Automatic Generation of Authentication Questions from Private Messages
by Ming Li, Keishi Tajima
Abstract
In this paper, we propose a method for automatically generating
authentication questions in social network services (SNSs) and mail
account services. When a malicious user obtains the password of an
SNS or mail account, that user can access private messages
posted/sent to or from the account, and also messages posted in closed
SNS groups the account participates in. To prevent this, many
systems pose additional questions when a suspicious user tries to
log in to an account or to access messages in a closed group. Our
method automatically generates such authentication questions for an
account or group by using the messages in that account or group. Our
method shows one of the messages with one noun replaced by a
blank, and asks the accessing user what word was there. To detect fake
users, we need to select a noun that is sufficiently difficult for
fake users to infer based on general knowledge and information on the
Web. We select a noun based on two factors. First, for each
candidate noun, we compute its co-occurrence degrees on the Web with
other words in the same message. If a noun has high co-occurrence
degrees with other words in the message, the noun is probably easy for
fake users to infer. Second, our system collects coordinate terms
(co-hyponyms) of each candidate noun, and calculates the same
co-occurrence degrees for them. If there are coordinate terms that
have higher co-occurrence degrees than a candidate noun, we expect
that the noun is difficult for fake users to infer because those
coordinate terms seem to them more likely to be the answer. We
developed four methods of noun selection based on these two factors.
Our preliminary experiment shows that the former factor produces more
difficult questions than the latter, but it often produces questions
that are too difficult even for authentic users.
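
The two selection factors described above, as an added sketch that is not the authors' code and does not reproduce their four methods. Assumptions: co-occurrence is measured with the Jaccard coefficient over a tiny constructed stand-in for Web documents, and the message, candidate nouns, coordinate-term lists and all function names are constructed for illustration.

```python
# Constructed stand-in for Web documents; each document is a set of words.
WEB_DOCS = [
    {"dinner", "restaurant", "sushi"},
    {"dinner", "restaurant", "sushi", "friday"},
    {"dinner", "restaurant", "pizza"},
    {"karaoke", "friday"},
    {"bowling", "friday", "dinner"},
    {"bowling", "friday"},
    {"pizza", "dinner", "friday"},
]
# Constructed message (content words only) and its candidate nouns.
MESSAGE_WORDS = ["dinner", "friday", "restaurant", "sushi", "karaoke"]
CANDIDATE_NOUNS = ["sushi", "karaoke"]
# Constructed coordinate terms (co-hyponyms) for each candidate.
COORDINATE_TERMS = {"sushi": ["pizza", "ramen"], "karaoke": ["bowling", "darts"]}

def docs_with(word):
    return {i for i, doc in enumerate(WEB_DOCS) if word in doc}

def jaccard(a, b):
    """Assumed co-occurrence measure: shared documents / documents with either."""
    da, db = docs_with(a), docs_with(b)
    union = da | db
    return len(da & db) / len(union) if union else 0.0

def context_of(noun):
    return [w for w in MESSAGE_WORDS if w != noun]

def cooccurrence_degree(word, context):
    """Mean co-occurrence of `word` with the other words of the message."""
    return sum(jaccard(word, c) for c in context) / len(context)

def stronger_distractors(noun):
    """Factor 2: coordinate terms that fit the context better than `noun`."""
    ctx = context_of(noun)
    own = cooccurrence_degree(noun, ctx)
    return [t for t in COORDINATE_TERMS.get(noun, [])
            if cooccurrence_degree(t, ctx) > own]

def select_by_cooccurrence():
    """Factor 1: blank the noun that is least predictable from its context."""
    return min(CANDIDATE_NOUNS,
               key=lambda n: cooccurrence_degree(n, context_of(n)))

def select_by_distractors():
    """Factor 2: blank the noun with the most better-fitting coordinate terms."""
    return max(CANDIDATE_NOUNS, key=lambda n: len(stronger_distractors(n)))

if __name__ == "__main__":
    for n in CANDIDATE_NOUNS:
        print(n, round(cooccurrence_degree(n, context_of(n)), 3),
              stronger_distractors(n))
    print(select_by_cooccurrence(), select_by_distractors())
```

On this constructed data both factors choose the same noun to blank; with real Web counts the two rankings can differ, which is the trade-off the abstract reports.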