Quantifying the quality of web authentication mechanisms: a usability perspective

Users of secure computer systems or web sites are required to authenticate themselves: they usually supply a user identifier and then prove that they are indeed the person they claim to be. The authenticator of choice in the web environment is the simple password. Since the advent of the web, the proliferation of secure systems has placed an unacceptable burden on users, who must recall an increasing number of passwords that are often infrequently used. This paper reviews the research into different types of authentication mechanisms, including simple passwords, and proposes a mechanism for quantifying the quality of different authentication mechanisms, to support an informed choice by web site administrators.
