Codes v. People: A Comparative Usability Study of Two Password Recovery Mechanisms

  • Vlasta Stavova
  • Vashek Matyas
  • Mike Just
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9895)


Password recovery is a critical, and often overlooked, requirement of account management. Currently popular solutions, such as security questions and out-of-band communications, have recognized security and usability issues. In this paper we evaluate two alternate recovery solutions considered by our industrial partner, using backup codes and trusted people, in order to determine their suitability as a viable password recovery solution. In this paper we focus on the usability evaluation of these two representative recovery methods, and not on the specifics of their design – while our evaluation results do indirectly point to general design enhancements. Our study determined that participants felt that backup codes (implemented as a QR-code in our solution) offer levels of usability and security that are acceptable to users for securing their “ordinary” accounts. For accounts perceived to require more security (e.g., online banking) more security was preferred by participants, resulting in a preference for trusted party recovery compared to backup codes. Our results also suggest that further research and deployment considerations should be given to options for other methods of password recovery, such as backup codes and trusted parties (Full details and paper supplementary materials can be found at
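The abstract above evaluates backup codes as one of two recovery mechanisms. The following is an added illustration of what a server has to do to support such codes safely; it is not code from the paper or from the authors' industrial partner, and the function names, the 10-character alphabet and the PBKDF2 parameters are assumptions. The defensive points it demonstrates are the ones a practitioner would check in any backup-code design: the plaintext codes are shown to the user once and only salted hashes are stored, each code is single-use, and verification uses a constant-time comparison without early exit so a lookup does not leak which stored slot matched. Encoding the issued codes into a QR image, as the study did, is left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed design parameters (not from the paper): an alphabet without
# easily-confused glyphs (0/O, 1/I), 10 characters per code, PBKDF2-SHA256.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10
PBKDF2_ITERATIONS = 100_000


@dataclass
class BackupCodeStore:
    """Server-side record for one account: a per-account salt plus one
    hash per issued code and a used flag per code. No plaintext is kept."""
    salt: bytes
    hashes: List[bytes] = field(default_factory=list)
    used: List[bool] = field(default_factory=list)


def _normalise(code: str) -> str:
    # Accept "abcde-fghjk" or "ABCDEFGHJK": drop separators, ignore case.
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _hash_code(code: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked store cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac(
        "sha256", _normalise(code).encode("ascii"), salt, PBKDF2_ITERATIONS
    )


def _format(raw: str) -> str:
    # Group into 5-character chunks for easier transcription by the user.
    return "-".join(raw[i : i + 5] for i in range(0, len(raw), 5))


def issue_backup_codes(count: int = 10) -> Tuple[List[str], BackupCodeStore]:
    """Generate `count` single-use codes. Returns the plaintext list, which is
    shown to the user exactly once, and the hashed store kept by the server."""
    salt = secrets.token_bytes(16)
    plaintext = [
        "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        for _ in range(count)
    ]
    store = BackupCodeStore(
        salt=salt,
        hashes=[_hash_code(c, salt) for c in plaintext],
        used=[False] * count,
    )
    return [_format(c) for c in plaintext], store


def redeem_backup_code(store: BackupCodeStore, submitted: str) -> bool:
    """Return True and burn the code if `submitted` matches an unused code.
    Every stored hash is compared; the loop never exits early, so timing
    does not reveal the position of a match."""
    candidate = _hash_code(submitted, store.salt)
    matched = -1
    for i, stored in enumerate(store.hashes):
        if hmac.compare_digest(candidate, stored) and not store.used[i]:
            matched = i
    if matched < 0:
        return False
    store.used[matched] = True  # single-use: the same code cannot be replayed
    return True


def remaining(store: BackupCodeStore) -> int:
    """Number of codes still available, useful for prompting re-issue."""
    return store.used.count(False)


if __name__ == "__main__":
    codes, store = issue_backup_codes(5)
    print("Show these once to the user:", codes)
    print("first use:", redeem_backup_code(store, codes[0]))   # True
    print("replay:   ", redeem_backup_code(store, codes[0]))   # False
    print("remaining:", remaining(store))                       # 4
```

The per-account salt means one PBKDF2 computation per recovery attempt regardless of how many codes are stored, which keeps the constant-time scan cheap; rate limiting of recovery attempts, which the abstract does not discuss, would sit in front of `redeem_backup_code` in a deployment.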



The authors acknowledge the support of Masaryk University (MUNI/M/1052/2013). The authors would like to thank the Department of Social Studies for help with the data analysis.



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. Faculty of Informatics, Masaryk University, Brno, Czech Republic
  2. School of Mathematical and Computer Sciences, Heriot-Watt University, Edinburgh, UK
