Using Fingerprint Authentication to Reduce System Security: An Empirical Study

Choosing the security architecture and policies for a system is a demanding task that must be informed by an understanding of user behavior. We investigate the hypothesis that adding visible security features to a system increases user confidence in the security of a system and thereby causes users to reduce how much effort they spend in other security areas. In our study, 96 volunteers each created a pair of accounts, one secured only by a password and one secured by both a password and a fingerprint reader. Our results strongly support our hypothesis -- on average. When using the fingerprint reader, users created passwords that would take one three-thousandth as long to break, thereby potentially negating the advantage two-factor authentication could have offered.
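The abstract states the finding in terms of how long a password would take to break. As an added illustration (not code from the paper or its authors), the Python below turns two passwords into brute-force guess counts, converts them to expected cracking time, and flags users whose two-factor account received the weaker password, which is exactly the pattern the study measured. The character-class guess-space model, the 10^9 guesses-per-second rate and the sample account pairs are assumptions constructed for this example; the abstract does not state the strength metric the paper used.

```python
import math
import string

# Assumed offline guessing rate, used only to turn a guess count into seconds.
# Constructed illustrative figure, not a value from the paper.
GUESS_RATE_PER_SECOND = 1e9

# Character classes for a simple brute-force model: an attacker who knows which
# classes a password draws on must try every string over that alphabet.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,     # 26
    "upper": string.ascii_uppercase,     # 26
    "digit": string.digits,              # 10
    "symbol": string.punctuation + " ",  # 33, so 95 printable ASCII in total
}


def alphabet_size(password):
    """Size of the union of character classes that occur in the password."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def guess_space(password):
    """Candidates an exhaustive search must cover: |alphabet| ** length."""
    if not password:
        return 1
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    """Guess space expressed in bits; the usual way to state password strength."""
    return math.log2(guess_space(password))


def expected_crack_seconds(password, rate=GUESS_RATE_PER_SECOND):
    """Expected time to a hit: on average half the space is searched."""
    return guess_space(password) / 2 / rate


def crack_time_ratio(weaker, stronger):
    """How many times faster `weaker` falls than `stronger`.
    Computed on guess spaces directly, so the ratio does not depend on the rate."""
    return guess_space(stronger) / guess_space(weaker)


def weaker_with_second_factor(account_pairs):
    """Flag users whose fingerprint-protected account got a weaker password than
    their password-only account. Each pair is
    (user, password_only_account_pw, fingerprint_account_pw).
    Returns [(user, how many times faster the weaker password breaks), ...]."""
    flagged = []
    for user, pw_only, pw_fp in account_pairs:
        if guess_space(pw_fp) < guess_space(pw_only):
            flagged.append((user, crack_time_ratio(pw_fp, pw_only)))
    return flagged


# Constructed sample: two users, each with a password-only and a fingerprint account.
SAMPLE_PAIRS = [
    ("alice", "Tr0ub4dor&3", "trouba"),        # weaker password on the 2FA account
    ("bob", "correcthorse", "CorrectHorse9!"),  # stronger password on the 2FA account
]

if __name__ == "__main__":
    for user, ratio in weaker_with_second_factor(SAMPLE_PAIRS):
        print(f"{user}: two-factor account password breaks {ratio:.3g}x faster")
    for pw in ("trouba", "Tr0ub4dor&3"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"~{expected_crack_seconds(pw):.3g} s at {GUESS_RATE_PER_SECOND:.0e} guesses/s")
```

Under this model a factor of about 3,000 in cracking time corresponds to roughly two and a half fewer lowercase characters (26^2.46 is about 3,000), which is the scale of regression the abstract reports for the fingerprint-protected accounts.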
