RISK ANALYSIS OF THE DISCOVERABILITY OF PERSONAL DATA USED FOR PRIMARY AND SECONDARY AUTHENTICATION

Abstract

Personal data are frequently leveraged to create passwords for password based authentication systems. Personal data are also used in secondary authentication systems, particularly those based around a question and answer format. The use of personal data in authenticators is believed to be driven, to some degree, by usability. The antinomic proposition of usable system authentication, an easily remembered and usable scheme for the proper user which is simultaneously unknown and unusable to any other entity, historically proves to be an elusive goal. While alternative propositions for authentication protocols are numerous, lacking in literature is foundational work directly relating potential authenticators with the discoverability of personal data online. This dissertations investigates the discoverability of personal data, particularly whether another human is able to purposefully find particular personal data commonly used in authentication protocols. Between fifty and sixty participants provide search results for specific personal data regarding four additional participants. The four participants acted as a source for the personal data, consented to the web search and validated the accuracy of data supplied by the data seeking participants. Analyses of the results reveals consistent patterns in the personal data discovered. The results lay a foundation for the improvement of current authentication systems and provide a significant step in both methodology and recommendations to guide the development of alternatives with a goal towards the creation of usable, secure authentication systems. Furthermore, the results provide insight into the nature of privacy, user control of data and the availability of personal data on Web sources.