The Great Authentication Fatigue - And How to Overcome It

We conducted a two-part study to understand the impact of authentication on employees’ behaviour and productivity in a US governmental organisation. We asked 23 participants to keep a diary of all their authentication events within a 24-hour period, and subsequently interviewed them about their experience with authentication. We found that the authentication tasks employees have to perform not only carry a significant workload, but that the way in which authentication disrupts primary tasks reduces productivity and creates frustration. Our participants reported a range of coping strategies, including the use of tools and re-organising their work to avoid security. Avoidance meant they logged in less frequently and stopped using certain devices and services. They also reported not pursuing innovative ideas because of “the battle with security” that would be required. Our case study paints a picture of chronic ‘authentication fatigue’ resulting from current policies and mechanisms, and the negative impact on staff productivity and morale. We propose that organisations need to urgently re-think how they authenticate users in a pervasive technology requirement, and advocate a paradigm shift from explicit to implicit authentication.
