27 research outputs found

    "They brought in the horrible key ring thing!" Analysing the Usability of Two-Factor Authentication in UK Online Banking

    To prevent password breaches and guessing attacks, banks increasingly turn to two-factor authentication (2FA), requiring users to present at least one more factor, such as a one-time password generated by a hardware token or received via SMS, besides a password. We can expect some solutions -- especially those adding a token -- to create extra work for users, but little research has investigated usability, user acceptance, and perceived security of deployed 2FA. This paper presents an in-depth study of 2FA usability with 21 UK online banking customers, 16 of whom had accounts with more than one bank. We collected a rich set of qualitative and quantitative data through two rounds of semi-structured interviews, and an authentication diary over an average of 11 days. Our participants reported a wide range of usability issues, especially with the use of hardware tokens, showing that the mental and physical workload involved shapes how they use online banking. Key targets for improvements are (i) the reduction in the number of authentication steps, and (ii) removing features that do not add any security but negatively affect the user experience

    Accessible Banking: Experiences and Future Directions

    This is a short position paper drawing on experience working with the UK banking industry and their disabled and ageing customers in the Business Disability Forum, a UK non-profit member organisation funded by a large body of UK private and public sector businesses. We describe some commonly reported problems of disabled customers who use modern banking technologies, relating them to UK law and best practice. We describe some of the recent banking industry innovations and the hope they may offer for improved inclusive and accessible multi-channel banking. Comment: 3 pages, presented at Workshop on Inclusive Privacy and Security (WIPS): Privacy and Security for Everyone, Anytime, Anywhere, held as part of Symposium on Usable Privacy and Security (SOUPS) 2015, July 22-24, 2015, Ottawa, Canad

    An Exploratory Study of User Perceptions of Payment Methods in the UK and the US

    This paper presents the design and the results of a cross-cultural study of user perceptions and attitudes toward electronic payment methods. We conduct a series of semi-structured interviews involving forty participants (20 in London, UK, and 20 in Manhattan, KS, USA) to explore how individuals use the mechanisms available to them within their routine payment and banking activities. We also study their comprehension of payment processes, the perceived effort and impact of using different methods, as well as direct or indirect recollections of (suspected or actual) fraud and related interactions with banks and retailers. By comparing UK and US participants, we also elicit commonalities and differences that may help better understand, if not predict, attitudes of US customers once technologies like Chip-and-PIN are rolled out – for instance, several US participants were confused by how to use it, while UK participants found it convenient. Our results show that purchasing habits as well as the availability of rewards schemes are primary criteria influencing choices relating to payment technologies, and that inconsistencies, glitches, and other difficulties with newer technologies generate frustration sometimes leading to complete avoidance of new payment methods

    Assessing the Effectiveness of the Implementation of Cybercrimes Mitigation Strategies in Selected Commercial Banks in Tanzania

    This study aimed to assess the effectiveness of implemented cybercrime mitigation strategies for commercial banks in Tanzania. Most financial sectors, like banks, are vulnerable to continuous attacks from external and internal cybercriminals such that the majority of banks spend their time updating and maintaining cybercrime mitigation strategies against cyber attacks. Despite the ongoing efforts to prevent cyber attacks the studies and experiences show that such attacks still occur regardless of the strong measures implemented against cyber attacks. It is articulated with different researchers that there is a gap to make resilient and stronger systems against cybercrimes. This research assessed the effectiveness of cybercrime mitigation strategies by analyzing public awareness, budget allocation, support from management, and availability of skilled personnel. The study used a sample of 885 respondents from five biggest banks in Tanzania. The collected data were analyzed using descriptive statistical methods. The implications emanating from the study were discussed.

    User authentication and authorization for next generation mobile passenger ID devices for land and sea border control

    Despite the significant economic benefits derived from the continuously increasing number of visitors entering the European Union through land-border crossing points or sea ports, novel solutions, such as next generation mobile devices for passenger identification for land and sea border control, are required to promote the comfort of passengers. However, the highly sensitive information handled by these devices makes them an attractive target for attackers. Therefore, strong user authentication and authorization mechanisms are required. Towards this direction, we provide an overview of user authentication and authorization requirements for this new type of devices based on the NIST Special Publication 500-280v2.1

    System usability scale evaluation of online banking service: A South African study

    Online banking is a critical service offered by financial institutions to their clientele to facilitate easier and faster access to financial services and transactions. Banks currently spend huge amounts of money on development and maintenance of websites and backend systems that offer online banking facilities to clients. Here we address the effect of moderating factors on online banking usability assessment in South Africa. Using statistical analysis techniques that included t-tests, ANOVA and correlation, we investigated whether there are statistically significant mean differences in system usability scale (SUS) scores based on a variety of moderating factors in South Africa. Findings based on a sample of 540 respondents show that SUS scores differ significantly based on factors such as age, experience and income, whereas factors such as gender, use frequency and employment did not affect the mean SUS scores. Given the individual SUS scores for a variety of users based on different demographics, the financial institutions might improve service usability to target specific user groups and realise their return on investment in digital banking channels. Therefore improving service usability might go a long way in encouraging online banking adoption in South Africa. School of Computin

    Strong authentication based on mobile application

    The user authentication in online services has evolved over time from the old username and password-based approaches to current strong authentication methodologies. Especially, the smartphone app has become one of the most important forms to perform the authentication. This thesis describes various authentication methods used previously and discusses possible factors that generated the demand for the current strong authentication approach. We present the concepts and architectures of mobile application based authentication systems. Furthermore, we take a closer look into the security of the mobile application based authentication approach. Mobile apps have various attack vectors that need to be taken under consideration when designing an authentication system. Fortunately, various generic software protection mechanisms have been developed during the last decades. We discuss how these mechanisms can be utilized in mobile app environment and in the authentication context. The main idea of this thesis is to gather relevant information about the authentication history and to be able to build a view of strong authentication evolution. This history and the aspects of the evolution are used to state hypothesis about the future research and development. We predict that the authentication systems in the future may be based on a holistic view of the behavioral patterns and physical properties of the user. Machine learning may be used in the future to implement an autonomous authentication concept that enables users to be authenticated with minimal physical or cognitive effort

    Password-Based Authentication and The Experiences of End Users

    Passwords are used majorly for end-user authentication in information and communication technology (ICT) systems due to its perceived ease of use. The use for end-user authentication extends through mobile, computers and network-based products and services. But with the attendant issues relating to password hacks, leakages, and theft largely due to weak, reuse and poor password habits of end-users, the call for passwordless authentication as alternative intensifies. All the same, there are missing knowledge of whether these password-based experiences are associated with societal economic status, educational qualification of citizens, their age and gender, technological advancements, and depth of penetration. In line with the above, understanding the experience of end-users in developing economy to ascertain their password-based experience has become of interest to the researchers. This paper aims at measuring the experience of staff and students in University communities within southeastern Nigeria on password-based authentication systems. These communities have population whose age brackets are majorly within the ages of 16 and 60 years; have people with requisite educational qualifications ranging from Diploma to Doctorate degrees and constitutes good number of ICT tools consumers. The survey had 291 respondents, and collected data about age, educational qualifications, and gender from these respondents. It also collected information about their password experience in social media network, online shopping, electronic health care services, and internet banking. Our analysis using SPSS and report by means of descriptive statistics, frequency distribution, and Chi-Square tests showed that account compromise in the geographical area is not common with the respondents reporting good experience with passwords usage. Comment: 31 pages, 15 tables, 2 figure

    Responsibility and Tangible Security: Towards a Theory of User Acceptance of Security Tokens

    This is the author accepted manuscript. It is currently under an indefinite embargo pending publication by the Internet Society. Security and usability issues with passwords suggest a need for a new authentication scheme. Several alternatives involve a physical device or token. We investigate one such alternative, Pico: an authentication scheme that utilizes multiple wearable devices. We present the grounded theory results of a series of semi-structured interviews for exploring perceptions of this scheme. We found that the idea of carrying physical devices increases perceived personal responsibility for secure authentication, making the risks and inconvenience associated with loss and theft salient for participants. Although our work is focused on Pico, the results of the study contribute to a broader understanding of user perception and concerns of responsibility for any token-based authentication schemes. We are grateful to the European Research Council for funding this research through grant StG 307224 (Pico)

    IQP Strong Authentication

    The threat of online personal information breaches rises as people put more critical data online, and despite ample availability, strong authentication protecting this information is not being adopted quickly enough to address the threat. To better understand this problem, the IQP team designed and conducted a study to isolate factors leading to such behavior. The team found that people had trouble surmounting the shift to stronger tools, but once past that, they readily settled into permanent use. Also, personal connection to threats was correlated to a good impression of strong authentication. The solution may be online security education that induces a personal connection to the threat, so as to create a better incentive to overcome the obstacles of transitioning and increase security