This research provides interesting hints for researchers and educational institutions concerned with the security of online learning environments. The authors tackle the problem of impersonation via challenge questions, to find an approach that combines good usability and high security. The potential of image-based challenge questions is also investigated. The paper reports the results of two studies. In the first study, data to evaluate usability (efficiency, effectiveness, and memorability) was collected in a real online course of 70 students. In the second study, a simulation was conducted in which participants attempted impersonation.
From the first study, the main conclusion is that the algorithm used to evaluate answers has a strong impact on text-based questions, which are subject to spelling mistakes, syntactic variations, and other factors that lead to differences between the initial answers provided by the students and the answers given during authentication. Image-based questions eliminate these issues and lead to increased effectiveness, although a more relaxed evaluation algorithm for text-based questions also produces higher correct answer rates. Among image-based questions, recognition questions are more effective than recall questions.
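To make the effect of the evaluation algorithm concrete, the following added example (not the algorithm from the paper, which this summary does not specify) compares exact string equality with a relaxed matcher. The normalization steps, the edit-distance tolerance of one edit per five characters, and all sample answers are assumptions constructed for illustration.

```python
import re
import unicodedata

def normalize(answer: str) -> str:
    """Lowercase, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(text.split())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strict_match(enrolled: str, given: str) -> bool:
    """Accept only a byte-for-byte identical answer."""
    return enrolled == given

def relaxed_match(enrolled: str, given: str, chars_per_edit: int = 5) -> bool:
    """Accept after normalization if within one edit per `chars_per_edit` chars."""
    a, b = normalize(enrolled), normalize(given)
    if not a or not b:
        return False
    return edit_distance(a, b) <= max(len(a), len(b)) // chars_per_edit

# Constructed sample data: (enrolled answer, answer at authentication, who answered)
ATTEMPTS = [
    ("St. Mary's Primary School", "st marys primary school", "genuine"),
    ("Mississippi", "Missisippi", "genuine"),    # spelling mistake
    ("Café Müller", "cafe muller", "genuine"),   # accents dropped
    ("Smith", "Smyth", "impostor"),              # near-miss answer by someone else
    ("Rover", "Max", "impostor"),
]

def acceptance_counts(matcher) -> dict:
    """Count accepted attempts per answerer type for a given matcher."""
    counts = {"genuine": 0, "impostor": 0}
    for enrolled, given, kind in ATTEMPTS:
        counts[kind] += matcher(enrolled, given)
    return counts
```

On this constructed data the strict matcher rejects every genuine answer, while the relaxed matcher accepts all three but also accepts one short near-miss answer, so any tolerance should be tuned against answer length.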
The second study demonstrates that the success of the attack increases with the amount of information previously shared by the student, particularly if impersonators have direct access to this information during the authentication process. If correct answers have to be memorized by impersonators, increasing the number of challenge questions to be remembered has a positive effect on security.
It was interesting to learn that challenge questions are insufficient to avoid impersonation unless the online examination is monitored or the time to answer questions is restricted (to limit the capability to search for the correct answer). Further research is also suggested on finding ways to minimize the ability to share credentials.