Preference and Question Based Security
Gunnar Peterson has a short posting about a different way of verifying user identity. We are all familiar with The Security Question†, which I and others have written about before, as well as some possible ways to enhance that method.††
But what Jakobsson, Yang, and Wetzel call “Preference based Authentication” goes a bit farther, but perhaps not as deep. I’ve only skimmed some sections so maybe there *is* depth here after all. It looks very good. I can’t wait to tear into it this evening.
† “What is your mother’s maiden name” will get you smacked with a medium-sized trout, unless your answer is amusing and cheeky, like “She Who Must Not Be Named” or similar geek fare.
†† I have suggested answering questions in a non-sequitur-ist manner, e.g. “What is your favorite color?” can be answered with “Herringbone” or “Houndstooth” and “Do you expect me to talk?” can be answered with “No Mr. Bond, I expect you to die. HAHahahaha.” These depend on whether you must answer a set list of questions, or if you can enter your own questions. Usefulness decreases severely if the authentication mechanism lets the actor choose the answer from a list, rather than enter a response. (Think the Sesame Street children’s program… ‘One of these things is not like the others, one of these things does not belong…’)
