New results on the backup authentication problem

Stuart Schechter


When a user forgets the password to a website account, she can use a backup authentication mechanism -- such as a 'secret' question or an alternate email address -- to regain access, or at least try to do so. I'll discuss new usability results related to backup authentication. I'll start by presenting results from a study in which we measured the security and reliability of authentication via 'secret' questions. I'll then present a new backup authentication mechanism in which users rely on previously-selected trustees to help authenticate them. We examined the security of this approach by exposing trustees, who were unaware that they were participating in a study, to simulated attacks. As we expect more backup authentication options to be made available to users in the future, I'll present early results on efforts to help users understand how these options might work together. This work is joint research with A.J. Bernheim Brush (Microsoft Research), Serge Egelman (CMU), and Rob Reeder (Microsoft).


Stuart Schechter is a man of few accomplishments and so, the reluctant reader should be pleased to hear, his biography is correspondingly short. Stuart has worked on systems security and security economics, and has spent the last few years developing and applying new methodologies for measuring users' security behavior. Since joining Microsoft Research, Stuart has focused on building and measuring the efficacy of new mechanisms for backup authentication and on projects that simplify and streamline permissioning. Stuart received his B.S. from Ohio State, Ph.D. from Harvard's School of Engineering and Applied Sciences, and previously worked at MIT Lincoln Laboratory.

Time and Place

May 22 2009 (Friday) at 1600 hrs
Gates 4B (opposite 490)