A Field Study of User Behavior and Perceptions in Smartcard Authentication

A field study of 24 participants over 10 weeks explored user behavior and perceptions in a smartcard authentication system. Ethnographic methods used to collect data included diaries, surveys, interviews, and field observations. We observed a number of issues users experienced while they integrated smartcards into their work processes, including forgetting smartcards in readers, forgetting to use smartcards to authenticate, and difficulty understanding digital signatures and encryption. The greatest perceived benefit was the use of an easy-to-remember PIN in place of complicated passwords. The greatest perceived drawback was the lack of smartcard-supported applications. Overall, most participants had a positive experience using smartcards for authentication. Perceptions were influenced by personal benefits experienced by participants rather than an increase in security.
