Usability of web authentication systems

Last updated

Usability of web authentication systems refers to the efficiency and user acceptance of online authentication systems. [1] Examples of web authentication systems are passwords, federated identity systems (e.g. Google OAuth 2.0, Facebook Connect, Sign in with Apple), email-based single sign-on (SSO) systems (e.g. SAW, Hatchet), QR code-based systems (e.g. Snap2Pass, WebTicket) or any other system used to authenticate a user's identity on the web. Even though the usability of web authentication systems should be a key consideration in selecting a system, very few web authentication systems (other than passwords) have been subjected to formal usability studies or analysis. [2]

Contents

Usability and users

A web authentication system needs to be as usable as possible whilst not compromising the security that it needs to ensure. [1] The system needs to restrict access by malicious users whilst allowing access to authorised users. If the authentication system does not have sufficient security, malicious users could easily gain access to the system. On the other hand, if the authentication system is too complicated and restrictive, an authorised user would not be able to (or want to) use it. [3] Strong security is achievable in any system, but even the most secure authentication system can be undermined by the users of the system, often referred to as the "weak links" in computer security. [4]

Users tend to inadvertently increase or decrease security of a system. If a system is not usable, security could suffer as users will try to minimize the effort required to provide input for authentication, such as writing down their passwords on paper. A more usable system could prevent this from happening. Users are more likely to oblige to authentication requests from systems that are important (e.g. online banking), as opposed to less important systems (e.g. a forum that the user visits infrequently) where these mechanisms might just be ignored. Users accept the security measures only up to a certain point before becoming annoyed by complicated authentication mechanisms. [4] An important factor in the usability of a web authentication system is thus the convenience factor for the user around it.

Usability and web applications

The preferred web authentication system for web applications is the password, [4] despite its poor usability and several security concerns. [5] This widely used system usually contains mechanisms that were intended to increase security (e.g. requiring users to have high entropy passwords) but lead to password systems being less usable and inadvertently less secure. [6] This is because users find these high entropy passwords harder to remember. [7] Application creators need to make a paradigm shift to develop more usable authentication systems that take the user's needs into account. [5] Replacing the ubiquitous password based systems with more usable (and possibly more secure) systems could lead to major benefits for both the owners of the application and its users.

Measurement

To measure the usability of a web authentication system, one can use the "usability–deployability–security" or "UDS" framework [5] or a standard metric, such as the system usability scale. [2] The UDS framework looks at three broad categories, namely usability deployability and security of a web authentication system and then rates the tested system as either offering or not offering a specific benefit linked to one (or more) of the categories. An authentication system is then classified as either offering or not offering a specific benefit within the categories of usability deployability and security. [5]

Measuring usability of web authentication systems will allow for formal evaluation of a web authentication system and determine the ranking of the system relative to others. While a lot of research regarding web authentication system is currently being done, it tends to focus on security and not usability. [1] Future research should be evaluated formally for usability using a comparable metric or technique. This will enable the comparison of various authentication systems, as well as determining whether an authentication system meets a minimum usability benchmark. [2]

Which web authentication system to choose

It has been found that security experts tend to focus more on security and less on the usability aspects of web authentication systems. [5] This is problematic as there needs to be a balance between the security of a system and its ease-of-use. A study conducted in 2015 [2] found that users tend to prefer Single sign-on (like those provided by Google and Facebook) based systems. Users preferred these systems because they found them fast and convenient to use. [2] Single sign-on based systems have resulted in substantial improvements in both usability and security. [5] SSO reduces the need for users to remember many usernames and passwords as well as the time needed to authenticate themselves, thereby improving the usability of the system.

Other important considerations

Future work

Usability will become more and more important as more applications move online and require robust and reliable authentication systems that are both usable and secure. The use of brainwaves in authentication systems [8] have been proposed as a possible way to achieve this. However more research and usability studies are required.

See also

Related Research Articles

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

<span class="mw-page-title-main">Password</span> Used for user authentication to prove identity or access approval

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

Telnet is a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet. It is a protocol for bidirectional 8-bit communications. Its main goal was to connect terminal devices and terminal-oriented processes.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.

<span class="mw-page-title-main">Cryptographic hash function</span> Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

In computer security, shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder. Unauthorized users watch the keystrokes inputted on a device or listen to sensitive information being spoken, which is also known as eavesdropping.

There are several forms of software used to help users or organizations better manage passwords:

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

In computer security, general access control includes identification, authorization, authentication, access approval, and audit. A more narrow definition of access control would cover only access approval, whereby the system makes a decision to grant or reject an access request from an already authenticated subject, based on what the subject is authorized to access. Authentication and access control are often combined into a single operation, so that access is approved based on successful authentication, or based on an anonymous access token. Authentication methods and tokens include passwords, biometric scans, physical keys, electronic keys and devices, hidden paths, social barriers, and monitoring by humans and automated systems.

Implicit authentication (IA) is a technique that allows the smart device to recognize its owner by being acquainted with his/her behaviors. It is a technique that uses machine learning algorithms to learn user behavior through various sensors on the smart devices and achieve user identification. Most of the current authentication techniques, e.g., password, pattern lock, finger print and iris recognition, are explicit authentication which require user input. Comparing with explicit authentication, IA is transparent to users during the usage, and it significantly increases the usability by reducing time users spending on login, in which users find it more annoying than lack of cellular coverage.

Passwordless authentication is an authentication method in which a user can log in to a computer system without the entering a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.

References

  1. 1 2 3 Christina Braz; Jean-Marc Robert (2006-04-18). "Security and Usability: The Case of the User Authentication Methods". ACM Digital Library. ACM New York, NY, USA. pp. 199–203. Retrieved 24 February 2016.
  2. 1 2 3 4 5 6 7 Scott Ruoti; Brent Roberts; Kent Seamons. "Authentication Melee: A Usability Analysis of Seven Web Authentication Systems" (PDF). 24th International World Wide Web Conference. pp. 916–926. Retrieved 2016-02-24.
  3. Schneier, Bruce. "Balancing Security and Usability in Authentication". Schneier on Security. Retrieved 24 February 2016.
  4. 1 2 3 Renaud, Karen (January 2004). "Quantifying the Quality of Web Authentication Mechanisms A Usability Perspective". Journal of Web Engineering. Retrieved 24 February 2016.
  5. 1 2 3 4 5 6 Bonneau, Joseph; Herley, Cormac; van Oorschot, Paul C.; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". 2012 IEEE Symposium on Security and Privacy (PDF). University of Cambridge Computer Laboratory. pp. 553–567. doi:10.1109/SP.2012.44. ISBN   978-1-4673-1244-8. ISSN   1476-2986.
  6. 1 2 Sundararaman, Jeyaraman; Topkara, Umut (2005). "Have the cake and eat it too - Infusing usability into text-password based authentication systems". 21st Annual Computer Security Applications Conference (ACSAC'05) (PDF). IEEE. pp. 473–482. doi:10.1109/CSAC.2005.28. ISBN   0-7695-2461-3. ISSN   1063-9527.
  7. 1 2 Ma, Y; Feng, J (2011). "Evaluating Usability of Three Authentication Methods in Web-Based Application". 2011 Ninth International Conference on Software Engineering Research, Management and Applications. IEEE. pp. 81–88. doi:10.1109/SERA.2011.18. ISBN   978-1-4577-1028-5.
  8. Financial Cryptography and Data Security. Springer Berlin Heidelberg. 2013. pp. 1–16. ISBN   978-3-642-41320-9.

Further reading