Network authentication using single sign-on: the challenge of aligning mental models

Healthcare organizations are struggling to meet industry best practices for information security as well as complying with regulatory requirements. Single sign-on technology is emerging as a leading technology for password authentication management and promises to improve security while curbing system maintenance costs. While the technology seems to be a simple viable solution for authentication, when placed in context, many socio-technical complexities emerge. One of these complexities is that of the mismatch between the users' mental models and the system model. This study was a 15-month ethnographic field study that followed the implementation of a single sign-on system in a hospital environment. It resulted in the finding that the misaligned mental models caused difficulties not only for the user but for the system administrators. The findings also indicate that not only was the user's mental model of the technology inaccurate, but the presentation of the technology by the information technology group contributed to this misaligned understanding. The end result was dissatisfaction with the new technology for both end users and the system administrators. In order to address the critical issue of mental model misalignment in the implementation of SSO technology, practitioners must first gain an understanding of the preexisting mental models had by the target users regarding authentication and then use this information to guide implementation of the new technology.

[1]  Christine L. Borgman The user's mental model of an information retrieval system: an experiment on a prototype online catalog , 1999, Int. J. Hum. Comput. Stud..

[2]  Helmut Schneider,et al.  The domino effect of password reuse , 2004, CACM.

[3]  M. Angela Sasse,et al.  Users are not the enemy , 1999, CACM.

[4]  Judith S. Olson,et al.  A mental model can help with learning to operate a complex device , 1993, CHI '93.

[5]  John M. Carroll,et al.  Mental Models in Human-Computer Interaction , 1988 .

[6]  Gerrit C. van der Veer,et al.  Mental models , 2002 .

[7]  Frank R. Abate,et al.  The new Oxford American dictionary , 2001 .

[8]  J. Yan,et al.  Password memorability and security: empirical results , 2004, IEEE Security & Privacy Magazine.

[9]  Sri Hastuti Kurniawan,et al.  Review of Interaction design , 2003 .

[10]  Audun Jøsang,et al.  Trust Requirements in Identity Management , 2005, ACSW.

[11]  M. Angela Sasse,et al.  Eliciting and describing users' models of computer systems , 1997 .

[12]  Martin R. Gibbs,et al.  Mediating intimacy: designing technologies to support strong-tie relationships , 2005, CHI.

[13]  Mahmoud Pegah,et al.  Regaining single sign-on taming the beast , 2003, SIGUCCS '03.

[14]  Jakob E. Bardram,et al.  The trouble with login: on usability and computer security in ubiquitous computing , 2005, Personal and Ubiquitous Computing.

[15]  Colin Potts,et al.  Design of Everyday Things , 1988 .

[16]  Ben Shneiderman,et al.  Designing the user interface (2nd ed.): strategies for effective human-computer interaction , 1992 .

[17]  Yvonne Rogers,et al.  Interaction Design: Beyond Human-Computer Interaction , 2002 .

[18]  B. Schneiderman,et al.  Designing the User Interface. Strategies for Effective Human-Computer Interaction , 1992 .

[19]  Ben Shneiderman,et al.  Designing the User Interface: Strategies for Effective Human-Computer Interaction , 1998 .

[20]  Yvonne Rogers,et al.  Beyond Interaction Design: Beyond Human-Computer Interaction , 2001 .

[21]  Austin Henderson,et al.  Interaction design: beyond human-computer interaction , 2002, UBIQ.

[22]  Christine L. Borgman The User's Mental Model of an Information Retrieval System: An Experiment on a Prototype Online Catalog , 1986, Int. J. Man Mach. Stud..

[23]  M. Patton,et al.  Qualitative evaluation and research methods , 1992 .