
arxiv: 1907.00998 · v1 · pith:YXCBPILFnew · submitted 2019-07-01 · 💻 cs.HC · cs.CR

Geographical Security Questions for Fallback Authentication

Pith reviewed 2026-05-25 11:31 UTC · model grok-4.3

classification 💻 cs.HC cs.CR
keywords fallback authentication · security questions · geographical data · usability study · account recovery · authentication security

The pith

Geographical Security Questions using personal location memories give stronger protection for account fallback authentication than common alternatives.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper designs GeoSQ, an Android app that asks users questions drawn from their own past locations as a backup when primary login fails. A two-session lab study with 36 participants measured how well this resists guessing attacks compared with standard security questions, email resets, and SMS resets. Results showed higher security, though login took longer than the alternatives. If correct, this would reduce successful account takeovers that currently exploit weak fallback methods.

Core claim

GeoSQ exceeds the security of its counterparts, while its usability (specifically login time) has room for improvement.

What carries the argument

The GeoSQ system, which authenticates a user by asking autobiographical questions about that user's own past geographical locations.

If this is right

  • Fallback authentication would become harder for attackers to bypass without the user's personal location knowledge.
  • Accounts could stay secure even after primary credentials are lost or compromised.
  • Login time would need reduction before widespread adoption for daily use.
  • The method could be deployed on mobile devices where location history is readily available.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • GeoSQ might combine well with other signals such as device location at login time to further raise the bar.
  • Long-term memory of locations could degrade over years, requiring periodic updates to questions.
  • The approach might transfer to non-mobile platforms if users maintain location diaries.

Load-bearing premise

The two-session lab study with 36 participants accurately measures real-world security against determined attackers and everyday usability.

What would settle it

A real-world deployment where attackers successfully guess or obtain users' location answers at rates equal to or higher than traditional security questions.

Figures

Figures reproduced from arXiv: 1907.00998 by Alaadin Addas, Amirali Salehi-Abari, Julie Thorpe.

Figure 1: GeoSQ Interface; (a) Default map mode, users can set/remove markers and navigate …
Figure 2: ROC Graph for GeoSQ with varying thresholds (t). Note that t=10 and t=9 are not …
Figure 3: Login Time; (a) Average login time for GeoSQ for each question (n = …
Figure 4: Correct/incorrect responses by legitimate users; (a) total number of correct and incorrect …
Figure 5: GeoSQ Usability Likert Scale questions
Original abstract

Fallback authentication is the backup authentication method used when the primary authentication method (e.g., passwords, fingerprints, etc.) fails. Currently, widely-deployed fallback authentication methods (e.g., security questions, email resets, and SMS resets) suffer from documented security and usability flaws that threaten the security of accounts. These flaws motivate us to design and study Geographical Security Questions (GeoSQ), a system for fallback authentication. GeoSQ is an Android application that utilizes autobiographical location data for fallback authentication. We performed security and usability analyses of GeoSQ through an in-person two-session lab study (n=36, 18 pairs). Our results indicate that GeoSQ exceeds the security of its counterparts, while its usability (specifically login time) has room for improvement.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes Geographical Security Questions (GeoSQ), an Android app for fallback authentication that uses autobiographical location data. It reports results from an in-person two-session lab study (n=36, 18 pairs) claiming that GeoSQ provides better security than existing methods such as security questions while noting usability limitations, particularly longer login times.

Significance. If the security advantage holds under realistic conditions, GeoSQ could address documented weaknesses in deployed fallback mechanisms. The empirical user study provides direct evidence on both security and usability dimensions, which is a positive feature of the work.

major comments (2)
  1. [§4] §4 (User Study): The security evaluation models attackers as other study participants given limited time and no external information sources. This setup does not address determined adversaries who may use public records, social media, or repeated attempts, which directly undercuts the central claim that GeoSQ exceeds the security of counterparts.
  2. [Abstract, §5] Abstract and §5 (Results): The abstract states that GeoSQ exceeds counterpart security without reporting statistical details, effect sizes, attacker success rates, or exclusion criteria. The small sample (n=36) and lab setting limit the strength of the generalization to real-world security.
minor comments (2)
  1. Clarify the exact definition of 'counterparts' (e.g., which security questions or reset methods) and how they were implemented for comparison.
  2. Provide more detail on the location data collection process and any privacy safeguards in the GeoSQ implementation.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We address the two major comments below, proposing revisions to clarify limitations and improve reporting while maintaining the integrity of our lab-study findings.

Point-by-point responses
  1. Referee: [§4] §4 (User Study): The security evaluation models attackers as other study participants given limited time and no external information sources. This setup does not address determined adversaries who may use public records, social media, or repeated attempts, which directly undercuts the central claim that GeoSQ exceeds the security of counterparts.

    Authors: We acknowledge that our attacker model—limited to other participants with no external information and constrained time—is narrower than real-world determined adversaries. This is a recognized constraint of controlled lab studies in authentication research, enabling direct head-to-head comparison with counterparts under identical conditions. The results show GeoSQ outperforming in this setting. We will revise §4 and the discussion section to explicitly describe the attacker model, state its limitations, and qualify the security claims to avoid implying superiority against all possible attacks. revision: partial

  2. Referee: [Abstract, §5] Abstract and §5 (Results): The abstract states that GeoSQ exceeds counterpart security without reporting statistical details, effect sizes, attacker success rates, or exclusion criteria. The small sample (n=36) and lab setting limit the strength of the generalization to real-world security.

    Authors: We agree the abstract should be more precise. We will revise it to report attacker success rates, note the sample size (n=36), and reference the lab setting. The full results in §5 already contain success rates and comparisons; we will ensure effect sizes and any exclusion criteria are highlighted. We will also add an explicit limitations paragraph addressing the small sample and lab constraints on generalization. revision: yes

Circularity Check

0 steps flagged

Empirical user study with no derivation chain or fitted predictions

Full rationale

The paper reports results from a two-session in-person lab study (n=36) measuring security and usability of GeoSQ against counterparts. No equations, parameters, predictions, or first-principles derivations appear in the provided text. Claims rest on direct participant data rather than any self-referential construction, self-citation load-bearing step, or renaming of inputs as outputs. This is a standard empirical evaluation with no circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Empirical HCI/security study; no mathematical derivations, fitted parameters, axioms, or invented entities are described in the abstract.

pith-pipeline@v0.9.0 · 5649 in / 853 out tokens · 23258 ms · 2026-05-25T11:31:30.321235+00:00 · methodology

