11 research outputs found

    A Comparative Usability Study of Two-Factor Authentication

    Two-factor authentication (2F) aims to enhance the resilience of password-based authentication by requiring users to provide an additional authentication factor, e.g., a code generated by a security token. However, it also introduces non-negligible costs for service providers and requires users to carry out additional actions during the authentication process. In this paper, we present an exploratory comparative study of the usability of 2F technologies. First, we conduct a pre-study interview to identify popular technologies as well as the contexts and motivations in which they are used. We then present the results of a quantitative study based on a survey completed by 219 Mechanical Turk users, aiming to measure the usability of three popular 2F solutions: codes generated by security tokens, one-time PINs received via email or SMS, and dedicated smartphone apps (e.g., Google Authenticator). We record contexts and motivations, and study their impact on perceived usability. We find that 2F technologies are overall perceived as usable, regardless of motivation and/or context of use. We also present an exploratory factor analysis, highlighting that three metrics (ease of use, required cognitive effort, and trustworthiness) are enough to capture the key factors affecting 2F usability. Comment: A preliminary version of this paper appears in USEC 201

    Understanding dynamics of initial trust and its antecedents in password managers adoption intention among young adults

    Security professionals often suggest password managers as one of the best measures for end-users. However, end-users have shown reluctance to adopt them, mostly due to the trust factor. The purpose of this paper was to examine the relationship of initial trust, and its antecedents, with password manager adoption intention. In this regard, using the Initial Trust Model as a framework, data from 289 respondents (aged 18-35) were collected through a crowdsourcing website and analyzed using structural equation modeling (SEM) in SmartPLS 3.2. Results show that initial trust has a significant effect on the intention to adopt a password manager. In initial trust formation, firm reputation and structural assurances play a significant role, whereas personal propensity to trust does not significantly relate to initial trust. Moreover, firm reputation and structural assurances indirectly affect the intention to adopt password managers.

    The Design and Development of an Interactive Story for Security Education: A Case Study on Password Managers

    Password managers allow us to generate unique passwords that ultimately protect our accounts and improve our password management. Despite being one of the most common pieces of security advice, adoption of password managers remains low. The complexity and magnitude of security advice leaves users pondering the best decision to keep themselves safe online. Indeed, it is generally better to learn concepts through a feedback loop, where we are informed, make a decision, and ultimately experience the consequences of our decisions. This feedback loop is absent in the traditional way security advice is given. In this thesis, I explore the potential of using interactive stories (Choose-Your-Own-Adventure stories) to simulate security consequences in order to convey lessons and risks. Through participatory design, survey methods, interviews, and learning science principles, I developed and validated a comprehensive and effective interactive story to be used in security education. The results of this thesis show a promising approach to using interactive stories in the security education ecosystem. Master of Science, School of Information, University of Michigan. http://deepblue.lib.umich.edu/bitstream/2027.42/162553/1/Sugatan_Carlo_Final_MTOP_Thesis_20200429.pd

    Factors Affecting Password Manager Adoption among European University Students

    Passwords are the most common method of proving identity on various online services. More and more sensitive information is stored online: banking details, healthcare data, educational and corporate data. Due to the increasing number of accounts, users face the challenge of creating and remembering many passwords of high complexity. To deal with such challenges and improve password management practices, security professionals suggest the use of password managers. However, this tool has not gained much popularity among end-users. The purpose of this thesis is to identify and examine the factors that may affect the adoption of password managers. In this regard, I have proposed a research model based on the Unified Theory of Acceptance and Use of Technology (UTAUT) and Task Technology Fit (TTF) models. Data (N=265) were collected from students enrolled at one of the European universities using an online survey; for this purpose, participants were recruited through mailing lists and the Facebook page of a crowdsourcing site. PLS-SEM was used to test the proposed model on the usable data set (N=265) collected by means of the questionnaire. The results of the analysis show that performance expectancy and social influence affect behavioral intentions. Task technology fit, facilitating conditions, and behavioral intentions directly affect password manager adoption, while performance expectancy, social influence, effort expectancy, and technology characteristics are the main factors that indirectly affect password manager adoption among European students.

    Integrating Visual Mnemonics and Input Feedback with Passphrases to Improve the Usability and Security of Digital Authentication

    The need for both usable and secure authentication is more pronounced than ever before. Security researchers and professionals will need a deep understanding of human factors to address these issues. Due to their ubiquity, recoverability, and low barrier to entry, passwords remain the most common means of digital authentication. However, fundamental human nature dictates that it is exceedingly difficult for people to generate secure passwords on their own. System-generated random passwords can be secure but are often unusable, which is why most passwords are still created by humans. We developed a simple system for automatically generating mnemonic phrases and supporting mnemonic images for randomly generated passwords. We found that study participants remembered their passwords significantly better using our system than with existing systems. To combat shoulder surfing (looking at a user's screen or keyboard as he or she enters sensitive input such as passwords), we developed an input masking technique that was demonstrated to minimize the threat of shoulder surfing attacks while improving the usability of password entry over existing methods. We extended this previous work to support longer passphrases with increased security and evaluated the effectiveness of our new system against traditional passphrases. We found that our system exhibited greater memorability, increased usability and overall rankings, and maintained or improved upon the security of traditional passphrase systems. Adopting our passphrase system will lead to more usable and secure digital authentication.

    MIGRANT: modeling smartphone password manager adoption using migration theory

    Password manager applications have the potential to alleviate password pain and improve password strength, yet they are not widely adopted. Password managers are dissimilar to other kinds of software tools, given that the leakage of the credentials they store could give a hacker access to all of an individual's online accounts. Moreover, adoption requires a deliberate switch away from an existing (manual) password management routine. As such, traditional technology adoption models are unlikely to model password manager adoption accurately. In this paper, we propose and explain how we validated a theoretical model of smartphone password manager adoption. We commenced by carrying out exploratory interviews with 30 smartphone owners to identify factors that influence adoption. These were used to develop a model that reflects the password manager adoption process, building on migration theory. The proposed model, MIGRANT (MIGRation pAssword maNager adopTion), was validated and subsequently refined in a week-long study with 198 smartphone owners, combining self-report and observation to measure constructs. This study contributes to the information security behavioral literature by isolating the main factors that encourage or deter password manager adoption, and those that moor smartphone owners in their current practices, hindering switching. With this investigation, we introduce migration theory as a reference theory for future studies in the information security behavioral field.

    Analysis of Password Management

    It has gradually become clear that information belonging to the various users of the Internet is increasingly exposed to attacks. These intrusions compromise their data, and in response some answers have emerged, such as information security. One of the factors that stands out and is related to this concept is authenticity. Biometric techniques and electronic keys are examples used to ensure it. However, the mechanism that stands out most is the use of a pair consisting of a username and a password. This, however, has revealed some associated problems. If a single secret is used to safeguard all private resources and it is discovered, the user's information will be entirely compromised. If multiple passwords are used, there is a risk of forgetting access credentials. On the other hand, there are drawbacks if they are short (easily found) or long (hard to memorise). Given these situations, password managers have been applied. Such methods allow secrets to be stored as well as created, and they can take several forms, ranging from local and mobile solutions to web-based ones. All of them have advantages (depending on the scenario), as well as common disadvantages. In order to check whether these tools provide the promised security, an intensive analysis was carried out on some programs already on the market, chosen for their performance and reputation. If they proved ineffective, an application would be proposed to solve the problems discovered. However, it was concluded that a mechanism offering the intended protection already exists. Thus, only a study of the approaches that can be adopted was carried out, highlighting the one that proved most appropriate.

    Assessing usable security of multifactor authentication

    An authentication mechanism is a security service that establishes the difference between authorised and unauthorised users. When used as part of certain website processes such as online banking, it provides users with greater safety and protection against service attacks and intruders. For an e-banking website to be considered effective, it should provide a usable and secure authentication mechanism. Despite existing research in the usability and security domains, there is a lack of research on synthesising the contributions of usable security and evaluating multifactor authentication methods. Without understanding the usability and security of authentication mechanisms, the authentication process is likely to become cumbersome and insecure. This negatively affects one goal of the authentication process: convenience for the user. This thesis sought to investigate the usability and security of multifactor authentication and filled an important gap in the development of authentication processes. It concentrated on users' perspectives, which are crucial for the deployment of an authentication process. To achieve the thesis goal, a systematic series of three studies was conducted. First, an exploratory study was used to investigate the current state of the art in the use of multifactor authentication and to evaluate the usability and security of these methods. The study involved a survey of 614 e-banking users, who were selected because they were likely long-term users of online banking and held two different bank accounts, a Saudi account and a foreign account (most foreign accounts were British). The study indicated that multifactor authentication has been widely adopted in e-banking in Saudi Arabia and the United Kingdom, with high levels of security and trustworthiness compared to single-factor authentication. The second study was a descriptive study of the most common authentication methods. This study aimed to learn more about the commonly used methods identified in the previous study and sought to propose an appropriate combination of authentication methods to be evaluated in the third study. The third study was an experimental study with 100 users to evaluate the usable security of three different multifactor authentication methods: fingerprint, secure device and card reader. A web-based system was designed specifically for this study to simulate an original UK e-banking website. One of the main contributions of this study was that the system allowed users to choose their preferred authentication method. Moreover, the study contributed to the field of usable security by proposing security evaluation criteria based on users' awareness of security warnings. The key result obtained indicated that fingerprinting was the most usable and secure method. Additionally, the users' level of understanding of security warnings was very low, as shown by their reaction to the security indicators presented during the experiment.