Search results

1 – 10 of over 4000
Article
Publication date: 9 October 2017

Jeremiah D. Still, Ashley Cain and David Schuster

Abstract

Purpose

Despite the widespread use of authentication schemes and the rapid emergence of novel authentication schemes, a general set of domain-specific guidelines has not yet been developed. This paper aims to present and explain a list of human-centered guidelines for developing usable authentication schemes.

Design/methodology/approach

The guidelines stem from research findings within the fields of psychology, human–computer interaction and information/computer science.

Findings

Instead of viewing users as the inevitable weak point in the authentication process, this study proposes that authentication interfaces be designed to take advantage of users’ natural abilities. This approach requires that one understands how interactions with authentication interfaces can be improved and what human capabilities can be exploited. A list of six guidelines that designers ought to consider when developing a new usable authentication scheme has been presented.

Research limitations/implications

This consolidated list of usable authentication guidelines provides system developers with immediate access to common design issues impacting usability. These guidelines ought to assist designers in producing more secure products in fewer costly development cycles.

Originality/value

Cybersecurity research and development has mainly focused on technical solutions to increase security. However, the greatest weakness of many systems is the user. It is argued that authentication schemes with poor usability are inherently insecure, as users will inadvertently weaken the security in their efforts to use the system. The study proposes that designers need to consider the human factors that impact end-user behavior. Development from this perspective will address the greatest weakness in most security systems by increasing end-user compliance.

Details

Information & Computer Security, vol. 25 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 26 August 2014

Tetsuji Takada and Yuki Kokubun

Abstract

Purpose

The aim of the research is to realize a better form of personal identification number (PIN) authentication for a mobile phone without lowering usability and acceptability.

Design/methodology/approach

The authors’ approach is to extend the input operation of PIN authentication by allowing more than one number at a time using a multi-touch-enabled screen. The authors also introduced substitution keys to be able to type any combination of a PIN value and an input pattern by multi-touch typing.

Findings

The authors conducted a user evaluation study using a Web-based prototype system. The results of the study indicate that PIN input time, input errors and secret memorability of the proposed scheme were no worse than those of conventional PIN authentication. The theoretical security level of the proposed scheme is almost three and a half times that of the conventional scheme.

Originality/value

The paper introduces a multi-touch-enabled secret input operation into PIN authentication. Although this change affects not only the input operation but also the PIN input interface and the secret information, it makes it possible to achieve a better security level without a drastic change to the user interface or a longer input time.

Details

International Journal of Pervasive Computing and Communications, vol. 10 no. 3
Type: Research Article
ISSN: 1742-7371

Article
Publication date: 12 October 2015

Martin Butler and Rika Butler

Abstract

Purpose

The purpose of this paper was to determine factors that could be used to create different authentication requirements for diverse online banking customers based on their risk profile. Online security remains a challenge to ensure safe transacting on the Internet. User authentication, a human-centric process, is regarded as the basis of computer security and hence secure access to online banking services. The increased use of technology to enforce additional actions has the ability to improve the quality of authentication and hence online security, but often at the expense of usability. The objective of this study was to determine factors that could be used to create different authentication requirements for diverse online banking customers based on their risk profile.

Design/methodology/approach

A web-based survey was designed to determine online consumers’ competence regarding secure online behaviour, and this was used to quantify their online behaviour as more or less secure. The browsers used by consumers as well as their demographic data were correlated with the security profile of respondents to test for any significant variance in practice that could inform differentiated authentication.

Findings

A statistical difference between behaviours based on some of the dependent variables was evident from the analysis. Based on the results, a case could be made for different authentication methods for online banking customers based on both the browser selected (before individual identification) and demographic data (after identification) to ensure a safer online environment.

Originality/value

The research can be used by the financial services sector to improve online security, where required, without necessarily reducing usability for more “security inclined” customers.

Details

Information & Computer Security, vol. 23 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 10 October 2016

Mahdi Nasrullah Al-Ameen, S.M. Taiabul Haque and Matthew Wright

Abstract

Purpose

Two-factor authentication is being implemented more broadly to improve security against phishing, shoulder surfing, keyloggers and password guessing attacks. Although passwords serve as the first authentication factor, a common approach to implementing the second factor is sending a one-time code, either via e-mail or text message. The prevalence of smartphones, however, creates security risks in which a stolen phone leads to the user’s accounts being accessed. Physical tokens such as RSA’s SecurID create extra burdens for users and cannot be used on many accounts at once. This study aims to improve the usability and security of two-factor online authentication.

Design/methodology/approach

The authors propose a novel second authentication factor that, like a password, is based on something the user knows but operates similarly to a one-time code for security purposes. The authors design this component to provide a higher security guarantee with minimal memory burden, and it does not require any additional communication channels or hardware. Motivated by psychology research, the authors leverage users’ autobiographical memory in a novel way to create a secure and memorable component for two-factor authentication.

Findings

In a multi-session lab study, all of the participants were able to log in successfully on the first attempt after a one-week delay from registration and reported satisfaction on the usability of the scheme.

Originality/value

The results indicate that the proposed approach of leveraging autobiographical memory is a promising direction for further research on a second authentication factor based on something the user knows.

Details

Information & Computer Security, vol. 24 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 9 November 2015

Alain Forget, Sonia Chiasson and Robert Biddle

Abstract

Purpose

This paper aims to propose that more useful novel schemes could develop from a more principled examination and application of promising authentication features. Text passwords persist despite several decades of evidence of their security and usability challenges. It seems extremely unlikely that a single scheme will globally replace text passwords, suggesting that a diverse ecosystem of multiple authentication schemes designed for specific environments is needed. Authentication scheme research has thus far proceeded in an unstructured manner.

Design/methodology/approach

This paper presents the User-Centred Authentication Feature Framework, a conceptual framework that classifies the various features that knowledge-based authentication schemes may support. This framework can be used by researchers when designing, comparing and innovating authentication schemes, as well as by administrators and users, who can use the framework to identify desirable features in schemes available for selection.

Findings

This paper illustrates how the framework can be used by demonstrating its applicability to several authentication schemes, and by briefly discussing the development and user testing of two framework-inspired schemes: Persuasive Text Passwords and Cued Gaze-Points.

Originality/value

This framework is intended to support the increasingly diverse ecosystem of authentication schemes by providing authentication researchers, professionals and users with the increased ability to design, develop and select authentication schemes better suited for particular applications, environments and contexts.

Details

Information & Computer Security, vol. 23 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 19 August 2021

Sajaad Ahmed Lone and Ajaz Hussain Mir

Abstract

Purpose

Because of the continued use of mobile, cloud and the internet of things, the possibility of data breaches is on the increase. A secure authentication and authorization strategy is a must for many of today’s applications. Authentication schemes based on knowledge and tokens, although widely used, lead to most security breaches. While providing various advantages, biometrics are also subject to security threats. Using multiple factors together for authentication provides more certainty about a user’s identity, leading to authentication that is more reliable, more effective and more difficult for an adversary to defeat. This study aims to propose a novel, secure and highly stable multi-factor one-time password (OTP) authentication solution for mobile environments, which uses all three authentication factors for user authentication.

Design/methodology/approach

The proposed authentication scheme is implemented as a challenge-response authentication where three factors (username, device number and fingerprint) are used as a secret key between the client and the server. The current scheme adopts application-based authentication and guarantees data confidentiality and improved security because of the integration of biometrics with the other factors and because the server issues a new challenge value to the client for each OTP generation.

Findings

The proposed authentication scheme is implemented on real Android-based mobile devices and tested with real users; experimental results show that the proposed authentication scheme attains improved performance. Furthermore, the usability evaluation shows that the proposed authentication scheme is effective, efficient and convenient for users in mobile environments.

Originality/value

The proposed authentication scheme can be adopted as an effective authentication scheme for accessing critical information using Android smartphones.

Details

International Journal of Pervasive Computing and Communications, vol. 18 no. 4
Type: Research Article
ISSN: 1742-7371

Article
Publication date: 8 June 2010

Seung S. Yang and Hongsik Choi

Abstract

Purpose

One-time password systems provide great strengths over conventional password systems: protection against over-the-shoulder attacks, eavesdropping, replay, etc. The Grid Data Security authentication system is a server-challenge-based system. It has advantages over other one-time password systems since it does not require pre-installed software or special devices to be carried. However, there are some weaknesses. The purpose of this paper is to analyze the weaknesses of the one-time password system and provide practical guidelines for using the one-time password system.

Design/methodology/approach

This paper statistically analyzes the weakness of the Grid Data Security authentication system and simulates attacks on the system to confirm the discovered weakness. The paper also suggests ways to reduce the discovered vulnerability using a mathematical formula and offers practical guidelines for using the system. It also identifies the system's strength in access authentication for mobile communication.

Findings

The Grid Data Security authentication system, which is a server-challenge-based one-time password system, has a great weakness when an attacker obtains its user-interface screen and its GridCode. The discovered vulnerability can be mitigated by changing the cardinality of the GridCode. This paper creates a formula that can help a system manager decide the security level and the required cardinality of the GridCode and length of the password. It also identifies the system's strengths in mobile communication.

Originality/value

The paper provides a practical tool for security managers to identify the required cardinality of the GridCode and password length for given levels of security.

Details

Information Management & Computer Security, vol. 18 no. 2
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 7 November 2016

Hassan Sbeyti, Beatrice El Hage and Ahmad Fadlallah

Abstract

Purpose

The purpose of this paper is to extract the user’s behaviour and transform it into a unique signature that can be used as an implicit authentication technique. Smart devices are equipped with multiple authentication techniques and still remain prone to attacks because all of these techniques require explicit intervention by the user. Entering a PIN code or a password, or even presenting a biometric print, can be easily compromised by an adversary.

Design/methodology/approach

In this paper, the authors introduce a novel authentication model to be used as a complement to the existing authentication models. In particular, the duration of usage of each application and its time of occurrence were examined and modelled into a user signature. During the learning phase, a cubic spline function is used to extract the user signature based on his/her behavioural pattern.

Findings

Preliminary field experiments show a 70 per cent accuracy rate in determining the rightful owner of the device.

Originality/value

The main contribution of this paper is a framework that extracts the user behaviour and transforms it into a unique signature that can be used to implicitly authenticate the user.

Details

International Journal of Pervasive Computing and Communications, vol. 12 no. 4
Type: Research Article
ISSN: 1742-7371

Article
Publication date: 30 November 2021

Bhaveer Bhana and Stephen Vincent Flowerday

Abstract

Purpose

The average employee spends a total of 18.6 h every two months on password-related activities, including password retries and resets. The problem is caused by the user forgetting or mistyping the password (usually because of character switching). The source of this issue is that while a password containing combinations of lowercase characters, uppercase characters, digits and special characters (LUDS) offers a reasonable level of security, it is complex to type and/or memorise, which prolongs the user authentication process. This results in much time being spent for no benefit (as perceived by users), as the user authentication process is merely a prerequisite for whatever a user intends to accomplish. To address this issue, this study proposes passphrases that exclude the LUDS guidelines.

Design/methodology/approach

To discover constructs that create security and to investigate usability concerns relating to the memory and typing issues concerning passphrases, this study was guided by three theories as follows: Shannon’s entropy theory was used to assess security, chunking theory to analyse memory issues and the keystroke level model to assess typing issues. These three constructs were then evaluated against passwords and passphrases to determine whether passphrases better address the security and usability issues related to text-based user authentication. A content analysis was performed to identify common password compositions currently used. A login assessment experiment was used to collect data on user authentication and user–system interaction with passwords and passphrases in line with the constructs that have an impact on user authentication issues related to security, memory and typing. User–system interaction data was collected from a purposeful sample of 112 participants, logging in at least once a day for 10 days. An expert review, which comprised usability and security experts with specific years of industry and/or academic experience, was also used to validate results and conclusions. All the experts were given questions and content to ensure sufficient context was provided and relevant feedback was obtained. A pilot study involving 10 participants (experts in security and/or usability) was performed on the login assessment website, and the content was given to the experts beforehand. Both the website and the expert review content were refined after feedback was received from the pilot study.

Findings

It was concluded that, overall, passphrases better support the user during the user authentication process in terms of security, memory issues and typing issues.

Originality/value

This research aims at promoting the use of a specific type of passphrase instead of complex passwords. Three core aspects need to be assessed in conjunction with each other (security, memorisation and typing) to determine whether user-friendly passphrases can support user authentication better than passwords.

Details

Information & Computer Security, vol. 30 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 20 June 2019

Verena Zimmermann, Nina Gerber, Peter Mayer, Marius Kleboth, Alexandra von Preuschen and Konstantin Schmidt

Abstract

Purpose

Six years ago, Bonneau et al. (2012) proposed a framework to compare authentication schemes to the ubiquitous text password. Even though their work did not reveal an alternative outperforming the text password on every criterion, the framework can support decision makers in finding suitable solutions for specific authentication contexts. The purpose of this paper is to extend and update the database, thereby discussing benefits, limitations and suggestions for continuing the development of the framework.

Design/methodology/approach

This paper revisits the rating process and describes the application of an extended version of the original framework to an additional 40 authentication schemes identified in a literature review. All schemes were rated in terms of 25 objective features assigned to the three main criteria: usability, deployability and security.

Findings

The rating process and results are presented along with a discussion of the benefits and pitfalls of the rating process.

Research limitations/implications

While the extended framework, in general, proves suitable for rating and comparing authentication schemes, ambiguities in the rating could be resolved by providing clearer definitions and cut-off values. Further, extending the framework with subjective user perceptions, which sometimes differ from objective ratings, could be beneficial.

Originality/value

The results of the rating are made publicly available in an authentication choice support system named ACCESS to support decision makers and researchers and to foster the further extension of the knowledge base and future development of the extended rating framework.

Details

Information & Computer Security, vol. 27 no. 5
Type: Research Article
ISSN: 2056-4961
