A Comparative Long-Term Study of Fallback Authentication Schemes

Fallback authentication, the process of re-establishing access to an account when the primary authenticator is unavailable, holds critical significance. Approaches range from secondary channels like email and SMS to personal knowledge questions (PKQs) and social authentication. A key difference to primary authentication is that the duration between enrollment and authentication can be much longer, typically months or years. However, few systems have been studied over extended timeframes, making it difficult to know how well these systems truly help users recover their accounts. We also lack meaningful comparisons of schemes as most prior work examined two mechanisms at most. We report the results of a long-term user study of the usability of fallback authentication over 18 months to provide a fair comparison of the four most commonly used fallback authentication methods. We show that users prefer email and SMS-based methods, while mechanisms based on PKQs and trustees lag regarding successful resets and convenience.


INTRODUCTION
Fallback authentication (also called account recovery, backup, emergency, or recovery authentication) is the mechanism for restoring access to an account if the primary authenticator becomes unavailable. It plays a central role in real-world account management, e.g., a study by Bonneau et al. showed that almost all account owners of the surveyed sample needed to reset their primary authenticator at least once [13]. Administrators have to deal with forgotten passwords and lost security tokens regularly [41,75,82], highlighting the need for usable mechanisms. Manual account recovery is usually a last resort as it comes at the highest cost for providers [23].
Fallback authentication creates another means by which an account can be accessed, so its security requirements are equivalent to those of primary authentication systems. Even if the primary mechanism is secure, a weak fallback can compromise the security of an account. For example, attackers have abused the password reset function to gain access to lucrative cryptocurrency wallets [24,63].
The most common fallback authentication mechanism is an emailed reset link sent to the user [53]. By clicking on the link, the user is directed to a page where a new password can be set. Other approaches require a reset code sent via SMS or answers to previously set personal knowledge questions (PKQs). A different approach to fallback authentication is social authentication: in these schemes, peers of the account owner help to prove the owner's legitimacy, e.g., by providing codes they receive by email, which the account owner must collect and provide to complete the reset.
Several papers have studied the usability of fallback authentication schemes, but very few have examined more than a single scheme, making meaningful comparisons difficult [46,77]. Additionally, research has usually focused on short periods of time [46,81]. However, long spans between registration and reset are a central challenge of fallback authentication, as it can take months, if not years, until a reset is needed. Bonneau et al. [13] studied the usage of fallback authentication in the wild and found a nearly linear relation between the time passed and the share of fallback claims. After approximately 150 days (4.9 months), 30% of the analyzed accounts had initiated a reset, while 50% had after 330 days (10.9 months), and 70% after 540 days (17.8 months). Based on those observations, the following three research questions arise.
Given identical conditions and different realistic recall times:
RQ1 How do different fallback authentication schemes perform in terms of successful resets?
RQ2 How long do resets take for each scheme?
RQ3 How do users assess the schemes' usability and what issues arise?
To answer these questions, we conducted a long-term user study with 97 participants comparing the usability of four common reset schemes: (1) email, (2) SMS, (3) personal knowledge questions, and (4) trusted contacts. The structure of the study is shown in Figure 1. We used a between-subjects design in which each participant used one of the schemes and reset their password after 6, 12, or 18 months. To provide a realistic study setting, we disguised the study as a test analyzing changes in spatial reasoning ability over time.
This work extends a work in progress report from 2019 titled, "A Comparative Long-Term Study of Fallback Authentication" [56] that outlines the study protocol (see Section 3.1) and focuses on preliminary results from our pilot study (see Section 3.5).
Our study showed that email resets were the most usable, as all participants successfully reset their passwords, and none reported any major issues. Similarly, most participants who used SMS resets did not report any problems and described the system as convenient. However, a few participants were unable to reset their password as they could not access the code sent to them. Finally, fallback authentication based on PKQs and designated trustees had the worst usability. Users had trouble remembering the answers to their PKQs, and successful resets in the designated trustee groups took a prohibitively long time, if they succeeded at all. Based on the results, we outline considerations service providers should make when providing fallback options to their users to allow for successful and convenient resets even after months or years.

BACKGROUND
Fallback authentication is used when the primary authenticator is unavailable, such as when a password is forgotten or an account is compromised. Even though fallback authentication is often the last resort before losing account access, most research was conducted between 2005 and 2017, and it has received little attention from the research community since then [13]. In fact, fallback authentication is considered a problematic issue even in the latest authentication schemes like Web Authentication (passkeys and FIDO2) [10,51]. Often, resets are based on clicking a link in an email, which creates chains of trust and domino effects, causing problems for email providers and services or users that cannot use out-of-band communication like email or SMS [18,50,53]. Some research has evaluated fallback mechanisms on a high level. Maqbali et al. suggested a framework for systematically evaluating fallback authentication schemes from a security and usability standpoint [3]. AlHusain et al. conducted an extensive literature review with 70 articles but concluded that there is a lack of frameworks allowing proper comparison of fallback mechanisms [5].

The Fallback Setting
As fallback authentication is considered a last resort, it is not intended for daily usage but rather must be functional over long periods of time. Moreover, a fallback is expected to always work as no other option is left, and the danger of losing access is a stressful experience for users. These factors pose different requirements for the fallback authentication mechanism than there are for regular primary authentication schemes like passwords:
(1) Long-Term: The time between enrollment and authentication is almost always longer for fallback authentication. In contrast to passwords, knowledge-based fallback authentication suffers from poor memorability or outdated contact information, which services often try to counter by prompting users to confirm their recovery details regularly.
(2) Reliability: As a last resort method, there is no other backup in place, underlining the need to register multiple recovery options and offer alternatives. In contrast to primary authentication, a failed fallback authentication can result in an unrecoverable state or create the need to contact a helpdesk and provide so-called soft factors to regain access, which is an error-prone and costly process for both the end user and the service provider.
(3) Authentication Time: Fallback authentication is intended to be a relatively infrequent action; thus, the required time for authentication can be longer than for primary authentication. Of course, there is a limit to what users are willing to endure, and this may be correlated with the value of the account they are trying to recover.
A combination of those aspects is expressed by the success rate, i.e., the percentage of users that are able to recover their account, which can be used to benchmark different schemes. Additional protection mechanisms like CAPTCHAs or throttling (limiting the number of failed attempts), and obstacles such as temporal lockouts and the strictness of string verifications can further impact usability. The following section provides a comprehensive overview of common fallback authentication schemes.

Secondary Channel
One of the most common techniques is to use a secondary channel. For schemes that operate this way, the requirement is that the fallback is set up while the user still has access to the account.
Email. Email is by far the most common secondary channel and is used by over 90% of popular websites [53]. If access to the account is lost, the account recovery can be initiated using only the account name. The service provider sends an email containing reset information (e.g., a link, reset code, or even the password itself) to the registered email address. Clicking on the link or typing the code on the recovery website allows the user to set a new password. Strict rate-limiting is typically used alongside these mechanisms to prevent replay attacks, with codes and hyperlinks only being valid once or for a short time frame. Little research has explicitly focused on the usability of email as a fallback mechanism. Over the years, several studies have pointed out the various threats that come with the approach. Still, an extensive analysis by Li et al. in 2018 found that over 80% of popular websites employ no additional measures to prevent account access if an attacker has compromised the victim's email account, making it a single point of failure [53]. Others have shown that trusting the email ecosystem can be dangerous [78] as it usually mandates the proper configuration of security extensions and support of modern email authentication (SPF, DKIM, DMARC) and encryption technologies (TLS). Maqbali et al. [54] manually coded 50 popular English websites to identify potential issues with the emails, finding that many have poor instructions, that email headers leak confidential information, and that there are issues with spam filters.

SMS. Using text messaging (or Short Message Service (SMS)) as a secondary channel is very similar to email-based recovery, but instead of an email address, a phone number is linked to the account. An SMS is sent for account recovery, usually containing a reset code or, less commonly, links or temporary passwords. This approach can be less efficient than email-based authentication since users might need to type access codes manually. Additionally, this scheme requires possession of the phone; hence, a user whose phone is out of reach cannot use SMS for account recovery. In 2015, Bonneau et al. [13] did an extensive analysis of the memorability and security of Personal Knowledge Questions (PKQs) (see Section 2.3) with a Google dataset. Briefly, they compared PKQs' account recovery success rates (53%) to the success rates of SMS and email, revealing that the SMS-based scheme showed the highest recovery success (81%), followed by email as a close second (75%). Since their work focused on PKQs, Bonneau et al. provided no further insights into potential reasons for these differences. Our study extends this work by testing all methods in a controlled and comparable environment, reporting in-depth results about details, e.g., authentication timings, user perceptions, usability ratings, and reasons for potential errors. Other research studied the SMS-based approach's security from a theoretical perspective, pointing out concerns with network coverage in rural areas and SMS not being an inherently secure channel, as it can be spoofed [3]. NIST also discourages the use of SMS as a second factor for primary authentication [30], yet it remains widely used for fallback authentication [53].

Knowledge-Based Authentication
Knowledge-based authentication describes a class of mechanisms that rely on something the user knows, i.e., known personal information like preferences or secrets.
Personal Knowledge Questions. The most common knowledge-based fallback authentication mechanisms are "cognitive passwords," introduced by Zviran and Haga [94] in 1990. Nowadays, they are known as security or personal knowledge questions (PKQs). They test the legitimacy of the user by asking them to answer questions with set responses about past experiences or demographic information. Typically, the questions are selected from a predefined list during account registration. Some services allow users to create security questions themselves as well. For account reset, the questions need to be answered, whereby a certain variation may be allowed to tolerate different spellings. The initial research by Zviran and Haga [94] demonstrated a higher recall rate compared to a conventional password and found a low recall rate by even closely related persons. However, this conclusion originates from a time before social media and easily searchable online information. Newer studies [46,67,71,76] show that many of the answers to PKQs are indirectly posted on the internet and that this approach cannot provide the initially claimed level of security.
This was further confirmed by Golla et al., who analyzed answers to 4 million PKQs from a leaked data set, concluding that the security level is low overall [27]. Just et al. proposed a framework for a systemic evaluation of security and memorability aspects of PKQs [45]. Others studied the general perception and creation behavior of PKQs, concluding that users are mostly honest in their answers and disregard security in favor of memorability [13,60]. The same studies also showed that the usability, in particular the memorability of answers, is concerningly low, with 18% being unable to recall answers after only 20 days [46] and 40% after one year [13]. This is particularly concerning as long-term availability is a key requirement of fallback authentication. In an attempt to address the social media-induced security concerns with regular PKQs, a number of studies have explored the feasibility of PKQs about autobiographical information based on phone usage and sensor data [4,34,92]. Others explored using geographical information to generate dynamic PKQs [1,35] or used nudging and memorization techniques to enhance memorability and security [7].
Recovery Codes, Keys, and Phrases. A relatively small number of services like Apple, Microsoft, and ProtonMail offer recovery code-based fallback authentication. While still having access to the account, the user receives a recovery code of up to 28 characters that can be used to regain access in case the password has been forgotten. All companies recommend to "print this out and keep it in a safe place or take a picture of it" in order not to lose it [9].

Social Authentication
Social authentication describes mechanisms that rely on "who you know," i.e., information about one's social graph. Several variations of social authentication exist. Alomar et al. summarized those techniques in an extensive literature review [6]. In the following, we focus on techniques that have found real-world application.
Trust-based Techniques. The most prominent trust-based technique is designated trustees, first proposed in 2006 by Brainard et al. [15]. For setup, the user selects several contacts while still having access to the account. For account recovery, the trustees receive reset codes, and to regain access, the user needs to present a subset of the codes. Schechter et al. studied the same idea, but used email addresses to contact the designated trustees [77]. Their study suggested that the scheme is less efficient than other mechanisms [77]. Still, the new approach had a high success rate, with 17 out of 19 participants being able to complete the recovery process.
In October 2011, Facebook introduced Trusted Friends [19], which allowed users to select trusted contacts from active Facebook friends after the access was lost. Each of those contacts received instructions on how to obtain a reset code, three of which the user had to provide to regain access. However, the feature proved vulnerable to attacks that utilized recently added fake friends under attacker control [29,43]. Thus, as an alternative, Facebook introduced Trusted Contacts in May 2013 [20], which allowed selecting trustees only prior to recovery. This feature has been discontinued since July 2022 as well [21]. Apple has offered a trustee-based fallback called Account Recovery Contact [8] since September 2021. They recommend adding "someone you trust" like friends or family members who own an Apple device and can be easily reached either in person or via phone.
Research has explored further trust-based techniques such as using secondary information like PINs or biometrics to increase security or implicitly inferring users' trust relationships instead of users choosing trustees themselves [80,91]. Guo et al. explored the usability and acceptability of video-call-based social authentication, finding major contextual influences of mood, location, and trust [31]. Stavova et al. compared trustee-based authentication to backup codes, finding that for higher-value accounts (i.e., online banking) trusted party recovery was preferred over codes [81].
Knowledge-based Social Authentication. A second group of social authentication schemes requires users to answer questions about their social environment, which ideally only the legitimate owner knows. The most common knowledge-based approach leverages photo-based information. Yardi et al. [90] first proposed the idea in 2008, basing a prototype implementation on Facebook. The system uses the social graph and other information like photos with tags of the shown persons to authenticate users. This is done by presenting photos from the user's database and asking questions, for example, the names of the photographed persons or the date the photo was taken. In 2011, Facebook adopted the idea to provide an additional barrier in case a suspicious login is detected. The fundamental concept is that an attacker, even if they manage to acquire the account password, would be unable to answer questions correctly as they do not possess knowledge of the associated social graph.
Several works have raised security concerns ranging from close friends being able to answer the questions as well [49] to automated attacks exploiting face recognition techniques [69,93]. To enhance the resilience of photo-based methods against automated attacks, Polakis et al. [68] developed a countermeasure that reduces image quality to defeat recognition algorithms while the user's ability to recognize the image is retained. Jain et al. [42] suggested utilizing other forms of social knowledge by creating challenge questions based on three elements representing the social graph.
Help Desk. As a last resort, some services offer help desks for those struggling with fallback mechanisms [23]. However, employing support personnel and maintaining help desks is costly [41,73], and soft factors used for authentication are prone to targeted attacks [40]. Common soft factors are name, address, date of birth, parts of registered credit card numbers (Microsoft), account usage details like the account registration date (Google), or "contacts you've recently sent emails to." Parkin et al. showed that users prefer self-service online password resets over help desk interactions despite a 4:1 ratio of failed-to-successful account recoveries [64].
Browser Fingerprinting. Browser fingerprints consist of details about the user's browser, location, and device configurations (i.e., IP address, language settings, screen resolution, hashes of browser plugins). On every website visit, fingerprints are compared to previous sessions, assuming an attacker cannot precisely mimic real sessions. Despite browser fingerprints being considered short-lived (only stable for 3 to 6 weeks [70]), with limited utility for fallback authentication, in 2018 Google disclosed using them to drive authentication decisions [62]. They recommend users to "use a device where [they]'ve signed in before" and "choose a familiar Wi-Fi network, such as at home or work" when resetting passwords [12].
Proactive Measures. Services employ various tools to improve the success rate of fallback authentications proactively. Up-2-date checks, deployed by eBay, GitHub, and Yahoo, prompt users with "Don't get locked out! Review your account recovery info." to confirm that the stored account recovery information, i.e., phone number or email address, is still correct. Others utilize opportune moments, such as account security checkups, asking to register additional alternative recovery options, like a recovery phone number, alternative email address, or security key, "in case you accidentally get locked out" (Google). Finally, notifications for account security-related updates like password changes or registrations of new recovery options create awareness and help users notice potential account compromise and regain access [57].

Long-Term Studies
Bonneau et al. compared several recovery schemes [14], including email, SMS, designated trustees, and PKQs, but only synthesized individual analyses [15,76,85]. A subsequent comparative work by Bonneau et al. [13] demonstrated a higher recovery rate for SMS (81%) and email (75%) than for PKQs (61%). However, they disregarded the time between account creation and recovery claim. Raponi et al. compared whether websites adapted password management and fallback policies in a long-term evaluation but did not run a user study [72]. Research on the usability of fallback mechanisms mostly considered only one scheme at a time and covered durations of 3 months or less [4,32,38,46,92] or at most half a year [76].

METHOD
This study aims to provide the missing comparison of fallback authentication schemes' effectiveness and usability over realistic recall times of 6 to 18 months. We explain the protocol of the long-term study, the selected schemes and their implementation details, the recruitment process, and the participants' demographics.
We also provide details on the primary task (mental rotation test), closing with limitations and ethical implications of the research.

Study Protocol
The study consisted of three stages: registration, a short-term callback after 2 weeks, and a long-term callback after 6, 12, or 18 months where participants used their assigned fallback authentication scheme. We limited the study to participation via desktop devices to provide identical and ideal conditions for each reset scheme. For example, typing is usually more cumbersome on mobile devices, which could affect certain schemes negatively. Importantly, the study was disguised as a measurement of long-term performance trends in a mental rotation test (MRT), justifying the need to log into the MRT website multiple times during the study [79,86]. The full survey instrument can be found in Appendix A.
Stage 1: Registration. After consenting, participants created an account on our study website using an email address and a password. Participants were then assigned round-robin to one of four fallback authentication schemes (see Section 3.2) and one of the three callback times (6 months, 12 months, or 18 months), which defined the time span between the second and third stage. The time spans were chosen following findings from Bonneau et al. [13], who measured that 33%, 50%, and 75% of the analyzed sample had started an account recovery after the mentioned periods. Some groups (SMS, trustee, and PKQ; see Section 3.2 for reference) had to provide further details, which we explained by saying that the long duration of the study might make fallback authentication necessary. After the registration, participants completed five initial mental rotation tests. A demographic questionnaire (S1-D1 to S1-D4) and an honesty question (S1-H) concluded the first stage.
Stage 2: Two-Week Callback. After two weeks, all participants were emailed to return and complete another mental rotation test. They had to log in using their email address and password combination but could also reset their password using the respective fallback authentication mechanism. This stage was included to remind participants about the study, select participants who would be more likely to return after an extended time, and give further incentives to follow through with the entire study. Additionally, it gave us another data point after two weeks.
Stage 3: 6/12/18-Month Callback. Depending on their condition, participants were emailed to return after 6, 12, or 18 months. When logging in, we enforced a password reset, claiming internal re-configurations to be the reason. With this approach, we could measure how many participants correctly remembered their password and, more importantly, how many successfully completed the fallback authentication. At this point, we constantly monitored if participants initiated the reset but struggled to complete it. If this was the case, we manually emailed them a link to reset their password to ensure that we also collected results from unsuccessful fallback procedures.
After resetting the password, participants logged in and completed the primary task a third time before we debriefed them about the real purpose of our study. No participants withdrew from the study after the debriefing. Participants who did not complete the study were debriefed via email. After the debriefing, we asked participants to complete a usability questionnaire regarding the reset process, consisting of a set of tailored questions for each scheme and the system usability scale (SUS), including an attention check, as a metric for direct comparison [17]. Finally, participants again answered the demographic questions from Stage 1 to detect any changes before we asked them about potential dishonesty (S3-H). We emphasized that indicating dishonesty would only exclude their data from the analysis but not affect their payment.

Selected Schemes & Implementations
From the different real-world implementations, we selected four fallback authentication schemes (cf. Table 1) to test in our study. Figure 2 shows screenshots of the different enrollments.

Email. This scheme is often easy to implement as users provide an email address during account registration anyway, which can then also be used for fallback authentication. In our study, we did just that. Like all participants, the email reset group had provided their email address during account setup and was thus not asked for further information. Updating the email address was possible at any time during the study. For recovery, participants provided their email address and received an email containing a unique link directing them to the password reset page (see Figure 6 in Appendix B.1).

SMS. During account setup, we asked for the user's mobile phone number, explicitly stating account recovery as the reason. To confirm that participants could access the phone number, we asked them to input a code we sent to the provided number. The same confirmation process took place if the phone number was changed, which was possible at any time during the study. To reset the password, we first asked participants for their email address and then redirected them to a form where they had to provide a six-digit reset code, which we sent to the linked phone number. On this page, participants were also able to initiate re-sending the SMS.
The SMS was written in line with best practice [26]. Figure 7a in Appendix B.2 shows the exact wording. We did not disclose the phone number during the reset for privacy reasons.
Figure 2 (caption fragment): Figure 2a was the standard form that all participants had to complete to create an account. The trusted contacts enrollment form read: "In case you cannot access your account, we will send an email to your trusted contacts containing a security code. Your trusted contacts should make sure it is you before giving you the codes. Enter the codes from your trusted contacts, and you will be able to access your account. To begin, provide the email addresses of three trusted contacts that you can call for help if there is ever a problem with your account. For your security, we will notify all contacts you are going to add; however, you may change the trusted contacts at any time, and we will not notify anyone you remove from the list."

Personal Knowledge Questions. For the reset scheme based on personal knowledge questions (PKQs), participants had to select and answer three questions. Our set of PKQs consisted of 4 "classical" questions that have been used for a long time but are known to be insecure and easy to guess [27,71]:
• "What is your mother's maiden name?"
• "What is your city of birth?"
• "What is your favorite sports team?"
• "What is the name of your high school?"
and 4 questions with reportedly better security properties [13]:
• "What is the name of the street where you grew up?"
• "What is the first name of your best friend?"
• "Who was your favorite film star or character in school?"
• "What is the last name of your favorite elementary school teacher?"
For account recovery, two out of the three registered questions were randomly selected (see Figure 11 in Appendix B.4), and participants had to answer both correctly. When matching the originally set answers to the given ones, we ignored capitalization, following practice by Apple, PayPal, and eBay, and removed spaces, like Apple and eBay do. In line with all of those services, we did not allow any edit distance.
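The matching rule just described (ignore capitalization, remove spaces, no edit distance, and both of two randomly chosen registered questions must be correct), as an added Python example; this is not the study's code, and the salted hashing of stored answers is an assumption, since the paper does not describe how answers were stored.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# The eight questions offered in the study: four "classical" ones and
# four with reportedly better security properties.
CLASSICAL_PKQS = [
    "What is your mother's maiden name?",
    "What is your city of birth?",
    "What is your favorite sports team?",
    "What is the name of your high school?",
]
BETTER_PKQS = [
    "What is the name of the street where you grew up?",
    "What is the first name of your best friend?",
    "Who was your favorite film star or character in school?",
    "What is the last name of your favorite elementary school teacher?",
]
ALL_PKQS = CLASSICAL_PKQS + BETTER_PKQS


def normalize(answer: str) -> str:
    """The study's matching rule: ignore capitalization and remove all
    whitespace. Nothing else is tolerated (punctuation stays, no edit
    distance), so "St. Louis" and "St Louis" are different answers."""
    return "".join(answer.split()).casefold()


def _digest(salt: bytes, answer: str) -> bytes:
    return hashlib.sha256(salt + normalize(answer).encode("utf-8")).digest()


def enroll(answers: dict[str, str]) -> dict:
    """Register exactly three questions from the offered set. Answers are
    stored as salted digests of their normalized form (an assumption for
    this example, not something the paper specifies)."""
    if len(answers) != 3 or any(q not in ALL_PKQS for q in answers):
        raise ValueError("exactly three questions from the offered set are required")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digests": {q: _digest(salt, a) for q, a in answers.items()}}


def select_challenge(record: dict) -> list[str]:
    """Pick two distinct registered questions at random for one reset attempt."""
    questions = list(record["digests"])
    chosen: list[str] = []
    while len(chosen) < 2:
        q = secrets.choice(questions)
        if q not in chosen:
            chosen.append(q)
    return chosen


def verify(record: dict, challenge: list[str], responses: list[str]) -> bool:
    """A reset succeeds only if both challenged questions are answered
    correctly. Every comparison is evaluated (no early exit) and uses a
    constant-time digest comparison."""
    if len(challenge) != 2 or len(responses) != 2:
        return False
    ok = True
    for question, response in zip(challenge, responses):
        expected = record["digests"].get(question)
        if expected is None:
            return False
        ok &= hmac.compare_digest(expected, _digest(record["salt"], response))
    return ok
```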

Designated Trustees. We designed our designated trustee scheme as a variation of Schechter et al.'s approach [77] and the implementation of Apple [8]. During account creation, participants were asked to provide email addresses of three contacts, again explicitly stating recovery as the reason. All trusted contacts received an email informing them about their role (see Figure 8 in Appendix B.3), which we also used to check the existence of the email addresses. Updating the list of trustees was possible at any time. We emphasized that we do not inform trustees about being removed to prevent reluctance to adjust the list due to social concerns.
For recovery, participants had to provide their email and were then presented with a form to submit the reset codes (see Figure 10a in Appendix B.3). For a successful recovery, two out of three codes were required. Due to privacy reasons, we did not directly display the email addresses of the trusted contacts. Instead, we offered to reveal the list by providing the email address of one trusted contact correctly (see Figures 10b and 10c in Appendix B.3).
If a reset was initiated, the three trustees received an email with a six-digit reset code, and instructions to relay the code to the owner of the account. As part of these instructions, we provided the participant's email address and explicitly told trustees only to pass the code once they verified the participant's identity. Figure 9 in Appendix B.3 shows the email's exact wording. Directly sending the reset codes to the trustees is different from the initial proposal by Schechter et al. [77]. They required the designated trustees to complete several steps before obtaining a code, among others, a pledge, to minimize the risk of an account takeover. As we wanted to minimize the risk of trustees not completing such a multi-step protocol, we decided on a simplified version, which is also more in line with the implementation by Apple [8], where the reset codes are shown in the trustees' iOS settings.
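The trustee flow described above (one six-digit code per trustee, two of three codes required, trustee list revealed only after naming one trustee correctly), as an added Python model that is not the study's implementation; the attempt limit and code lifetime are assumptions the paper does not state.

```python
from __future__ import annotations

import hmac
import secrets

REQUIRED_CODES = 2                 # two of the three trustee codes complete the reset
CODE_DIGITS = 6
MAX_ATTEMPTS = 5                   # assumption: the paper states no throttling limit
CODE_LIFETIME_SEC = 7 * 24 * 3600  # assumption: the paper states no validity window


def _new_code() -> str:
    return "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))


class TrusteeRecovery:
    """Recovery state for one account with three designated trustees."""

    def __init__(self, owner_email: str, trustees: list[str]):
        if len(trustees) != 3 or len(set(trustees)) != 3:
            raise ValueError("exactly three distinct trustee addresses are required")
        self.owner_email = owner_email
        self.trustees = list(trustees)
        self.codes: dict[str, str] = {}   # trustee -> outstanding code
        self.issued_at: float | None = None
        self.attempts = 0

    def start(self, now: float) -> list[dict]:
        """Begin a reset: issue a fresh, distinct code per trustee and return the
        messages that would be emailed. Each message names the owner so the
        trustee can verify the requester before relaying the code."""
        codes: dict[str, str] = {}
        for trustee in self.trustees:
            code = _new_code()
            while code in codes.values():
                code = _new_code()
            codes[trustee] = code
        self.codes = codes
        self.issued_at = now
        self.attempts = 0
        return [
            {"to": t, "code": c,
             "text": f"{self.owner_email} asked to reset their password. Give this "
                     f"code only to them, after confirming it is really them: {c}"}
            for t, c in self.codes.items()
        ]

    def reveal_trustees(self, claimed_trustee: str) -> list[str] | None:
        """Privacy step from the study: the trustee list is shown only if the
        requester already names one trustee address correctly."""
        claimed = claimed_trustee.strip().lower()
        matches = [hmac.compare_digest(claimed, t.lower()) for t in self.trustees]
        return list(self.trustees) if any(matches) else None

    def submit(self, submitted: list[str], now: float) -> bool:
        """Accept the reset if codes from at least two distinct trustees are
        presented while the codes are still valid. Codes are consumed on
        success (single use) and voided after too many failed attempts."""
        if self.issued_at is None or now - self.issued_at > CODE_LIFETIME_SEC:
            return False
        if self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        matched: set[str] = set()
        for entry in submitted:
            for trustee, code in self.codes.items():
                if trustee not in matched and hmac.compare_digest(entry.strip(), code):
                    matched.add(trustee)
        if len(matched) >= REQUIRED_CODES:
            self.codes = {}          # single use: the same codes cannot be replayed
            self.issued_at = None
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.codes = {}          # lock out: a new reset must be started
        return False
```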

Recruitment and Demographics
We recruited participants using different channels, including mailing lists at the university, as well as websites and social media groups where researchers who are looking for participants can post their surveys. We were unable to use services like Amazon Mechanical Turk and Prolific for recruitment as we needed to collect data like email addresses and phone numbers. Overall, 201 participants completed Stage 1, of which 142 participants returned to complete Stage 2. A total of 105 participants completed the third long-term stage, of which 8 failed attention checks and were removed (S3-AC). The final number of participants was 97. Since the three stages all differed in their duration, and we wanted incentives for returning to the long-term stage, we paid different compensations: In Stage 1, participants received $1.80 for an average of 3.5 minutes. The second stage took 1.5 minutes and was compensated with $0.90, whereas the final, long-term stage took 6 minutes and was compensated with $3.60.
Table 2 shows the demographics. Our sample included a slight majority of female-identifying (56%) and non-technical (53%) participants. Our participants were mostly younger, with 85% aged between 18 and 34, and relatively well educated, with 32% holding a Bachelor's and 32% a Master's degree. This comes as no surprise considering the described recruitment channels.

Primary Task
To disguise the real purpose of our study, we used a Mental Rotation Test [79,86] as the "primary task." The layout and exact wording of the study's implementation can be seen in Figure 3. The purpose of the primary task was to distract the participants from the real purpose of the study and to increase the ecological validity of the authentication task. Framing the long-term nature of the study as being a study of cognitive ability over time allowed us to justify the length of the commitment without revealing our interest in the authentication step. The MRT is also a strong cognitive distractor and should suitably prevent participants from remaining focused on the authentication task.

Pilot Study
Our pilot study was intended to minimize the risk of technical issues during the main study and to ensure questions were understood as intended. We recruited 74 students from our university, of which 44 completed all three stages. As testing our implementation was the primary purpose of this study, we reduced the time span between the first and second stage to 1 week, and the period between stages two and three to 3 weeks. Most importantly, we identified the need to reduce the use of fictional email addresses for the designated trustees scheme. Thus, we decided to send information emails to the trustees after enrollment to check the existence of the addresses. If we received an "Undelivered Mail Returned to Sender" error, we marked the respective address and asked the participant for a new one at the beginning of the second stage. At this point, we highlighted the importance of providing valid trusted contacts for account recovery and the long time span between the second and third stage. This is different from Schechter et al. [77], who did not send emails to trustees during enrollment but also did not face the described problem to the same extent, since participants in Schechter et al.'s study used their actual Microsoft accounts. Similarly, Apple's account recovery contacts [8] are selected from a user's contact list and must be associated with an Apple ID. In contrast, our participants created an account for the study to which they presumably do not assign a high value and are thus more likely to provide fictional email addresses. This limitation, which we expand on in Section 3.6, is shared by all studies with a similar methodology.
Figure 3: Example of the Mental Rotation Test (MRT), which is used as a distractor task in the study. (Figure not reproduced here; its instruction reads: "Please decide for each pair whether the two drawings portray objects with the same shape and size, i.e., are congruent with respect to three-dimensional shape, or depict objects of different three-dimensional shapes." Response options: "Same" / "Different".)

Limitations
This study aims to compare fallback schemes after realistic reset times given identical conditions for all resets, yet some confining aspects exist. First, participants needed to create an account for the study, and we assume the perceived value of the account to be comparatively low. This could have negatively impacted the reset rates of the trusted contacts and PKQ schemes if participants stated made-up email addresses or random answers, which prevented them from resetting the password. As described earlier, we added a checkup as a countermeasure to minimize the consequences for the trusted contacts group. Nevertheless, dealing with incorrect information and accounts not being as important as others is a problem that other studies with a similar methodology must manage, as must regular service providers. Additionally, we acknowledge that results could have been influenced by biases regarding how questions are formulated and participants' tendency to provide socially desirable answers. Finally, due to the recruitment channels, our participants were mostly younger and more educated; results could differ for more diverse recruitment samples.

Ethical Considerations
Our study received clearance from our institutional review board. We took a number of steps to minimize the risk of ethical harm to participants. Although we concealed the true focus of the work until the end of the study, the authentication steps were always visible to participants. To clarify the true purpose of the study, participants were debriefed during the final session. Participants who did not return for the last stage received the debriefing via email. Finally, participants were educated about the data collected in this study and that it was stored and processed per the General Data Protection Regulation (GDPR). We also took care of the data entrusted to us during the study. All personally identifiable information (PII), such as participants' email addresses, phone numbers, or trusted contacts, was deleted after the study.

RESULTS
Below, we present the results of our user study, including results from the reset processes and more general usability aspects. First, we address research question RQ1, i.e., participants' ability to reset the password with the fallback scheme after the assigned recall time. Afterward, we focus on the time spans needed for the resets for each scheme and recall time (RQ2). We close by answering RQ3, i.e., how participants perceive the usability of the reset processes, and show which issues arise for the schemes after 6, 12, or 18 months. Table 3 details the results for each combination of the independent variables, reset scheme and recall time. When referencing participants, e.g., for quotes, we use an identifier composed of the abbreviated treatment name (EM, SMS, PKQ, DT), the recall time (6, 12, 18), and the ID within the reset group.

RQ1: Successful Password Resets
The most important measure of usability for a fallback authentication mechanism is whether users are able to successfully access their accounts. Regarding the schemes, email was the leading option: all 21 participants (100%) successfully reset their passwords. This is followed by the SMS group, where 24 of 26 resets (92%) were completed. For the designated trustees scheme, 24 of 29 (83%) participants were able to reset their password. Participants who reset their password using personal knowledge questions had by far the lowest success rate, with only 12 of 21 (57%) being successful. The results of Fisher's exact test (p < .001) indicated a significant difference in the number of successful password resets between the reset schemes. Using a posthoc test, Bonferroni corrected for multiple comparisons, we observed significant differences between the email (100%) and PKQ (57%) schemes (p < .01) as well as between SMS (92%) and PKQ (p < .05).
For the callback times, reset rates after 6 and 12 months are very similar, 80% and 79%, respectively. Reset success after 18 months is slightly higher (87%), yet Fisher's exact test (p = .681) did not indicate any significance here.
When looking into why resets fail, we find that one of the two failures in the SMS group was due to the participant not residing in the US at the time of the reset and not having service: "I don't have service to that phone number in this country, as i am studying abroad" (SMS-6-P9). The other participant described having a new SIM card altogether. While similar situations can occur at any time, chances for the latter may increase over time.
Issues reported by participants in the trusted contacts group include being unable to remember whom they selected as a trustee, trustees not responding, or trustees not having access to their email accounts: "One of my trusted contacts' email account was not active anymore" (DT-12-P26). Following the pilot study, where many participants provided nonexistent email addresses, we added a check to account for this issue (see Section 3.5). After the main study, we can conclude that this approach was beneficial: We caught three errors, two typing errors and one participant who initially provided a random email string and corrected it to a valid email address after being prompted. All three successfully reset their password at the beginning of the third stage.
Of the people who failed to regain access using PKQs, two could not remember the exact spelling of their answer (e.g., "St." vs. "Street") and seven users said they failed to remember one or both of their answers entirely. One participant described how their coping strategy failed: "I thought I wrote the answers down somewhere, but I couldn't find them" (PKQ-18-P4). As an exploratory posthoc analysis, we examined two sub-groups for the designated trustees scheme: dependent and autonomous. These two groups are defined by the number of trusted contacts that are email accounts owned by the participants (see Question S3-DT1). If 2 or 3 contacts were actually the participant's own email accounts, the reset could be performed autonomously. In the other case, the participant was dependent on others. For the ratio of successful to failed resets, we observe a stark discrepancy between the dependent and autonomous sub-groups of the designated trustees scheme. While roughly every third participant (4/11; 36%) who had to rely on actual trusted contacts failed the password reset, only 1 of 18 participants (6%) who stated 2 or 3 of their own email accounts did. Further investigation of the latter failure revealed that 2 of the 3 email accounts were non-existent and flagged by our system as "Undelivered Mail Returned to Sender." Disregarding our instruction, the participant provided them again when prompted for new trusted contacts in Stage 2.

Table 3: The rate of successful resets, the median reset time, and the SUS scores for the four fallback schemes. We also depict two sub-groups for the designated trustees scheme based on whether participants were dependent on others for their reset or could complete it autonomously.

RQ2: Password Reset Times
In addition to knowing if participants were able to reset their passwords, we also wanted to know how long it took them to complete the process. For this analysis, we measured the time span from initiating a reset to successfully setting a new password. We removed extreme outliers from the collected reset times using Tukey fences with k = 3, i.e., values lying more than 3 times the interquartile range below the first or above the third quartile. Figure 4 shows the results for each of the four reset schemes and the two sub-groups of the designated trustees.
Resets from the PKQ scheme were the fastest, with 30 s as the median. Note that while reset times were low, we previously saw that significantly fewer participants in the PKQ group could reset their passwords at all. Email resets were comparably fast with a median of 31 s. The SMS scheme ranked third in reset times (Mdn = 52 s). Lastly, participants who used the designated trustees scheme spent the longest time resetting their passwords, with a median reset time of 111 s. However, an interquartile range of 247 s highlights that some participants in this group took substantially longer than others. Using a Kruskal-Wallis H test, as the data was not normally distributed, we saw that there was a significant difference in the reset time between the schemes, χ²(3) = 34.53, p < .001. The Bonferroni-corrected posthoc Dunn's test indicated that the reset times of email, SMS, and PKQ are all significantly shorter than those of the designated trustees scheme (p < .001).
We also separately compared the fallback schemes for each callback time. The Kruskal-Wallis H test indicated that there is a significant difference after 6 (χ²(3) = 11.8, p = .008), 12 (χ²(3) = 9.78, p = .021), and 18 months (χ²(3) = 10.06, p = .018). For each of them, the posthoc Dunn's test using a Bonferroni-corrected α of 0.0083 indicated that the PKQ and trustee resets are significantly different. Taking just the callback time as the independent variable, a Kruskal-Wallis H test indicated no significant difference between the reset times, χ²(2) = 0.51, p = .775. Both analyses suggest that the callback time does not influence the time needed to reset the password.
In the PKQ group, where resets were the fastest, 9 of the 12 participants got their answers correct on the first try. Of the remainder, two took a second attempt, and one took three tries due to different spelling or typos. As reset times were low, we initially suspected participants of digitally saving answers (e.g., in a password manager), but found that all answers were typed, refuting this assumption.
The situation for the email-based resets is similar, yet outliers are more notable. One participant named the delivery of the email as a cause for the delay: "The mail took 30 sec. longer than expected." (EM-6-P12) For the SMS scheme, an interquartile range of 22 s suggests that the reset experience was consistent for most participants, which is further underlined by the fact that no one mistyped their code, and only two participants requested more than one reset SMS. Question S3-SMS3 asked if participants usually have their phone within reach when surfing the web, to understand if the accessibility of the phone posed a hurdle during the reset. It did not, at least for our comparably young population (see Section 3.6), with 92% saying they "often" or "always" have their phone within reach when surfing the web.
Resets for the designated trustees group took significantly longer, which is reasonable, considering that participants had to get in touch with others to reset their passwords. One participant whose reset took more than a day described the situation as follows: "My contacts and I weren't online simultaneously such that collecting all codes took rather long." (DT-18-P1) For the designated trustees scheme, Figure 4 shows two additional plots where we separated participants into those who used the scheme in a dependent or autonomous way. For the sake of clarity, we limited the x-axis to 600 s. The median and average for the dependent sub-group are 27 min and 62 min, respectively.
To better understand the reset process for this scheme, we investigated how participants got in contact with their designated trustees.
Of the 11 participants who provided actual contacts, most (6) interacted with them using an instant messenger. Fewer participants (4) sent an email, and 3 participants met their trusted contact in person. The fewest participants called their trusted contacts (2) or sent an SMS (1). While the popularity of instant messengers comes as little surprise, as they are an efficient way to communicate the reset codes, it must be noted that their confidentiality and authenticity are not guaranteed. Certain messengers like Signal or WhatsApp do provide end-to-end encryption and mutual authentication, yet those mechanisms are often poorly understood by users [22,37,87,89]. Phone calls, in turn, can be spoofed, which is further simplified by the advances in artificial intelligence [16,83], and the insecurity of SMS or email as communication channels has also been proven repeatedly [44,55]. Hence, in-person meetings offer the highest security level possible, as the trusted contacts can be sure that the code is only shared with the account owner. For this reason, Schechter et al.'s original proposal also prompted trustees and account owners to get in touch physically [77]. Again, we performed an exploratory analysis of the differences between the dependent and autonomous sub-groups of the designated trustees scheme. In stark contrast, even to the combined designated trustees scheme, the average reset for the dependent group took 62 minutes (3734 s); the median reset time was 1,602 s or 27 minutes. As seen in Figure 4, participants' resets were substantially faster if they could complete the protocol autonomously, averaging only 113 s (Mdn = 97 s). The results of a Mann-Whitney U test also indicate that these differences are significant, Z = 2.6308, p = .009. Hence, in addition to increasing the success rate of resets, this unintended deviation from the protocol utilized by some participants also decreases reset times: "Since all the accounts belonged to me, it was alright (if not tedious) but I think if I used accounts belonging to other people I wouldn't have been able to log in [...] I would've had to contact at least two people asking them to check their email and wait for a response, which, knowing the kinds of people I'd use as a 'trusted contact,' would've taken at least a day." (DT-12-P25)

RQ3: Perceived Usability
We used the System Usability Scale (SUS) [17] for a standardized and comparable assessment of the four reset schemes. The email-based reset ranked the highest, with an average score of 80 (Mdn = 83). Based on the adjective rating by Bangor et al. [11], which provides an informative description of SUS scores, most participants ranked the email scheme as "excellent." The SMS scheme's usability, on the other hand, was assessed as "good" by participants, with an average SUS score of 74 (Mdn = 83), ranking second highest among all schemes. An average score of 63 (Mdn = 60) put the PKQ scheme's usability between "OK" and "good", with some participants' scores even ranging to "poor." The overall greatest range in scores was seen for the designated trustees scheme. While the average SUS score of 60 (Mdn = 58) was only marginally lower than that of the PKQ scheme, some participants rated the system as "worst imaginable." A Kruskal-Wallis test indicated that there is a significant difference in the SUS scores of the different schemes, χ²(3) = 18.07, p < .001. Using a posthoc Dunn's test with a Bonferroni-corrected α of 0.0083, we observed significant differences between the following schemes: email/PKQ, email/trustees, and SMS/trustees.
The separate analysis of the sub-groups of the designated trustees scheme who used it in a dependent or autonomous way was in line with the findings about the success rate of resets and the required time, yet the differences in SUS scores were not as substantial: While the average rating of the dependent group was 53 (Mdn = 54), it increased to only 64 (Mdn = 65) for the autonomous group.
An explanation for the lower SMS ratings compared to the email scheme may be the lower success rate and the greater effort required to reset, as a code needs to be copied instead of clicking a link. The same applies to the PKQ scheme: Examining the 12 participants who were able to successfully reset their password, the average score was 80 (Mdn = 84), making it comparable to the email scheme. In contrast, the average across the nine participants who failed to reset their password was only 43 (Mdn = 43). In the group of trusted contacts, low scores were not solely given by participants who failed the reset: Those who did fail gave an average SUS score of 44 (Mdn = 48), but the score for those who successfully reset their password is only slightly higher at 63 (Mdn = 65).

Figure 5: Scores of the System Usability Scale (SUS) for the different fallback authentication schemes. For the designated trustees scheme, we show two additional plots where we separated participants into those who used the scheme in a dependent or autonomous way. To provide additional context, we added the adjective ratings from Bangor et al. [11].
Kruskal-Wallis H tests for each callback time indicated that there is a significant difference in the SUS scores after 18 months (χ²(3) = 14.29, p < .003). A posthoc Dunn's test using a Bonferroni-corrected α of 0.0083 indicated that the SUS scores of email (90) and trustees (53), as well as SMS (84) and trustees (53), are significantly different. This highlights that the longer the callback time is, the worse the perceived usability of the trusted contacts scheme becomes. This is reasonable, as two of the described issues, not remembering the contacts and trustees not having access to their email account, may become more likely over time.

Results Summary
Below, we summarize our findings for each scheme following the three research questions. We also contextualize the results to provide a ranking.

Email.
The email scheme showed the best overall usability. All participants in this group were able to successfully reset their passwords, the SUS scores were the highest out of all four schemes, and reset times were also not significantly longer than those of the other schemes. Generally, participants were very positive and did not report any negative aspects about this type of reset.

SMS.
Compared to email, SMS-based password resets showed only marginally worse results in our study. This fallback scheme ranked second in all measured categories, and in each case, the differences from the best-ranking scheme were not statistically significant. Only two participants encountered problems in this condition: (1) one participant changed their phone number without updating the number associated with the account, and (2) the SMS could not be transmitted due to technical reasons.

Personal Knowledge Questions.
The results for the PKQs were mixed, but the overall usability evaluation was rather negative. While the average successful reset took only 32 seconds, which was the quickest across all schemes, the number of participants who could not complete the reset at all was by far the highest. SUS scores were also low, especially among those participants who could not recall their answers and failed the reset. We did not observe any notable usability or success-rate differences between the traditional set of questions, which are often easy to guess [27,71], and the more modern ones with slightly better security properties [13] (see Section 3.2.3).
Additionally, we highlight that some users employ strategies to compensate for usability issues and security concerns with the scheme. Websites should be aware that some users intentionally provide random answers or answer untruthfully, attempting to increase security, as also observed by related work [13]. Others do not want to share the personal information that the PKQs ask them for. While some users might take note of their random answers (for example by storing them in a password manager [2] or writing them down in a notebook [65]), enabling them to reset their passwords later on, some may forget their random answer, making the reset impossible, as happened to one of our participants: "I couldn't remember the answer for my favorite teacher, because I somehow forgot all my elementary teachers. [...] I might have even given some wrong answers because I do not trust sensible information on other websites. The exception is on online banking websites." (PKQ-12-P15)

Designated Trustees.
Overall, this reset scheme ranked last as it had the most drawbacks. However, the results varied based on whether participants provided actual contacts or just used several of their own email accounts. If the scheme was used in the intended way (dependent), reset rates were among the lowest, reset times were far higher than for the other schemes, and the system's usability was perceived as low. In the other case (autonomous usage), the reset procedure is more similar to the email-based scheme, and usability ratings were more similar to those of the other schemes. These findings are influenced by the implementation, which in our case required users to provide two of three reset codes. Other configurations may perform differently, e.g., requiring only one reset code would potentially decrease the effort.

DISCUSSION
Next, we discuss the takeaways and give recommendations.

Email as the Magic Bullet?
Throughout our analysis, resets based on email proved to be the most favorable option. Even after 18 months, all participants successfully reset their passwords in a reasonable time and did not report any usability issues. There are multiple ways to explain this clearly positive result.
Apart from the very few steps required and the short (but not shortest) reset time, it could be argued that an email reset has the highest familiarity. By now, email has essentially become a digital identity [53], and fallback authentication mechanisms that rely on it only strengthen that association. Most people use email frequently and may thus be very accustomed to the idea that this is how to cope with account issues. Still, it needs to be taken into account that the email-based scheme might not be deployable in every case, most prominently for the recovery of the primary email account. Moreover, the over-reliance on email creates a single point of failure [53]. While the login to an email account can theoretically be secured using two-factor authentication or passwordless schemes like FIDO2 and passkeys, which are not susceptible to most online attacks, those mechanisms are used infrequently [48,62,66]. Additionally, email has little protection against intimate attackers, like a partner or family members [25,36,58,84]. This allows for trivial password resets to all linked accounts, not only locking the original owner out but also allowing account access for those with malicious intent. Therefore, email resets should not be recommended without restrictions, despite their many advantages, as certain aspects may limit their applicability. Interestingly, in contrast to our results, Bonneau et al.'s work [13] reported SMS having a slightly higher recovery success rate than email. In the context of only slightly worse usability ratings for SMS compared to email in our study, this may indicate that both email and SMS are generally similarly favorable.

Another Nail in the Coffin
As many others have shown before, we can confirm that the memorability and perceived usability of PKQs are low, especially compared to the alternatives, and for realistic callback times in the range of months and years. This holds for both the traditional set of questions [27,71] and the more secure ones [13] (see Section 3.2.3). Moreover, people sometimes provide random answers intentionally, either for privacy reasons or because they falsely believe that this increases security [13]. Despite extensive multi-year research efforts to improve the approach of PKQs by using dynamic [4,34,92], location-based [1,35], or simply "harder to know" [13] question types, they proved to be an unsuitable approach once again. As there are no arguments in favor of PKQs from either the users' perspective [13,46] or the security side [27,46,67,71,76], we strongly recommend that services cease the use of PKQs.

Cheating as a Solution?
Our findings were very diverse for the social authentication approach (designated trustees), where participants had to provide two of three reset codes. Participants who correctly followed the instructions and provided actual contacts described the usability as poor. Participants who "cheated" by stating their own email addresses ("autonomous" usage) rated the usability as tolerable.
From a security standpoint, cheating on the system also sabotages its security. The security of the scheme is grounded in the trustees' ability to check the legitimacy of the person requesting the reset codes [77]. However, when used in the "autonomous" way, the security is essentially reduced to that of multiple email-based resets. While we fully acknowledge the aforementioned security shortcomings of email, we can also not disregard that it is the de facto standard, and we lack compelling alternatives. Hence, requesting users to provide multiple email addresses owned by them that need to be accessed for account recovery only slightly decreases the usability and increases the authentication times. At the same time, it could be an easily deployable improvement that reduces the risk of one email account being a single point of failure. Of course, this requires the passwords of those email accounts to be different and may only marginally increase the security against intimate attackers [25,36,58,84].

Users Find Their Shortcuts
As advocated for by many, and lying at the core of usable security, systems must be usable to provide the intended security [74,75]. Our participants circumventing the trusted contacts system is a prime example of this behavior and once more stresses the importance of designing for usability and, at best, designing secure systems without users having to play a role in the "securing." Moreover, the security of the trusted contacts scheme relies on the authenticity and confidentiality of the communication channel. This may enable certain attackers to intercept [22,37,44,87,89] or spoof the reset process [16,55,83]. To prevent this, the original proposal by Schechter et al. prompts trustees and account owners to get in touch physically [77], which is very demanding, assuming that the parties could reside in different cities, states, or even countries.
In the case of trusted contacts, getting in touch with others can even add a level of social anxiety or concern, considering that one has to tell others that something potentially embarrassing like losing access to their account has happened. Relying on others might also not be viable for people who do not know "enough" people whose email addresses they have or whom they trust closely.

Resets in a Passwordless Future
With ongoing efforts to eliminate the password altogether, one may argue that password resets will become obsolete eventually. Still, the necessity of a backup authentication mechanism will remain a topic of utmost importance [10,51]. In fact, the lack of a standardized fallback solution is considered one of the biggest obstacles when it comes to modern passwordless authentication based on FIDO2 and passkeys [52]. The FIDO Alliance recommends (purchasing), registering, and safely storing a second authenticator in case access to the primary one gets lost [28]. However, they themselves acknowledge that this is just a quick fix recommended in the absence of better alternatives. Microsoft's alternative is a so-called Temporary Access Pass (TAP), which is a time-limited single-use passcode, comparable to the 6-digit security code that we sent via SMS. Users are asked to enter their TAP (e.g., received via SMS) when they register their first passwordless authenticator. While the scheme is intended to be used during account creation, Microsoft states that "this method can also be used for easy recovery when the user has lost or forgotten their authentication factor" [61]. These examples indicate that the findings of our study will likely remain relevant even with the progression of FIDO2 passwordless authentication.

Recommendations
We want to close with recommendations based on the study's results for the four analyzed fallback schemes and the three callback times we considered:

Email and SMS
Recommendable options should sustain usability criteria for frictionless resets, reducing cost-intensive manual reviews. Schemes based on email and SMS meet these requirements, being sufficiently reliable (see Section 4.1) and perceived as usable (see Section 4.3). Trusted contacts could fulfill the requirements to some extent if used in a modified, autonomous way. The original protocol showed multiple drawbacks, similar to Personal Knowledge Questions, which are also not recommended.

Authentication Time is Less Relevant
For authentication, login times are an important criterion. Our results indicate that login times are generally comparable between fallback schemes, and the differences only partially influence the overall usability of a system (see Section 4.2). Thus, services can, to a certain extent, sacrifice quick recovery in favor of availability and security. Using hybrid systems might be an option, such as letting users provide multiple fallback emails to which reset codes are sent.

Provide & Encourage Multiple Reset Options
No fallback method is perfect and universally accessible to everyone. Thus, services should always provide multiple reset options for users to choose from. Users should be made aware of the different security levels available, ideally promoting schemes that offer a usability and security level similar to email and SMS. Additionally, services should promote multiple enrollments to ensure continuous account access in case one reset mechanism fails (see Section 4.1). As resets lie months or years in the future, users likely cannot foresee situations requiring a reset when creating an account. Thus, services should inform users that registering multiple methods increases the chances of regaining access.

Ensure Up-To-Date Information
Services should regularly remind users to review their reset information. Our study showed that information like email addresses or trusted contacts is subject to change even after only 1.5 years (see Section 4.1). Real-world accounts are usually held much longer than that, increasing the potential for changes. Regularly ensuring information is up to date increases the ability to complete resets, even after years. Moreover, since email addresses and phone numbers are subject to reassignment, it ensures that only the intended person can perform a reset.

B.3 Designated Trustees
Hi,
We are researchers conducting a study about changes in spatial reasoning ability over time. The person who uses the email address participant-1@gmail.com is participating in this study and selected you as a trusted contact. As a trusted contact, you will help our participant get back into their account for the study in case the password needs to be reset.
With this email, we are just informing you about this role. You do not have to do anything at all. However, if you want to learn more about our study, feel free to visit our website https://mental-rotation.com.
Thank you!
The MRT Team

Password Reset
The person who uses the email address participant-1@gmail.com is participating in our study about changes in spatial reasoning ability and wants to reset the password for the account used in the study.
You are receiving this email because we use "Trusted Contacts" for the password reset. That means our participants state the email addresses of trusted contacts, and each of those contacts receives a security code when a password reset is initiated. By providing these codes, the participant confirms their identity and is able to set a new password.
Therefore, we kindly ask you to provide the following code in case the person reaches out to you: 123456
To prevent any malicious activity, please ensure that the person who receives the code has access to the email address participant-1@gmail.com.
If you want to learn more about our study, feel free to visit our website https://mental-rotation.com.
Thank you for your help!
The MRT Team
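The two emails above describe the designated-trustees protocol from the trustee's side only: each trusted contact receives a separate code, and the participant must collect the codes and present them to set a new password. The following is an added example (not the study's own code) of the server-side half of that protocol, written to show the checks a practitioner would want around it: codes are generated per trustee, stored only as HMAC tags so a database leak does not disclose them, compared in constant time, expired after a TTL, and locked after a few wrong submissions. The names (`TrusteeReset`, `ResetRequest`), the in-memory store, the one-hour TTL, the attempt limit and the k-of-n threshold option are assumptions; the study itself required three trusted contacts, and the default here is that all registered trustees' codes must be presented.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # the email template above shows a 6-digit code
CODE_TTL_SECONDS = 3600  # assumption: codes are only valid for an hour
MAX_ATTEMPTS = 5         # assumption: lock the request after repeated wrong codes


@dataclass
class ResetRequest:
    account: str
    code_tags: dict      # normalized trustee email -> HMAC tag of the code mailed to them
    created_at: float
    threshold: int       # how many correct codes are needed (k of n)
    attempts: int = 0
    consumed: bool = False


class TrusteeReset:
    """Hypothetical server-side model of the designated-trustees reset flow."""

    def __init__(self, server_key: bytes, threshold: int = 0, now=time.time):
        self._key = server_key          # secret used to tag codes before storage
        self._threshold = threshold     # 0 means "all registered trustees"
        self._now = now                 # injectable clock, for testing expiry
        self._trustees = {}             # account -> sorted list of trustee emails
        self._requests = {}             # account -> pending ResetRequest

    @staticmethod
    def _norm(addr: str) -> str:
        return addr.strip().lower()

    def _tag(self, account: str, trustee: str, code: str) -> bytes:
        # Bind the tag to account and trustee so a code cannot be replayed across
        # requests or presented under a different trustee's name.
        msg = f"{account}\0{trustee}\0{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, account: str, trustees) -> None:
        normalized = sorted({self._norm(t) for t in trustees})
        if self._norm(account) in normalized:
            raise ValueError("a trustee must not be the account's own address")
        if len(normalized) < 2:
            raise ValueError("at least two distinct trustees are required")
        self._trustees[account] = normalized

    def initiate(self, account: str) -> dict:
        """Start a reset; returns trustee -> plaintext code for the mailer to deliver."""
        trustees = self._trustees[account]
        codes = {t: f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
                 for t in trustees}
        k = self._threshold or len(trustees)
        # Any earlier pending request for this account is replaced outright.
        self._requests[account] = ResetRequest(
            account=account,
            code_tags={t: self._tag(account, t, c) for t, c in codes.items()},
            created_at=self._now(),
            threshold=k,
        )
        return codes   # only the plaintext codes leave this function, never the tags

    def redeem(self, account: str, presented: dict) -> bool:
        """Return True exactly once, when enough correct codes are presented in time."""
        req = self._requests.get(account)
        if req is None or req.consumed:
            return False
        if self._now() - req.created_at > CODE_TTL_SECONDS:
            del self._requests[account]      # expired: a fresh initiate() is required
            return False
        if req.attempts >= MAX_ATTEMPTS:
            return False                     # locked; operator intervention assumed
        req.attempts += 1
        good = 0
        for trustee, code in presented.items():
            t = self._norm(trustee)
            expected = req.code_tags.get(t)
            if expected is not None and hmac.compare_digest(
                    expected, self._tag(account, t, code)):
                good += 1
        if good >= req.threshold:
            req.consumed = True              # single use: the codes are now dead
            return True
        return False
```

In the dependent usage the study observed, the participant waits for each trustee to relay their code, so the TTL has to be generous enough for that turnaround while still bounding the window in which an attacker who has compromised one trustee's mailbox can try to collect the rest. The check in the second email ("ensure that the person who receives the code has access to the email address") is a human step that the server cannot enforce; binding the tag to the account and trustee at least stops a code mailed to one trustee from being counted under another trustee's name.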

[Figure 2 screenshots; recoverable text of the four fallback setup forms:]
(a) Email/Signup Form: "Please create an account by providing the data in the fields below. You need to create an account because we want to track and compare the changes over time. When we invite you to the second and third stage, you will use this information to log into your account." Fields: Email, Password, Confirm Password.
(b) Security Questions: "Please choose three different security questions and answer them. If you cannot access your account because you forgot your password, we will use this information to help you get back in." Offered questions: What is the first name of your best friend? What is the last name of your favorite elementary school teacher? What is the name of the street where you grew up? What is the name of your high school? What is your city of birth? What is your favorite sports team? What is your mother's maiden name? Who was your favorite film star or character in school?
(c) SMS: "Please provide your phone number below. If you cannot access your account because you forgot your password, we will use this information to help you get back in. Note, we will send you an SMS with a confirmation code in the next step to guarantee that you are able to receive SMS messages from us. So make sure you have your mobile phone within reach." Field: Phone Number.
(d) Designated Trustees: "Please provide the email addresses of three trusted contacts to help if you get locked out of your account."

Figure 2: Screenshots of the fallback setup pages displaying the respective information for the different fallback schemes. The form of the email scheme shown in Figure 2a was the standard form that all participants had to complete to create an account.

Figure 4: Password reset times for the different fallback schemes. For the designated trustees scheme, we show two additional plots where we separated participants into those who used the scheme in a dependent or autonomous way. For the sake of clarity, we limited the x-axis to 600 s. The median and average for the dependent sub-group are 27 min and 62 min, respectively.

Figure 8: Email we sent to trusted contacts informing them about their role. Additionally, this email was used to confirm that the provided email address exists.

Figure 9: The email we sent to the trusted contacts containing the reset code.

Table 1: The considered fallback authentication schemes as well as the security assumption they rely on.

Scheme              | Reset action                                               | Security assumption
Email               | Click on reset link sent to registered email account       | Secrecy of the channel and access to the email account
SMS                 | Provide reset code sent via SMS to a registered phone number | Secrecy of the channel and access to the phone
PKQ                 | Answer security questions referring to personal knowledge  | Difficulty to answer the questions (targeted and trawling attacks)
Designated Trustees | Provide reset codes sent to registered trusted contacts    | Ability of trusted contacts to only share the reset code with the user