1 Introduction
- examine the usability of text-based and image-based questions in a real online learning course;
- examine the effect of sharing different numbers of challenge questions during an impersonation attack, using varying database sizes;
- examine the effect of using memory, printed and electronic sources when answering challenge questions during impersonation.
2 Background and related work
2.1 Academic dishonesty and collusion
- Impersonation (operated by a third-party impersonator): This attack occurs when a student invites a third-party helper to impersonate him or her and take an online test on his or her behalf. Impersonation can happen in the ways described below:
  - Email (asynchronous): A student shares access credentials with a third-party impersonator via email, asynchronously, when the two are unable to interact in real time during an online examination because locking and monitoring mechanisms are in place (Kitahara et al. 2011).
  - Smart phone (real time): Students are authenticated using a dynamic mechanism, e.g. a code texted to a mobile phone in real time. To circumvent this security, a student and a third party share access credentials in real time via instant messaging or telephony, e.g. Skype, Viber, WhatsApp, phone calls or SMS (Church and De Oliveira 2013).
  - Remote desktop sharing: A student logs in to an online test and shares his or her screen with a remote impersonator.
- Abetting (operated by a student aided by a third party): A student takes an online test while a third-party helper supplies answers. This attack can happen in the ways described below:
  - Same location: A student takes a test while a third party based in the same location helps to solve the exam questions (Rowe 2004).
-
2.2 Authentication approaches
- Accessibility: The method should be usable and accessible by a wide range of online participants using standard input devices. This frees users from needing access to special-purpose devices that can limit implementation. Advances in mobile technology increase the demand for accessible authentication approaches.
- Cost effectiveness: A cost-effective approach is essential; this factor covers the cost of development, implementation and maintenance. Bailie and Jortberg (2009) state that cost is an important consideration for technical and academic professionals when designing identity verification.
- Security: The method should provide adequate protection for online examinations against the identified threats.
- Usability: Security mechanisms can only offer the intended protection if they are usable, so it is important to ensure that a method is reliable in terms of usability. This factor describes the ability of an authentication mechanism to meet usability standards. The common attributes defined by the International Organization for Standardization (ISO 9241-11 1998) that contribute to usability include efficiency and effectiveness.
2.2.1 Knowledge-based authentication
2.3 Challenge question authentication
2.3.1 Previous research
| S. no | Study | Efficiency (usability) | Effectiveness (usability) | Guessing (security) |
|---|---|---|---|---|
| 1 | | NA | 70–74% | 33–39% |
| 2 | Just and Aspinall (2009c) | NA | 82% | 8.3% Low |
| 3 | Just and Aspinall (2009a) | NA | 75% | 46% Low |
| 4 | Schechter et al. (2009) | NA | 80% | 10–13% |
| 5 | Ullah et al. (2014a) | 15.7 s | 58–76% | 12%/29% |
| 6 | Bailie and Jortberg (2009) | NA | 92% | NA |
| 7 | Renaud and Just (2010) | NA | 68% | NA |
| 8 | Renaud and Just (2010) | NA | 77% | 38% |
| 9 | Babic et al. (2009) | 0 s | 2.23 (1–3) | NA |
| 10 | Ullah et al. (2015) | 0 s | 68% | NA |
- Questions with clarity, relevance and ambiguity issues were less usable; this influenced efficiency, effectiveness and memorability.
- Weak question design could lead to successful guessing.
2.4 Multiple-choice image-based questions
- Recall image-based questions: Recall is the ability to remember items without assistance. Shepard (1967) indicates that humans are better at recalling images than words, which is driven by the "picture superiority effect". This system requires a user to recall and select their previously chosen images.
- Recognition image-based questions: These rely upon an individual's ability to judge whether he or she has seen or selected an image before. The approach has been used in various studies by asking users to select previously chosen images from a larger set containing distraction images (Brostoff and Sasse 2000; Hayashi et al. 2011; Ullah et al. 2015).
- Cued recall image-based questions: This approach relies upon an individual's ability to recall an image; however, it is aided by a cue that stimulates recollection of a previous selection (Hayashi et al. 2011). It can be implemented using text-based information stored by a user (Rabkin 2008) or automated cues created programmatically (Wiedenbeck et al. 2005).
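To make the recognition mechanism concrete, the sketch below shows one way such a question could be assembled: the user's previously chosen image is mixed with randomly sampled distraction images. This is only an illustration under stated assumptions; the function name, image pool and option count are hypothetical, not the implementation used in the studies cited above.

```python
import random

def build_recognition_question(chosen_image, image_pool, options=4, rng=None):
    """Illustrative sketch (not the studies' actual implementation): present
    the user's previously chosen image among randomly drawn distractors."""
    rng = rng or random.Random()
    # Draw distraction images from the pool, excluding the target image.
    distractors = rng.sample(
        [img for img in image_pool if img != chosen_image], options - 1)
    choices = distractors + [chosen_image]
    rng.shuffle(choices)  # so the target's position gives nothing away
    return choices

# Hypothetical image pool; the filenames are placeholders.
pool = ["fish.png", "flower.png", "deer.png", "bird.png", "pen.png", "book.png"]
print(build_recognition_question("deer.png", pool))
```

Authentication then succeeds only if the user picks the one image he or she originally chose, which is exactly the recognition judgement described above.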
3 Research methodology
3.1 Study phase – I usability evaluation
3.1.1 Usability test approach (methodology)
- Efficiency: A usability metric defined by ISO, which can be evaluated by measuring the completion time of each task and sub-task separately (Seffah et al. 2001). A system is considered efficient if users can complete tasks in a reasonable time. In the context of this work, challenge question completion time is measured to compute the efficiency of the proposed approach.
- Effectiveness: An important usability factor indicating the degree of completeness with which users achieve a specified task in a given context (Seffah et al. 2001). The effectiveness of questions was analyzed from the numbers of correct and incorrect answers to challenge questions, in order to report authentication-task completion and error rate.
- Recall or memorability: An answer is classified as memorable if it can be easily recalled (Just 2004). In the context of this work, memorability was evaluated from the answers recalled during the authentication process. If a user's answer did not completely match a previously registered answer, it was treated as a recall (memorability) failure.
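The effectiveness results later in this paper score answers with both an "equality" (exact-match) algorithm and a "relaxed" algorithm that forgives syntactic variation. The paper does not specify the relaxed rule precisely, so the sketch below assumes a simple normalization of case, punctuation and whitespace, purely for illustration:

```python
import re

def strict_match(given: str, registered: str) -> bool:
    # Equality algorithm: any syntactic variation counts as a failure.
    return given == registered

def relaxed_match(given: str, registered: str) -> bool:
    # Hypothetical relaxation: ignore case, punctuation and extra whitespace,
    # so purely syntactic variations are not counted as recall failures.
    def norm(s):
        return re.sub(r"[^a-z0-9 ]", "", s.lower()).split()
    return norm(given) == norm(registered)

print(strict_match("St. Mary's", "st marys"))   # False: syntactic variation
print(relaxed_match("St. Mary's", "st marys"))  # True
```

Under a scheme like this, a mismatch that survives the relaxed check can be attributed to genuine recall failure rather than to spelling or formatting differences, which is the distinction the failure-reason columns of the effectiveness table draw.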
3.1.2 Usability testing using an online course (process)
- Questions design: Questions reported with usability and security issues in a previous study (Ullah et al. 2014a) were replaced with alternatives, with careful design consideration given to reducing ambiguity and clarity issues. Text-based and image-based questions were classified into five themes: academic, favourite, personal, date and image. Image-based questions were further classified into recall and recognition questions, as shown in Fig. 2. Text-based questions were based on the most common types implemented by leading email providers for credential recovery; for example, AOL utilizes favourite and personal questions, Google uses a small set of personal questions, and Microsoft and Yahoo implement a combination of personal and favourite questions (Schechter et al. 2009). As shown in Fig. 2, recall image questions were presented as multiple-choice questions, and students were required to choose an answer during the learning process, which was later used for authentication during the examination. Recognition image questions were also presented as multiple-choice questions; however, a student was required to identify his or her previously chosen image, which was presented among multiple distraction images.
- Course setup: An online course in PHP and MySQL was set up and deployed in the MOODLE Learning Management System (LMS) on a remote web server. The course contents were released on a daily basis to engage participants and increase their interest and number of visits. A weekly online multiple-choice question (MCQ) quiz was set up as a summative online examination. Participants were advised to invest 10 h of weekly learning effort over 25 days spanning 5 weeks.
- Participants recruitment: An earlier study was conducted in a simulation environment; however, to understand the usability attributes in a real situation, an online course was organized and offered free of cost on the University of Hertfordshire online portal to attract students already enrolled on other distance learning courses. Participants were required to have basic programming knowledge in order to enroll, and 70 students were recruited. The distribution of participants was not uniform across countries and cities, but there was good representation from a diverse group of students from 9 countries. Of the 70 students, 50 (71%) were from the United Kingdom, 11 (16%) from Pakistan, 2 (3%) each from Malta and Nigeria, and 1 (1%) each from Ireland, Greece, India, Trinidad and Tobago, and Togo. One disadvantage of this distribution is the difficulty of drawing conclusions from the characteristics of the sample population; however, the study was directed at a specific user group involved in distance learning.
- Student registration: Guidance notes and an enrolment key for registration were emailed to all participating students. Registration was a standard MOODLE sign-up process, which was essential to create login credentials for accessing the course. Upon successful registration, students received their login identifier and password.
- Online learning, weeks 1–5: The course was presented over a period of 5 weeks. To collect data for the evaluation of usability and security, transactional information, including the completion time of profile questions and the results of challenge question authentication, was stored in a database.
- Examination, weeks 1–5 quizzes: The online course contained 5 quizzes, released weekly towards the end of each week. Only students completing the quizzes were able to continue their study. Students were authenticated against the individual profiles recorded earlier.
3.2 Study phase – II collusion abuse case
3.2.1 Risk based security assessment (methodology)
- Identify functions: The focus of challenge question authentication in this study was the security of online examinations; therefore, the weekly quizzes in the online course were identified as the secure assets.
- Identify risks: The ISO definition of risk is the "probability of occurrence of harm and its effect on objectives" (Purdy 2010). The security test in this study focused on the risk of collusion attacks when challenge question authentication is implemented.
- Identify abuse case: A collusion abuse case scenario was created and simulated using a web-based application in order to evaluate the security of the challenge questions approach, as described later in this study.
3.2.2 Abuse case scenario simulation (process)
- Designing challenge questions: A total of 50 text-based challenge questions were created to simulate an impersonation abuse case scenario. A subset of these questions was implemented in Phase I of this research; the number of questions was increased for better results.
- Online simulation databases: An online challenge question database and web-based application were set up to simulate impersonation. The 50 challenge questions designed above were uploaded to the web-based database application, which was hosted on a web server and configured with three different database sizes, i.e. 20, 30, and 50 questions.
- Participants recruitment: A total of 15 participants from five institutions, i.e. the University of Hertfordshire, Southampton University, Cardiff University, the University of South Wales and the Institute of Management Sciences Pakistan, volunteered to take part in the simulated abuse case tests. Although this represents a small sample size, security testing is a specialist task; therefore, researchers involved in computer science were invited to collaborate. The participants were asked to help simulate the impersonation attack and to make a genuine effort to test the security of the challenge questions approach.
- Simulated abuse case scenario: The following collusion abuse case scenario was simulated, sharing different numbers of questions across different database sizes:
"A student is registered on an online course. The course uses the challenge questions approach for authentication of students in online examinations. The student is due to take his or her final semester online test. He or she wants to boost his or her grades and recruits a third party to impersonate him or her and take the test. However, to satisfy the challenge questions authentication, the student is required to share his or her challenge questions and answers with the third-party helper in order to enable the impersonation. The third-party helper would use the shared information to answer the randomly presented challenge questions for authentication."
Given the above scenario, this study simulated the sharing arrangements below on database sizes containing 20, 30, and 50 questions. Different numbers of profile questions and answers were shared, as shown in Table 2:
| Sharing scenario | Description |
|---|---|
| Database size (50) | |
| 1) 0 (no sharing) | A student is unable to share any questions with a third-party impersonator. In an attempt to impersonate and access the online examination, the third-party helper uses random guessing to answer the challenge questions. This attack was simulated on the largest database size (50). |
| Database size (20) | |
| 2) Share 8 questions | A student shares 8 of the 20 questions and answers in his or her database with a third-party impersonator. |
| 3) Share 12 questions | A student shares 12 of the 20 questions and answers in his or her database with a third-party impersonator. |
| 4) Share 20 questions | A student shares all 20 questions and answers in his or her database with a third-party impersonator. |
| Database size (30) | |
| 5) Share 12 questions | A student shares 12 of the 30 questions and answers in his or her database with a third-party impersonator. |
| 6) Share 18 questions | A student shares 18 of the 30 questions and answers in his or her database with a third-party impersonator. |
| 7) Share 30 questions | A student shares all 30 questions and answers in his or her database with a third-party impersonator. |
| Database size (50) | |
| 8) Share 20 questions | A student shares 20 of the 50 questions and answers in his or her database with a third-party impersonator. |
| 9) Share 30 questions | A student shares 30 of the 50 questions and answers in his or her database with a third-party impersonator. |
| 10) Share 50 questions | A student shares all 50 questions and answers in his or her database with a third-party impersonator. |
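A theoretical baseline for these sharing scenarios can be sketched with the hypergeometric distribution, assuming the authentication step draws its challenge questions uniformly at random without replacement from the database. The paper's results tables report n = 5 answers per participant per sharing condition, so 5 presented questions is assumed here; this is an illustrative model, not the authors' analysis:

```python
from math import comb

def expected_known(db_size: int, shared: int, presented: int = 5) -> float:
    # Expected number of presented questions the impersonator can answer,
    # assuming uniform random draws without replacement from the database
    # (hypergeometric expectation: presented * shared / db_size).
    return presented * shared / db_size

def p_all_known(db_size: int, shared: int, presented: int = 5) -> float:
    # Probability that every presented question falls in the shared subset.
    return comb(shared, presented) / comb(db_size, presented)

for db, s in [(20, 8), (20, 12), (20, 20), (30, 12), (30, 18), (50, 20), (50, 30)]:
    print(f"db={db} shared={s}: "
          f"E[known]={expected_known(db, s):.1f}, "
          f"P(all 5 known)={p_all_known(db, s):.3f}")
```

Under this assumption, sharing 8 of 20 questions lets the impersonator expect to answer only 2 of 5 presented questions, and the chance of answering all five is well under 1%; full authentication success becomes certain only when the entire database is shared, which matches the pattern of 100% success in the full-sharing columns of the results tables below.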
4 Usability results and analysis
4.1 Efficiency
| Visit no. | Mean (s) | SD (s) | N = visitors |
|---|---|---|---|
| 1 | 74.87 | 59.48 | 70 |
| 2 | 62.28 | 61.77 | 60 |
| 3 | 53.22 | 63.52 | 54 |
| 4 | 43.26 | 47.92 | 50 |
| 5 | 32.07 | 15.13 | 44 |
| 6 | 45.18 | 41.37 | 40 |
| 7 | 43.05 | 38.15 | 38 |
| 8 | 44.42 | 41.98 | 38 |
| 9 | 46.11 | 34.20 | 35 |
| 10 | 47.32 | 38.84 | 34 |
| 11 | 37.93 | 23.43 | 29 |
| 12 | 43.50 | 30.18 | 24 |
| 13 | 42.50 | 67.65 | 23 |
| 14 | 40.57 | 31.08 | 19 |
| Overall | 49.59 | 47.13 | 558 |
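As a quick arithmetic check (not part of the original analysis), the overall mean of 49.59 s is reproduced, up to rounding, by the visitor-weighted mean of the 14 per-visit means:

```python
# Per-visit mean completion times (s) and visitor counts from the table above.
means = [74.87, 62.28, 53.22, 43.26, 32.07, 45.18, 43.05,
         44.42, 46.11, 47.32, 37.93, 43.50, 42.50, 40.57]
counts = [70, 60, 54, 50, 44, 40, 38, 38, 35, 34, 29, 24, 23, 19]

total_visits = sum(counts)  # total authentication attempts
weighted_mean = sum(m * n for m, n in zip(means, counts)) / total_visits

print(total_visits)             # 558
print(round(weighted_mean, 2))  # 49.59
```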
4.2 Effectiveness of text-based questions
| Question theme | Equality algorithm: correct/incorrect N (%) | Failure reason: syntactic variation | Failure reason: recall | Relaxed algorithm: correct/incorrect N (%) |
|---|---|---|---|---|
| Academic | 117 (64%) / 67 (36%) | 15 (22%) | 52 (78%) | 130 (71%) / 54 (29%) |
| Favourite | 301 (65%) / 162 (35%) | 31 (19%) | 131 (81%) | 321 (69%) / 142 (31%) |
| Personal | 109 (66%) / 56 (34%) | 17 (30%) | 39 (70%) | 128 (78%) / 37 (22%) |
| Date | 56 (72%) / 22 (28%) | 21 (96%) | 1 (4%) | 77 (99%) / 1 (1%) |
| Total | 583 (66%) / 307 (34%) | 84 (27%) | 223 (73%) | 656 (74%) / 234 (26%) |
| Question description | Type | Correct/incorrect N (%) |
|---|---|---|
| Recall-based image questions | | |
| Pen | Object | 15 (79%) / 4 (21%) |
| Book | Object | 7 (70%) / 3 (30%) |
| Pen & inkpot | Object | 10 (63%) / 6 (38%) |
| Examination | Logo | 15 (100%) / 0 (0%) |
| Science | Logo | 18 (100%) / 0 (0%) |
| Online learning | Logo | 16 (94%) / 1 (6%) |
| Graduation | Logo | 24 (73%) / 9 (27%) |
| Internet security | Logo | 10 (53%) / 9 (47%) |
| Peace | Logo | 17 (89%) / 2 (11%) |
| Fish | Nature | 20 (100%) / 0 (0%) |
| Flower | Nature | 12 (86%) / 2 (14%) |
| Deer | Nature | 20 (77%) / 6 (23%) |
| Bird | Nature | 8 (62%) / 5 (38%) |
| Subtotal | | 192 (80%) / 47 (20%) |
| Recognition-based image questions | | |
| Select an image you've previously seen/chosen | Mixed | 197 (90%) / 21 (10%) |
| Subtotal | | 197 (90%) / 21 (10%) |
| Grand total | | 389 (85%) / 68 (15%) |
4.3 Effectiveness of image-based questions
4.4 Comparison of effectiveness between text-based and image-based questions
5 Security results and analysis
| P# | DB 50: 0 shared (n = 50) | DB 20: 8 shared (n = 5) | DB 20: 12 shared (n = 5) | DB 20: 20 shared (n = 5) | DB 30: 12 shared (n = 5) | DB 30: 18 shared (n = 5) | DB 30: 30 shared (n = 5) | DB 50: 20 shared (n = 5) | DB 50: 30 shared (n = 5) | DB 50: 50 shared (n = 5) |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 3 (6%) | 2 (40%) | 5 (100%) | 5 (100%) | 1 (20%) | 3 (60%) | 5 (100%) | 2 (40%) | 2 (40%) | 5 (100%) |
| 2 | 1 (2%) | 1 (20%) | 5 (100%) | 5 (100%) | 2 (40%) | 4 (80%) | 5 (100%) | 2 (40%) | 2 (40%) | 5 (100%) |
| 3 | 1 (2%) | 3 (60%) | 4 (80%) | 5 (100%) | 1 (20%) | 2 (40%) | 5 (100%) | 1 (20%) | 3 (60%) | 5 (100%) |
| 4 | 2 (4%) | 2 (40%) | 2 (40%) | 5 (100%) | 2 (40%) | 2 (40%) | 5 (100%) | 1 (20%) | 1 (20%) | 5 (100%) |
| 5 | 1 (2%) | 2 (40%) | 4 (80%) | 5 (100%) | 2 (40%) | 3 (60%) | 5 (100%) | 0 (0%) | 2 (40%) | 5 (100%) |
| 6 | 1 (2%) | 2 (40%) | 3 (60%) | 5 (100%) | 3 (60%) | 2 (40%) | 5 (100%) | 2 (40%) | 3 (60%) | 5 (100%) |
| 7 | 3 (6%) | 2 (40%) | 2 (40%) | 5 (100%) | 1 (20%) | 2 (40%) | 5 (100%) | 2 (40%) | 2 (40%) | 5 (100%) |
| 8 | 1 (2%) | 3 (60%) | 3 (60%) | 5 (100%) | 2 (40%) | 3 (60%) | 5 (100%) | 2 (40%) | 2 (40%) | 5 (100%) |
| 9 | 3 (6%) | 2 (40%) | 3 (60%) | 5 (100%) | 2 (40%) | 2 (40%) | 5 (100%) | 1 (20%) | 2 (40%) | 5 (100%) |
| 10 | 1 (2%) | 2 (40%) | 2 (40%) | 5 (100%) | 2 (40%) | 2 (40%) | 5 (100%) | 2 (40%) | 3 (60%) | 5 (100%) |
| Total | 17 (3%) | 21 (42%) | 33 (66%) | 50 (100%) | 18 (36%) | 25 (50%) | 50 (100%) | 15 (30%) | 22 (44%) | 50 (100%) |
| P# | DB 50: 0 shared (n = 50) | DB 20: 8 shared (n = 5) | DB 20: 12 shared (n = 5) | DB 20: 20 shared (n = 5) | DB 30: 12 shared (n = 5) | DB 30: 18 shared (n = 5) | DB 30: 30 shared (n = 5) | DB 50: 20 shared (n = 5) | DB 50: 30 shared (n = 5) | DB 50: 50 shared (n = 5) |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 (2%) | 2 (40%) | 3 (60%) | 2 (40%) | 2 (40%) | 0 (0%) | 4 (80%) | 1 (20%) | 1 (20%) | 3 (60%) |
| 2 | 1 (2%) | 2 (40%) | 2 (40%) | 1 (20%) | 1 (20%) | 1 (20%) | 2 (40%) | 2 (40%) | 2 (40%) | 1 (20%) |
| 3 | 0 (0%) | 1 (20%) | 2 (40%) | 3 (60%) | 1 (20%) | 3 (60%) | 2 (40%) | 2 (40%) | 3 (60%) | 3 (60%) |
| 4 | 2 (4%) | 2 (40%) | 1 (20%) | 1 (20%) | 2 (40%) | 1 (20%) | 2 (40%) | 2 (40%) | 2 (40%) | 2 (40%) |
| 5 | 3 (6%) | 2 (40%) | 3 (60%) | 2 (40%) | 1 (20%) | 4 (80%) | 2 (40%) | 2 (40%) | 3 (60%) | 3 (60%) |
| Total | 7 (2.8%) | 9 (36%) | 11 (44%) | 9 (36%) | 7 (28%) | 9 (36%) | 12 (48%) | 9 (36%) | 11 (44%) | 12 (48%) |
5.1 The effect of “number of questions shared” on impersonation
5.2 The effect of “database size” on impersonation attacks
| P# | Database (20) | Database (30) | Database (50) |
|---|---|---|---|
| 1 | 12 (80%) | 9 (60%) | 9 (60%) |
| 2 | 11 (73%) | 11 (73%) | 9 (60%) |
| 3 | 12 (80%) | 8 (53%) | 9 (60%) |
| 4 | 9 (60%) | 9 (60%) | 7 (47%) |
| 5 | 11 (73%) | 10 (67%) | 7 (47%) |
| 6 | 10 (67%) | 10 (67%) | 10 (67%) |
| 7 | 9 (60%) | 8 (53%) | 9 (60%) |
| 8 | 11 (73%) | 10 (67%) | 9 (60%) |
| 9 | 10 (67%) | 9 (60%) | 8 (53%) |
| 10 | 9 (60%) | 9 (60%) | 10 (67%) |
| Total | 104 (69%) | 93 (62%) | 87 (58%) |
5.3 The effect of answering challenge questions from memory
| P# | Database (20) | Database (30) | Database (50) |
|---|---|---|---|
| 1 | 7 (47%) | 6 (40%) | 5 (33%) |
| 2 | 5 (33%) | 4 (27%) | 5 (33%) |
| 3 | 6 (40%) | 6 (40%) | 8 (53%) |
| 4 | 4 (27%) | 5 (33%) | 6 (40%) |
| 5 | 7 (47%) | 7 (47%) | 8 (53%) |
| Total | 29 (39%) | 28 (37%) | 32 (43%) |