Usable security: User preferences for authentication methods in eBanking and the effects of experience

Multi-factor authentication involves the use of more than one mode in authentication processes and is typically employed to increase security compared to a fixed password (knowledge-based mode). This research compared three different eBanking authentication processes: a two-layer password (1-factor) method and two alternative 2-factor solutions. The 2-factor processes used One-Time-Passcodes (OTPs) delivered either via a small, single-use device or by text message to a mobile phone. The three authentication methods were compared in a repeated-measures experiment with 141 participants. Three user groups were balanced in the experiment to investigate the effect of experience (current users of the service) on perceptions of usability and security. Attitudes toward usability were measured and observations were taken for each process. Other data gathered included quality ratings, preferences and ranked comparisons regarding convenience and security issues. Both 2-factor methods scored significantly higher than the 1-factor method for eBanking authentication usability metrics overall, but experienced users gave higher scores to the 1-factor method they currently use. Overall preferences were spread evenly between the three methods. However, the majority of the participant sample perceived the 1-factor method they had most experience with as being the most secure and most convenient option. The results offer insight into customer attitudes important in their selection of authentication options: convenience, personal ownership and habitual experience of processes.
