Abstract
Although security questions are still widely adopted, they still have several limitations. Previous research found that using system-generated information to answer security questions could be more secure than users' own answers. However, using system-generated information has usability limitations. To improve usability, previous research proposed the design of system-generated fictitious profiles. The information from these profiles would be used to answer security questions. However, no research has studied the elements that could influence the design of fictitious profiles or systems that use them to answer security questions. To address this research gap, we conducted an empirical investigation through 20 structured interviews. Our main findings revealed that to improve the design of fictitious profiles, users should be given the option to configure the profiles to make them…
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Privacy, Security, and Data Protection
