QUANTIFYING THE QUALITY OF WEB AUTHENTICATION MECHANISMS A USABILITY PERSPECTIVE

Authors

  • Karen Renaud Department of Computing Science, University Of Glasgow

Keywords:

Authentication, metric, memorability, accessibility, security, vulnerability

Abstract

Users wishing to use secure computer systems or web sites are required to authenticate themselves: they usually supply a user identification and then authenticate to prove that they are indeed the person they claim to be. The authenticator of choice in the web environment is the simple password. Since the advent of the web, the proliferation of secure systems has placed an unacceptable burden on users, who must recall increasing numbers of passwords that are often infrequently used. This paper reviews the research into different types of authentication mechanisms, including simple passwords, and proposes a mechanism for quantifying the quality of different authentication mechanisms, to support an informed choice by web site administrators.




Published

2004-09-22

How to Cite

Renaud, K. (2004). QUANTIFYING THE QUALITY OF WEB AUTHENTICATION MECHANISMS A USABILITY PERSPECTIVE. Journal of Web Engineering, 3(1-2), 095–123. Retrieved from https://journals.riverpublishers.com/index.php/JWE/article/view/4341
