A process for supporting risk-aware web authentication mechanism choice

Web authentication is often treated as a one-size-fits-all problem with ubiquitous use of the password. Indeed, authentication is seldom tailored to the needs of either the site or the target users. This paper does an in-depth analysis of all the vulnerabilities of authentication mechanisms, and proposes a structured and simple process which, if followed, will enable developers to choose a web authentication mechanism so that it matches the needs of their particular site.
