Automatic Generation of Authentication Questions from Private Messages

by Ming Li, Keishi Tajima


In this paper, we propose a method for automatically generating authentication questions in social network services (SNSs) and mail account services. When a malicious user obtains a password of some SNS or mail account, the malicious user can access private messages posted/sent to or from the account, and also messages posted in closed SNS groups the account participates in. In order to prevent it, many systems pose additional questions when a suspicious user tries to login to an account or try to access messages in a closed group. Our method automatically generates such authentication questions for an account or group by using the messages in that account or group. Our method shows one of the messages with substituting one noun with a blank, and ask the accessing user what word was there. To detect fake users, we need to select a noun that is sufficiently difficult for fake users to infer based on general knowledge and information on the Web. We select a noun based on two factors. First, for each candidate noun, we compute its co-occurrence degrees on the Web with other words in the same message. If a noun has high co-occurrence degrees with other words in the message, the noun is probably easy for fake users to infer. Second, our system collects coordinate terms (co-hyponyms) of each candidate noun, and calculate the same co-occurrence degrees of them. If there are coordinate terms that have higher co-occurrence degrees than a candidate noun, we expect that the noun is difficult for fake users to infer because those coordinate terms seem to them more likely to be the answer. We developed four methods of noun selection based on these two factors. Our preliminary experiment shows that the former factor produces more difficult questions than the latter, but it often produces questions that are too difficult even for authentic users.

Full Text: pdf

Slides: pdf

BibTex entry


social network service; SNS; mail account; knowledge-based authentication; KBA
Published in Proc. of IEEE/WIC/ACM WI, pp.505-510, Singapore, 2015

tajima@i.kyoto-u.ac.jp / Fax: +81(Japan) 75-753-5978 / Office: Research Bldg. #7, room 404