Effects of Authentication Method and System Properties on Authentication Decisions and Performance

Knowledge-based authentication is the oldest and most widely used form of authentication, but it is still problematic. We present a model of the effects of usage cost variables (e.g., code length, required motion precision) on authentication performance (time for authentication, error rate) and on the decision to use authentication. We tested model predictions in two experiments in which participants played an investment game and had to use authentication to change their investment. We manipulated the authentication method (personal identification number vs. graphical password), the required precision for authentication, the code length, and time pressure. The variables affected authentication decisions and performance, but the effects were not the same. Also, when the graphical password required greater response precision, performance and subjective ratings decreased dramatically, much more than predicted by combining the effects of the variables independently. These results point to a number of issues that must be considered when designing authentication procedures.
