Understanding users’ perceptions to improve fallback authentication
Personal and Ubiquitous Computing (IF 3.006), Pub Date: 2021-05-23, DOI: 10.1007/s00779-021-01571-y
Nicholas Micallef, Nalin Asanka Gamagedara Arachchilage

Despite receiving a lot of scrutiny and criticism, security questions are still widely adopted. Although new techniques are continuously being proposed to improve fallback authentication (i.e. security questions design), little research has investigated users’ security and memorability perceptions. Previous research found that users’ perceptions are important because they can impact the adoption of security techniques. Hence, this research contributes to security questions research by investigating (with a study of n = 30) how users select security questions, what strategies are used to memorize answers, how users perceive the security and memorability of their answers and how a technique which addresses key security weaknesses (but makes them less memorable) impacts users’ perceptions. Our key findings reveal that despite asking participants to select security questions for an online banking scenario, participants who answered security questions with their own answers did not consider security factors. Instead, they selected easy, truthful and certain answers. Memorization strategies were ignored by most participants (even those who used unfamiliar answers). We also found that a technique designed to address key security weaknesses seemed to inspire some kind of security awareness (but would still not be enough). Based on these findings, this paper provides recommendations to improve the design of security questions, strengthening fallback authentication mechanisms so that they are secure and usable.




Updated: 2021-05-23