Security and Usability: The Case of the User Authentication Methods

Christina Braz
Université du Québec à Montréal
[email protected]
C.P. 8888, succ. Centre-ville, Montreal, QC H3C 3P8, Canada

Jean-Marc Robert
École Polytechnique de Montréal
[email protected]
C.P. 6079, succ. Centre-ville, Montreal, QC H3C 3A7, Canada

ABSTRACT
The usability of security systems has become a major issue in research on the efficiency and user acceptance of security systems. The authentication process is essential for controlling access to various resources and facilities. The design of usable yet secure user authentication methods raises crucial questions about how to resolve the conflicts between security and usability goals.

KEYWORDS: Security Usability, User Authentication, Human Factors, Access Control, User Interface Design.

RÉSUMÉ (translated from the French)
The usability of computer security systems has become one of the major problems in research on the efficiency and user acceptance of computer security systems. The authentication process is therefore crucial for controlling remote access to resources and facilities. The design of user authentication methods that are easy to use then raises important questions such as: how can the existing conflicts between the usability and security objectives applied to computer systems be resolved?

CATEGORIES AND SUBJECT DESCRIPTORS: H.1.2 [User/Machine Systems]: Human factors; K.6.5 [Security and Protection]: Authentication; D.4.6 [Security and Protection]: Access controls, Authentication.

GENERAL TERMS: Security in HCI, Usability vs Security, Biometric Data.

INTRODUCTION
User authentication is the entry point to the computing networks or facilities in which a set of services is rendered to users or a set of tasks can be performed. Once authenticated, the user can gain access for example
to a company's Intranet, consoles, databases, buildings, vehicles, etc. The usability of authentication mechanisms has seldom been investigated, and since security mechanisms are conceived, implemented, put into practice and violated by people, human factors should be taken into account in their design [1]. Usability therefore becomes a strategic issue in the establishment of user authentication methods. Usability can be defined as "the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use" [5]. Security usability is concerned with the study of how security information should be handled in the user interface [6] and with how security mechanisms and authentication systems themselves can be made easy to use. This paper presents the usability issues of user authentication methods in the computer security and access control domains. It aims at tackling this growing problem, contributing to the discussion and helping systems developers to make decisions concerning the usability of security systems.

HUMAN FACTORS ASPECTS OF USER AUTHENTICATION METHODS
To date there has been very little research on security usability; as a consequence, both suitable usability design methods specific to security and a model of Graphical User Interface (GUI) for authentication methods are needed. The primary data gathered on security usability concern the usability evaluation of Pretty Good Privacy (PGP) [11], a public key encryption program primarily intended for authentication and email privacy; a rule-based authorization engine called MAP [13]; previous work on the design of secure user interfaces for network applications (i.e. authentication of the communication) [6]; and finally a few generic white papers on the matter. In a nutshell, research on Human Computer Interaction (HCI) and Security has been sporadic, and even more so on user authentication methods.
Security and usability are both essential in the authentication process. However, the requirements for a high level of security while maintaining adequate usability are frequently in conflict with each other, and a suitable balance has to be found. The potential conflicts between security and usability might be minimized by making use of some general design heuristics, such as: minimize the user input; make decisions in the name of the user; notify the user of actions taken on her/his behalf; and provide the user with the capability to undo those actions when possible, and if not, minimize their impact. However, as stated earlier, there is no recognized set of usability principles and standards for authentication methods. The next section of the paper presents some Human Factors issues of the authentication methods.
Password Complexity
Passwords are the first line of defence against attacks on a computer system. The rules for password choice can certainly be a cumbersome problem for a user and a security problem for a system. For instance, very trivial choices that are easy to guess are broken within seconds using password cracking techniques; the longer the password, the more difficult it is to crack. To prevent hackers from gaining access to our computers or files, experts recommend using complicated passwords, which in the first instance increases the short-term memory load of users, causing frequent errors. In fact, the capacity of short-term memory is normally limited to 7 ± 2 items (e.g. letters, digits, words, etc.) [7]. Traditional password systems include many design features intended to make trial-and-error attacks as difficult as possible. In doing so, they violate most of the recognized usability standards for computer systems. Of the eight "Golden Rules" for interface design recommended by Shneiderman [9], password interactions break six (Table 1). Table 2 shows how to minimize the security/usability conflict for each of these golden rules. In addition, users should follow a set of rules (i.e. a password security policy) especially related to password creation: "All passwords must be at least six characters long; Include numbers and letters; Include a mix of upper and lower case; Use different passwords for each system; Change once a month; Do not write anything down" [10].

Table 1: Do the 8 golden Rules of User Interface Design apply to security systems?

  Golden Rules of User Interface Design                    | Adequate for Passwords?
  1. Strive for consistency                                | Yes
  2. Frequent users can use shortcuts (A)                  | No
  3. Provide informative feedback (B)                      | No
  4. Dialogs should yield closure                          | Yes
  5. Prevent errors and provide simple error handling (C)  | No
  6. Easy reversal of any action (D)                       | No
  7. Put the user in charge (E)                            | No
  8. Reduce short-term memory load (F)                     | No

Table 2: How to deal with the golden rules using heuristics.

  Item | Usability | Security
  (A)  | Users can't take shortcuts: the system won't match the first few letters typed and fill in the rest. | Prevents dictionary(1) and eavesdropping(2) attacks.
  (B)  | Users hardly see the password they type: they can't find out repeated letters/accidental misspellings. | Prevents guessing attacks and social engineering(3).
  (C)  | Most systems only mention success or failure: they don't show how close the password guess was, or even discern between a mistyped username and a mistyped password. | Prevents guessing, eavesdropping and social engineering attacks.
  (D)  | Most systems keep track of incorrect guesses and take irreparable action (locking the user's account) if several bad guesses happen. | Prevents guessing, eavesdropping and social engineering attacks.
  (E)  | The system makes users "responders" to actions rather than the initiators. | Prevents guessing, eavesdropping and social engineering attacks.
  (F)  | Users must follow a set of security policies related to password creation recommended by [10]. Short-term memory is normally limited to 7 ± 2 items. | Prevents guessing, eavesdropping and social engineering attacks.

(1) A form of attack in which an attacker uses a large set of likely combinations to guess a secret. (2) Electronic eavesdropping is the intentional surveillance of data:

In a highly networked world, wherein users must access multiple applications, password protection is considered costly, awkward and insecure. The requirement to authenticate in order to access different applications, services or facilities might generate frustration among users on a day-to-day basis, because users might need to access the same secured applications frequently within a short period of time.
Locking PIN Systems
A classic strategy to defend against Personal Identification Number (PIN) guessing attacks on authentication tokens is to lock the token after three consecutive invalid PIN attempts. However, this classic strategy can seriously undermine the usability of the system. Once the PIN has been locked, it can only be unlocked by the token administrator. This is the worst-case scenario for usability: when the administrator is not available, the user is blocked and no reversible action is possible.

Cumbersome Data Input of Challenge-Response Calculators
Challenge-response calculators (CRC) require even more data input than other authentication methods (a user ID, a password, a PIN and a "challenge", e.g. an authentication server creates a "challenge", typically a random number, and sends it to the client machine). Therefore, the difficulty of data input and the probability of input errors are higher (i.e., CRC do not echo the password back on the screen as it is typed, or they only display asterisks in place of the actual characters).
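The lockout trade-off described above for PIN tokens, and row (D) of Table 2, can be made concrete in code. The following Python is an added example, not code from the paper: it contrasts a hard lock after three consecutive failures with an escalating-delay policy that keeps a user's own typos reversible, using a constructed PIN and attempt sequence, and bounds how many guesses per day the delay policy allows.

```python
from dataclasses import dataclass
import hmac

CORRECT_PIN = "4827"  # constructed sample; a real verifier compares salted hashes


@dataclass
class HardLock:
    """Classic token policy: 3 consecutive failures lock the account for good."""
    max_failures: int = 3
    failures: int = 0
    locked: bool = False

    def attempt(self, pin: str, now: float) -> str:
        if self.locked:
            return "locked"  # not reversible by the user: needs an administrator
        if hmac.compare_digest(pin, CORRECT_PIN):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "fail"


@dataclass
class Backoff:
    """Delay doubles after each failure (2 s, 4 s, ..., capped at 1 h) and resets
    on success; waiting out the delay undoes a typo without an administrator."""
    base: float = 2.0
    cap: float = 3600.0
    failures: int = 0
    next_allowed: float = 0.0

    def attempt(self, pin: str, now: float) -> str:
        if now < self.next_allowed:
            return "wait"  # refused, and not counted as a guess
        if hmac.compare_digest(pin, CORRECT_PIN):
            self.failures = 0
            self.next_allowed = 0.0
            return "ok"
        self.failures += 1
        self.next_allowed = now + min(self.base * 2 ** (self.failures - 1), self.cap)
        return "fail"

    def guesses_possible(self, seconds: float) -> int:
        """Upper bound on wrong guesses one attacker can submit against one
        account in `seconds`; compare with the 10,000 values of a 4-digit PIN."""
        elapsed, n = 0.0, 0
        while True:
            n += 1
            elapsed += min(self.base * 2 ** (n - 1), self.cap)
            if elapsed > seconds:
                return n


def run(policy, attempts):
    """Replay (time, pin) pairs through a policy; return the outcome per attempt."""
    return [policy.attempt(pin, t) for t, pin in attempts]

# Constructed scenario: a legitimate user mistypes three times, then gets it right.
# HardLock yields ['fail', 'fail', 'locked', 'locked']; Backoff ['fail', 'fail', 'fail', 'ok'].
USER_TYPOS = [(0, "4872"), (5, "4278"), (10, "4287"), (30, "4827")]
```

Under the backoff policy the same user is back in after the delay, while `Backoff().guesses_possible(86400)` shows an attacker limited to 34 guesses per day against one account.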
No Usability Features of Public Key Infrastructure (PKI)
In order to illustrate the usability issues in a user authentication method, let us briefly present the "Usability of Security: A Case Study" [11], which was performed to evaluate the usability of Pretty Good Privacy (PGP) 5.0. PGP is a standard software package, developed by Phil Zimmermann [12], which uses a Public Key Infrastructure to encrypt, decrypt and digitally sign data for the encryption of electronic mail. The authors chose PGP because it has a good user interface according to established standards, and they aimed to find out whether that was sufficient to allow non-programmers who know little about security to use it effectively. The results obtained through a cognitive walkthrough and user testing show that users had difficulty in: avoiding dangerous errors, encrypting a message, understanding the public key model, figuring out the correct key to encrypt with and how to encrypt with any key, decrypting a message, publishing the public key, and finally verifying a signature on an email message. These are just the basic tasks to be performed in order to use the program correctly. Therefore, according to the authors, PGP is not sufficiently usable to provide effective security for most email users, because there is a "mismatch between the design philosophy behind its user interface, and the usability needs of a security utility".
Redundancy Factor of Biometrics Systems
authentication technique, i.e. a two-factor authentication; in a two-factor technique (e.g. coupling biometrics with smart card technology) the "redundancy" of the authentication augments the security level, but at the same time diminishes the user experience. Furthermore, there can be serious limitations with some biometric measures (e.g. there is a range of eye diseases that affect the capability of an iris recognition system to capture an appropriate image of the eye [4]) and with their level of social acceptability. In such cases, the authentication process must be built with redundancy, so that a second method is provided in order to confirm the user's identity. However, an authentication process also involves the user being enrolled and verified. Hence, we should focus on enhancing user experience and convenience when choosing an authentication method.
Comparative Analysis of the Authentication Methods
As part of this project, we developed a comparative analysis of the different features encountered in authentication methods, summarized in Table 3. To describe the features we make use of subjective rating scales: "Security" and "Usability" (ranging from 1 = Minimum to 5 = Maximum, to measure the degree of severity of the issues related to each authentication method), and "Automatism versus Human" (ranging from 1 = Human is better to 5 = Machine is better). The feature "Accuracy" has two measures for authentication by biometrics: (i) the False Reject Rate (FRR), where a legitimate user is rejected by the acquisition device; (ii) the False Acceptance Rate (FAR), where a false user is accepted. The "Average Attack Space" (AAS) corresponds to the number of guesses an attacker must make in order to disclose the secret (e.g. passwords, PINs, etc.). Abbreviations used in Table 3: PK = Public Key; PRK = Private Key; SSO = Single-Sign-On; TGS = Ticket Granting Service.
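The FRR/FAR accuracy measures defined above can be illustrated with a threshold sweep over match scores. The following Python is an added example, not code from the paper; the genuine and impostor similarity scores are constructed, and the functions show how tightening the acceptance threshold to meet a FAR target (security) raises the FRR paid by legitimate users (usability).

```python
# Constructed similarity scores in [0, 100]: legitimate users re-presenting
# their own template, and impostors presenting someone else's template.
GENUINE = [91, 88, 95, 72, 84, 90, 67, 93, 86, 79, 96, 81, 58, 89, 92]
IMPOSTOR = [23, 41, 35, 62, 18, 47, 29, 55, 38, 71, 26, 44, 33, 49, 60]


def frr(genuine, threshold):
    """False Reject Rate: share of legitimate users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False Acceptance Rate: share of impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def sweep(genuine, impostor, thresholds):
    """Return (threshold, FRR, FAR) for each candidate threshold."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold meeting a security target (FAR <= max_far), together
    with the usability cost (FRR) that target implies."""
    for t in range(0, 101):
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return 101, 1.0  # no threshold meets the target: reject everyone


def equal_error_threshold(genuine, impostor):
    """Threshold where FRR and FAR are closest (the usual one-number summary)."""
    return min(range(0, 101), key=lambda t: abs(frr(genuine, t) - far(impostor, t)))


if __name__ == "__main__":
    for t, r, a in sweep(GENUINE, IMPOSTOR, range(50, 91, 10)):
        print(f"threshold {t:3d}: FRR {r:5.1%}  FAR {a:5.1%}")
    print("EER threshold:", equal_error_threshold(GENUINE, IMPOSTOR))
    print("FAR <= 5% needs (threshold, FRR):", threshold_for_max_far(GENUINE, IMPOSTOR, 0.05))
```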
Authentication Methods - Vulnerabilities still remain
Despite the efforts made by organizations to provide suitable authentication methods, vulnerabilities still remain. Mechanisms and models that are complicated for the user will be misused. When an authentication method is too demanding, the user might not keep up with the increasing workload (e.g. a user might refuse to change her/his password each time s/he logs on). Thus, organizations tend to blame mostly users for the human failure of not handling complex and demanding technical systems. However, Norman argues that what we often view as human error is the result of design flaws that may be surmounted [8]. According to Computing Technology
Table 3: Comparative analysis of the authentication methods. [The table's column layout did not survive extraction; its row headers, the methods compared and the legible cell contents are listed below.]

Features (rows): Feature/Acquisition Device; Definition; Data collection environment; Input Process Time; Industrial Application; Accuracy; Advantages; Disadvantages; Security (1-5); Usability (1-5); Human versus Automatism (1-5); Ease of deployment.

Methods (columns) with their definitions: Passwords (PW): knowledge based, 8 to 12 digits; PIN: knowledge based, 4 digits; Proximity card: token, RFID based (up to 10 cm of the reader, frequency 13.56 MHz); One Time Generators: token; Challenge Response: token; Multi-function card: token; Public Key (PK) Cryptography: authentication (PK and PRK); Kerberos: authentication, Key Distribution Center; Fingerprint: biometrics, user scanning; Voice: biometrics, user voice when speaking; Keystroke: biometrics, user's typing rhythm; Retina/Iris: biometrics, pattern of blood vessels; Hand: biometrics; Signature: biometrics, length/width, pen pressure; Face: biometrics, high-definition graphic; RFID: under-the-skin ID chip.

Data collection environments: computer-based network; RFID based; site-based (access control); PK infrastructure-based; distributed-based network; telecom/computer-based network.

Input process times: <5 secs; 2-5 secs; 15 s to 5 m; 7-20 secs; 5-10 secs; 5-15 secs; 5 secs to 15 m; not yet implemented (RFID chip).

Industrial applications: Unix [10], Windows NT/2000/keychain; XyLoc, SageID, etc.; RSA SecurID, Secure Computing, etc.; CryptoCard, ActivCard, etc.; Axalto, Gemplus, etc.; Pretty Good Privacy (PGP); Kerberos 5 Release 1.3.2; Digital Persona, Visionics; Apple Mac OS X, Voice Security; CyberSign; PrivateID, Exclé, etc.; Net Nanny's BioPassword.

Accuracy: AAS = 2^15 to 2^23 (dictionary attack) [10]; AAS = 13 bit [10]; AAS = 2^19; AAS = 54 bit [10]; AAS up to 2^63 [10]; AAS for a 1024-bit PK = 2^86 [10]; FRR = 1 to 20%, FAR = 0.001 to 5%; FRR = 10 to 20%, FAR = 2 to 5% [10]; FRR = 2try 10%, FAR = 2try 0,58; FRR = 2 to 10%, FAR ≥ 0.001% [10]; average 98% rate in recognizing individuals [2]; no data available.

Advantages: PW difficult to guess; no synchronization; built-in dynamic data processing; user credentials once per login session; mutual authentication; ease of collection; no PWs; lasts longer (contactless); networkless; unchangeable (lifetime); no enrolment; forging or stealing the chip is pretty hard; can sign at any time.

Disadvantages: can be forgotten; theft, fraud, counterfeit; brute force, dictionary attack; users share their access permissions; need of a smart card reader; PK is a single point of attack; scalability; criminal affiliation; changes over time; excessive user cooperation; masquerade (spoofing).

The Security, Usability, Human versus Automatism and Ease of deployment ratings (values 1 to 5) cannot be assigned to their columns in this copy.
Notes to Table 3:
1. Software generated, more robust, and break six rules of User Interface Design [9];
2. Automatism is related to the "acquisition device or data generator" presented by the user (e.g., PIN, memory card, fingerprint, etc.);
3. Machines generate more secure and automatic passwords;
4. Novel Neural Net Recognizes Spoken Words Better Than Human Listeners (2003), University of Southern California (US). Retrieved January 2006, <…_video.html>;
5. User average tapping speed;
6. Average swiping speed (i.e. the ideal swiping speed has to do with your self-confidence: timid people swipe slower, nervous people swipe too fast, and confident people swipe at the ideal speed);
7. User data collection is the time period a person must spend to have her/his biometric reference template successfully created (i.e. enrolment and verification time), but it can vary dramatically;
8. Verification is built on the concept that the rhythm with which the user types is distinguishing;
9. System processing time;
10. RSA Security SecurID Token. Retrieved February 21, 2006, http://www.rsasecurity.com/node.asp?id=1156;
11. Cards are intended to operate within up to 10 cm of the reader antenna at a frequency of 13.56 MHz (ISO/IEC 14443-1:2000);
12. Maximum tolerance for computer clock synchronization: this is the maximum time skew that can be tolerated between a ticket's timestamp and the current time at the Kerberos Key Distribution Center (KDC);
13. Net Nanny's BioPassword. Retrieved February 21, 2006.

User satisfaction can be reached if the system is in accordance with the user's mental model of the task. For instance, the user might regularly use the password-based authentication method, which must be easy to learn and remember, requiring little memory from users whose minds are already occupied with the task itself and whose time is valuable.

CONCLUSION
There is more and more research and development on computer system security, but still very little research on the usability issues of security mechanisms and techniques. To be able to build reliable, effective and usable security systems, we need specific guidelines that take into account the specific constraints of security mechanisms. Systems should be built so as to be easy to learn and use by users with different backgrounds and skills. Human factors should be incorporated into the development of security solutions, with usability central throughout the whole development process.

REFERENCES
1. Adams, A. & Sasse, M. (1999) Users Are Not the Enemy, Communications of the ACM, vol. 42, nº 12.
2. Braz, C. (2003) AuthenLink: A User-Centred Authentication System for a Secure Mobile Commerce, Master Thesis, Department of Computer Science and Operations Research, Université de Montréal (Canada).
3. Computing Technology Industry Association (CompTIA) (2002) Committing to Security: A CompTIA Analysis of IT Security and the Workforce, Oakbrook Terrace, IL (US).
4. Daugman, J. (2005) Results from 200 Billion Iris Cross-comparisons, Technical Report, Computer Laboratory, University of Cambridge (UK). Retrieved on February 21, 2006.
5. International Organization for Standardization (1998) ISO 9241-11: Ergonomic requirements for office work with visual display terminals (VDTs), Part 11: Guidance on Usability.
6. Jøsang, A. & Patton, M. (2001) User Interface Requirements for Authentication of Communication, Security Usability White Paper, Distributed Systems Technology Centre, QUT, Brisbane, Qld 4001 (Australia).
7. Miller, G. A. (1956) The magical number seven plus or minus two: Some limits on our capacity for processing information, Psychological Review, 63, 81-97.
8. Norman, Donald A. (2001) The Psychology of Everyday Things, Basic Books, Inc., Publishers, New York, NY (US).
9. Shneiderman, B. (1998) Designing the User Interface: Strategies for Effective Human Computer Interaction, Chapter 2, Addison-Wesley, Reading, MA (US).
10. Smith, R. (2002) Authentication: From Passwords to Public Keys, Addison-Wesley, 1st edition (US).
11. Whitten, A. & Tygar, J. D. (1998) Usability of Security: A Case Study, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA and EECS/SIMS, University of California, Berkeley, CA (US).
12. Zimmermann, P. (2004) Phil Zimmermann's Home Page, Phil Zimmermann & Associates LLC. Retrieved on February 11, 2006.
13. Zurko, M. & Simon, R. (1997) User-Centered Security, The Open Group Research Institute, Cambridge, MA (US).