
    Changing users' security behaviour towards security questions: A game based learning approach

    Fallback authentication is used to retrieve forgotten passwords. Security questions are one of the main techniques used to conduct fallback authentication. In this paper, we propose a serious game design that uses system-generated security questions with the aim of improving the usability of fallback authentication. For this purpose, we adopted the popular picture-based "4 Pics 1 Word" mobile game. This game was selected because of its use of pictures and cues, which previous psychology research found to be crucial to aid memorability. The game asks users to pick the word that relates to the given pictures. We then customized this game by adding features which help maximize the following memory retrieval skills: (a) verbal cues, by providing hints with verbal descriptions; (b) spatial cues, by maintaining the same order of pictures; (c) graphical cues, by showing 4 images for each challenge; (d) the interactive and engaging nature of the game.
    Comment: 6, Military Communications and Information Systems Conference (MilCIS), 2017. arXiv admin note: substantial text overlap with arXiv:1707.0807

    Portugal: Leapfrogging Digital Transformation

    This report is structured as follows: Section 1 presents details about Portugal enabling or inhibiting its digital transformation. Section 2 analyzes the main motivations for the digital transformation strategy; Section 3 summarizes its main challenges, while Section 4 presents the main components of the strategy. Section 5 analyzes the governance model, and Section 6 the legal and regulatory framework. Section 7 discusses critical enablers for the digital transformation of government services. Section 8 introduces 16 key initiatives of the strategy. Section 9 summarizes the lessons learnt, followed by an assessment of the strategy's impact in Section 10. Section 11 synthesizes lessons for Latin American countries. Finally, Appendix A enumerates the main legal and regulatory instruments supporting the digital transformation in Portugal, Appendix B presents a set of 18 sections providing details of the initiatives analyzed in the report, and Appendix C explains how the digital transformation efforts contributed to facing the challenges raised by the COVID-19 pandemic.
    Fil: Estevez, Elsa Clara. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina. Universidad Nacional de La Plata; Argentina
    Fil: Fillottrani, Pablo. Provincia de Buenos Aires. Gobernación. Comisión de Investigaciones Científicas; Argentina. Universidad Nacional del Sur; Argentina
    Fil: Linares, Sebastián. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Bahía Blanca. Instituto de Investigaciones Económicas y Sociales del Sur. Universidad Nacional del Sur. Departamento de Economía. Instituto de Investigaciones Económicas y Sociales del Sur; Argentina
    Fil: Cledou, Maria Guillermina. Universidade do Minho; Portuga

    "Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication

    Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usability is challenging for developers. Previous work found that developers use online resources to inform security decisions when writing code. As in other areas, a lot of authentication advice for developers is available online, including blog posts, discussions on Stack Overflow, research papers, and guidelines by institutions like OWASP or NIST. We are the first to explore developer advice on authentication that affects usable security for end-users. Based on a survey with 18 professional web developers, we obtained 406 documents and qualitatively analyzed 272 contained pieces of advice in depth. We aim to understand the accessibility and quality of online advice and provide insights into how online advice might contribute to (in)secure and (un)usable authentication. We find that advice is scattered and that finding recommendable, consistent advice is a challenge for developers, among others. The most common advice is for password-based authentication, with little for more modern alternatives. Unfortunately, many pieces of advice are debatable (e.g., complex password policies), outdated (e.g., enforcing regular password changes), or contradictory, and might lead to unusable or insecure authentication. Based on our findings, we make recommendations for developers, advice providers, official institutions, and academia on how to improve online advice for developers.
    Comment: Extended version of the paper that appears at ACM CCS 2023. 18 pages, 4 figures, 11 table

    Passwords and the evolution of imperfect authentication

    Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.
    This is the author accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939

    Leveraging bluetooth as a second factor in two-factor authentication

    Passwords have been the dominant single-factor authentication method for decades but are no longer sufficient to validate a user's identity. The simplistic nature of passwords perpetuates their existence and makes them an easy attack vector. However, Two-Factor Authentication (2FA) augments passwords and adds a layer of security. Although 2FA has the potential to increase security, traditional second factors require user interaction at every login attempt, which may contribute to slow adaptation. Traditional second factors drastically alter the user authentication experience and typically require the user to navigate away from the login screen. Therefore, we present a new second-factor method that leverages Bluetooth technology, called Ambient-Discovery. Our protocol is designed to provide security assurances comparable to or greater than the traditional second factors while keeping the user experience the same as password-based authentication. There is no user interaction, as the second factor restricts communication between a mobile application and a computer browser. Therefore, Ambient-Discovery provides an additional layer of security while limiting user interaction.

    Online authentication methods used in banks and attacks against these methods

    © 2019 The Authors. Published by Elsevier B.V. Growing threats and attacks to online banking security (e.g. phishing, identity theft) motivate most banks to look for and use stronger authentication methods instead of normal username and password authentication. The main objective of the research is to identify the most common online authentication methods used widely in international banks and compare them with the methods used in six banks operating in the UAE. In addition, this research will cover the current authentication threats and attacks against these methods. Two well-defined comparison matrices [15], one based on characteristics and the second on attack vectors, will be used to examine and assess the authentication methods of those six banks. This paper differs from other studies and works since it will help to identify the common authentication methods used in banks operating in the UAE. Moreover, the comparison matrices will help to examine those authentication methods, define their weaknesses, and evaluate them.