Security and Usability: The Case of the User Authentication Methods
Christina Braz
Jean-Marc Robert
Université du Québec à Montréal
École Polytechnique de Montréal
C.P. 8888, succ. Centre-ville Montreal, QC H3C 3P8 Canada
ABSTRACT
The usability of security systems has become a major issue in research on the efficiency and user acceptance of security systems. The authentication process is essential for controlling the access to various resources and facilities. The design of usable yet secure user authentication methods raises crucial questions concerning how to solve conflicts between security and usability goals.
KEYWORDS: Security Usability, User Authentication, Human Factors, Access Control, User Interface design.
RÉSUMÉ
The usability of computer security systems has become one of the major problems in research on the efficiency and user acceptance of computer security systems. The authentication process is thus crucial for controlling remote access to resources and facilities. The design of user authentication methods that are easy to use then raises important questions such as: how can the existing conflicts between the usability and security objectives of computer systems be resolved?
CATEGORIES AND SUBJECT DESCRIPTORS: H.1.2 [User/Machine Systems]: Human factors; K.6.5 [Security and Protection]: Authentication; D.4.6 [Security and Protection]: Access controls, Authentication.
GENERAL TERMS: Security in HCI, Usability vs Security, Biometric Data.
INTRODUCTION
C.P. 6079, succ. Centre-ville Montreal, QC H3C 3A7 Canada
User authentication is the entry point to different computing networks or facilities in which a set of services are rendered to users or a set of tasks can be performed. Once authenticated, the user can gain access, for example, to a company's Intranet, consoles, databases, buildings, vehicles, etc. Usability of authentication mechanisms has seldom been investigated; since security mechanisms are conceived, implemented, put into practice and violated by people, human factors should be taken into account in their design [1]. Usability therefore becomes a strategic issue in the establishment of user authentication methods. Usability can be defined as "the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use" [5]. Security usability is concerned with the study of how security information should be handled in the user interface [6] and how security mechanisms and authentication systems themselves can be made easy to use. This paper presents the usability issues of user authentication methods in the computer security and access control domains. It aims at tackling this growing problem, contributing to the discussion and helping system developers to make decisions concerning the usability of security systems.
HUMAN FACTORS ASPECTS OF USER AUTHENTICATION METHODS
Presently there has been very little research on security usability; as a consequence, both suitable usability design methods and a model of Graphical User Interface (GUI) for authentication methods are needed. The primary data gathered on security usability so far concern the usability evaluation of Pretty Good Privacy (PGP) [11], a public key encryption program primarily intended for authentication and email privacy; a rule-based authorization engine called MAP [13]; previous work on the design of secure user interfaces for network applications (i.e. authentication of the communication) [6]; and finally a few generic white papers on the matter. In a nutshell, research on Human Computer Interaction (HCI) and security has been sporadic, and even more so on user authentication methods. Security and usability are both essential in the authentication process. However, the requirements for a high level of security while maintaining adequate usability are frequently in conflict with each other, and a suitable balance has to be found. The potential conflicts between security and usability might be minimized by making use of some general design heuristics, such as: minimize the user input; make decisions on behalf of the user; notify the user of actions taken on her/his behalf; and provide the user with the capability to undo those actions when possible and, if not, minimize their impact. However, as we have stated earlier, there is no recognized set of usability principles and standards for authentication methods. In the next section of the paper we present some Human Factors issues of authentication methods.
Golden Rules of User Interface Design | Adequate for Passwords?
1. Strive for consistency | Yes
2. Frequent users can use shortcuts (A) | No
3. Provide informative feedback (B) | No
4. Dialogs should yield closure | Yes
5. Prevent errors and provide simple error handling (C) | No
6. Easy reversal of any action (D) | No
7. Put the user in charge (E) | No
8. Reduce short-term memory load (F) | No
Table 1: Do the 8 golden Rules of User Interface Design apply to security systems?
Password Complexity
Passwords are the first line of defence against attacks on a computer system. The rules for password choice can certainly be a cumbersome problem for a user and a security problem for a system. For instance, very trivial choices that are easy to guess are broken within seconds using password cracking techniques; the longer the password, the more difficult it is to crack. To prevent hackers from gaining access to our computers or files, experts recommend using complicated passwords, which in the first instance increases the short-term memory load of users, causing frequent errors. In fact, the capacity of short-term memory is normally limited to 7 ± 2 items (e.g. letters, digits, words, etc.) [7]. Traditional password systems include many design features for the purpose of making trial-and-error attacks as difficult as possible. In doing so, they violate most of the recognized usability standards for computer systems. Of the eight "Golden Rules" for interface design recommended by Shneiderman [9], password interactions break six (Table 1). Table 2 shows how to minimize the security usability conflict for these golden rules. In addition, users should follow a set of rules (i.e. a password security policy), especially related to password creation: "All passwords must be at least six characters long; Include numbers and letters; Include a mix of upper and lower case; Use different passwords for each system; Change once a month; Do not write anything down" [10].
Item | Usability | Security
(A) | Users can't take shortcuts: the system won't match the first few letters typed and fill in the rest. | Prevents dictionary (1) and eavesdropping (2) attacks.
(B) | Users hardly see the password they type: they can't find out repeated letters or accidental misspellings. | Prevents guessing attacks and social engineering (3).
(C) | Most systems only mention success or failure: they don't show how close the password guess was, or even discern between a mistyped username and password. | Prevents guessing, eavesdropping and social engineering attacks.
(D) | Most systems keep track of incorrect guesses and take irreparable action (locking the user's account) if several bad guesses happen. | Prevents guessing, eavesdropping, and social engineering attacks.
(E) | The system makes users "responders" to actions rather than the initiators. In a highly networked world, wherein users must access multiple applications, password protection is considered costly, awkward and insecure. The requirement of authentication to access different applications, services, or facilities might generate frustration among users on a day-to-day basis, because users might need to access the same secured applications frequently in a short period of time. | Prevents guessing, eavesdropping, and social engineering attacks.
(F) | Users must follow a set of security policies related to password creation recommended by [10]. Short-term memory is normally limited to 7 ± 2 items. | Prevents guessing, eavesdropping, and social engineering attacks.
Table 2: How to deal with the golden rules using heuristics.
(1) A form of attack in which an attacker uses a large set of likely combinations to guess a secret.
(2) Electronic eavesdropping is the intentional surveillance of data: voice, fax, e-mail, mobile telephones, etc., often for nefarious purposes.
(3) To infiltrate a physical building or information system using non-technical means (e.g. searching user desks for passwords on notes).
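The two sides of the feedback trade-off in Table 2 (items (B), (C) and (F)) can be made concrete with a small enrolment-time checker. The following is an added example written for this page, not code from the paper: it encodes the checkable rules of the password policy quoted from [10] (length, numbers and letters, mixed case; the per-system, monthly-change and do-not-write-down rules need context a single string cannot provide) and returns rule-level feedback at creation time, while the login-time message stays deliberately generic so that a failed attempt does not reveal whether the username exists. The minimum length of six, the rule wording and the message strings are taken from the quoted policy; the function names are this example's own.

```python
import re

# Added example (not the paper's code): an enrolment-time checker for the
# password policy rules quoted from [10]. Only the rules that can be judged
# from a single candidate string are encoded; "use different passwords for
# each system", "change once a month" and "do not write anything down" need
# context the checker does not have.
MIN_LENGTH = 6  # "All passwords must be at least six characters long"


def check_password(candidate: str) -> list:
    """Return the policy rules the candidate breaks (empty list = accepted).

    Each entry names the rule that failed. This follows golden rule 3
    ("provide informative feedback") at the moment the user is choosing a
    secret, where saying exactly what is wrong leaks nothing to an attacker.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(
            f"must be at least {MIN_LENGTH} characters long (got {len(candidate)})"
        )
    if not re.search(r"[0-9]", candidate):
        problems.append("must include at least one number")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("must include at least one letter")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("must mix upper and lower case")
    return problems


def login_message(username_exists: bool, password_matches: bool) -> str:
    """Feedback at login time, item (C) of Table 2.

    Here the security column wins: one generic failure message means the
    response does not tell an attacker whether the username exists, so the
    two failure cases deliberately return the same string.
    """
    if username_exists and password_matches:
        return "Login successful."
    return "Invalid username or password."


if __name__ == "__main__":
    for pw in ("abc", "secure12", "Secure12"):  # constructed sample candidates
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
    print(login_message(username_exists=False, password_matches=False))
    print(login_message(username_exists=True, password_matches=False))
```

The split matters: detailed feedback is safe where the user is the only party who knows the candidate (enrolment), and is withheld where an outsider could be the one typing (login), which is exactly the distinction items (B) and (C) draw.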
Locking PIN Systems
A classic strategy to defend against Personal Identification Number (PIN) guessing attacks in authentication tokens is to lock the system after three consecutive invalid PIN attempts. However, this classic strategy can seriously undermine the system's usability. After the PIN has been locked, it can only be unlocked by the token administrator. This is the worst-case scenario for usability: when the administrator is not available, the user is blocked and no reversible action is possible.
Cumbersome Data Input of Challenge Response Calculators
Challenge-response calculators (CRC) require even more data input than other authentication methods: a user ID, a password, a PIN and a "challenge" (e.g. an authentication server creates a "challenge", typically a random number, and sends it to the client machine). Therefore, the difficulty and the probability of data input errors are higher (CRCs do not echo the password back on the screen as it is typed, or they only display asterisks in place of the actual characters).
No Usability Features of Public Key Infrastructure (PKI)
To illustrate the usability issues in a user authentication method, let us briefly present "Usability of Security: A Case Study" [11], which evaluated the usability of Pretty Good Privacy (PGP) 5.0. PGP is a standard software package for the encryption of electronic mail, developed by Phil Zimmermann [12], which uses a Public Key Infrastructure to encrypt, decrypt, and digitally sign data. The authors chose PGP because it has a good user interface according to established standards, and they wanted to find out whether that was sufficient to allow non-programmers who know little about security to use it effectively. The results obtained through a cognitive walkthrough and user testing show that users had difficulty with: avoiding dangerous errors, encrypting a message, understanding the public key model, figuring out the correct key to encrypt with and how to encrypt with any key, decrypting a message, publishing the public key, and finally verifying a signature on an email message. These are just the basic tasks that must be performed to use the program correctly. Therefore, according to the authors, PGP is not sufficiently usable to provide effective security for most email users, because there is a "mismatch between the design philosophy behind its user interface, and the usability needs of a security utility".
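The "Locking PIN Systems" and "Challenge Response Calculators" passages above describe two mechanisms that a single authentication server would combine: a random challenge answered by the user's calculator, and a counter that locks the account after three consecutive bad answers. The following added example (written for this page, not code from the paper or from any product it mentions) models the server side of that exchange in Python. The keyed hash (HMAC-SHA256) used to compute the response, the single-use challenge, and the lock that expires on its own after an assumed 15 minutes are this example's assumptions; the paper itself only states that a locked token is released by the token administrator, which is kept here as `admin_unlock`.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Added example, not the paper's code. Server side of a challenge-response
# exchange (server sends a random challenge, the client's calculator answers
# with a keyed hash of it) combined with the three-strike lock the paper
# describes. HMAC-SHA256 and the timed lock are assumptions of this example.
MAX_FAILURES = 3        # lock after three consecutive invalid attempts
LOCK_SECONDS = 15 * 60  # assumed: the lock expires by itself after 15 minutes


def compute_response(shared_secret: bytes, challenge: bytes) -> bytes:
    """What the client-side calculator computes over the server's challenge."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class _Account:
    def __init__(self, shared_secret: bytes) -> None:
        self.secret = shared_secret
        self.failures = 0
        self.locked_until = 0.0
        self.pending: Optional[bytes] = None  # the one challenge currently valid


class AuthServer:
    """Issues single-use challenges and verifies responses under a lock policy."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, _Account] = {}
        self.clock = clock  # injectable so the lock timeout can be tested

    def enrol(self, user: str, shared_secret: bytes) -> None:
        self.accounts[user] = _Account(shared_secret)

    def is_locked(self, user: str) -> bool:
        return self.accounts[user].locked_until > self.clock()

    def issue_challenge(self, user: str) -> Optional[bytes]:
        """Return a fresh random challenge, or None while the account is locked."""
        acct = self.accounts[user]
        if self.is_locked(user):
            return None
        acct.pending = secrets.token_bytes(16)
        return acct.pending

    def verify(self, user: str, response: bytes) -> str:
        """Return 'ok', 'rejected' or 'locked'.

        The pending challenge is consumed on first use, so a replayed response
        is rejected even if it was once valid, and it counts as a failure."""
        acct = self.accounts[user]
        if self.is_locked(user):
            return "locked"
        expected = (
            compute_response(acct.secret, acct.pending) if acct.pending else None
        )
        acct.pending = None
        if expected is not None and hmac.compare_digest(expected, response):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = self.clock() + LOCK_SECONDS
            acct.failures = 0
            return "locked"
        return "rejected"

    def admin_unlock(self, user: str) -> None:
        """The paper's only unlock path: the token administrator intervenes."""
        acct = self.accounts[user]
        acct.failures = 0
        acct.locked_until = 0.0


if __name__ == "__main__":
    server = AuthServer()
    key = b"constructed-shared-secret"  # constructed sample key
    server.enrol("alice", key)
    chal = server.issue_challenge("alice")
    print("genuine response:", server.verify("alice", compute_response(key, chal)))
    for _ in range(MAX_FAILURES):
        server.issue_challenge("alice")
        print("wrong response:", server.verify("alice", b"\x00" * 32))
    print("challenge while locked:", server.issue_challenge("alice"))
```

The timed lock is one way to keep the security property (a bounded number of guesses per window) while giving the user a reversible path that does not depend on an administrator being available, which is the usability gap the paper points out.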
Redundancy Factor of Biometrics Systems
Best practices in the authentication area state that multi-factor authentication (i.e. more than one form of credential to identify a user) is generally stronger than any single-factor authentication method. Biometrics (i.e. recognition of one's hand, iris, voice, etc.) is generally recognized as a "good candidate" to be used with another authentication technique in a two-factor scheme; in a two-factor technique (e.g. coupling biometrics with smart card technology) the "redundancy" of the authentication raises the security level, but at the same time diminishes the user experience. Furthermore, there can be serious limitations with some biometric measures (e.g. there is a range of eye diseases that affect the capability of an iris recognition system to capture an appropriate image of the eye [4]) and with their level of social acceptability. In such cases, the authentication process must be built with redundancy, so that a second method is available to confirm the user's identity. However, an authentication process also involves a user being enrolled and verified. Hence, we should focus on enhancing user experience and convenience when choosing an authentication method.
Comparative Analysis of the Authentication Methods
As part of this project, we developed a comparative analysis of the different features encountered in authentication methods, presented in Table 3. To describe the features we make use of subjective rating scales: "Security" and "Usability" (ranging from 1=Minimum to 5=Maximum, measuring the severity of the issues related to each authentication method), and "Automatism versus Human" (ranging from 1=Human is better to 5=Machine is better). The feature "Accuracy" has two measures for authentication by biometrics: (i) the False Reject Rate (FRR), where a legitimate user is rejected by the acquisition device; (ii) the False Acceptance Rate (FAR), where a false user is accepted. The "Average Attack Space" (AAS) corresponds to the number of guesses an attacker must make in order to disclose the secret (e.g. passwords, PINs, etc.). Abbreviations used in Table 3: PK=Public Key; PRK=Private Key; SSO=Single-Sign-On; TGS=Ticket Granting Service.
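The accuracy measures defined above (FRR and FAR) and the Average Attack Space are easier to reason about when computed on concrete data. The following is an added example for this page, not the paper's own calculation: it takes a constructed set of matcher scores (invented for illustration, not real biometric data), computes FRR and FAR at a chosen acceptance threshold, finds the threshold where the two rates are closest, and computes the AAS for a knowledge-based secret of a given alphabet and length. The decision rule "accept if score is at least the threshold" and the assumption that the secret is chosen uniformly (so the expected number of guesses is half the space) are this example's own.

```python
from typing import List, Tuple

# Added example, not the paper's code. Constructed similarity scores from an
# imaginary matcher (higher = more similar); GENUINE are legitimate users,
# IMPOSTOR are false users. Not real biometric data.
GENUINE_SCORES = [0.91, 0.87, 0.78, 0.66, 0.95, 0.83, 0.72, 0.59, 0.88, 0.80]
IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.62, 0.30, 0.15, 0.57, 0.44, 0.69, 0.27]


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """FRR: share of legitimate users the device rejects at this threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """FAR: share of false users the device accepts at this threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_rates(
    genuine: List[float], impostor: List[float], threshold: float
) -> Tuple[float, float]:
    """(FRR, FAR) at one threshold; raising it trades FAR for FRR."""
    return (
        false_reject_rate(genuine, threshold),
        false_accept_rate(impostor, threshold),
    )


def equal_error_threshold(genuine: List[float], impostor: List[float]) -> float:
    """Threshold at which FRR and FAR are closest, scanning observed scores."""
    candidates = sorted(set(genuine) | set(impostor))
    return min(
        candidates,
        key=lambda t: abs(
            false_reject_rate(genuine, t) - false_accept_rate(impostor, t)
        ),
    )


def average_attack_space(alphabet_size: int, length: int) -> int:
    """Expected guesses to hit a uniformly chosen secret: half of the space.

    Assumption of this example: the attacker has no better strategy than
    enumerating the space, so on average half of it is tried."""
    return alphabet_size ** length // 2


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7):
        frr, far = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: FRR={frr:.1f} FAR={far:.1f}")
    eet = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print("equal-error threshold:", eet, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, eet))
    print("AAS, 4-digit PIN:", average_attack_space(10, 4))
    print("AAS, 8 chars over 62 symbols:", average_attack_space(62, 8))
```

The sweep shows the conflict in numbers: a stricter threshold lowers FAR (security) and raises FRR (usability), and the equal-error point is where the two columns of Table 2 are traded evenly.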
Authentication Methods: Vulnerabilities Still Remain
Despite the efforts made by organizations to provide suitable authentication methods, vulnerabilities still remain. Mechanisms and models that are complicated for the user will be misused. When an authentication method is too demanding, the user might not keep up with the increasing workload (e.g. a user might refuse to change her/his password each time s/he logs on). Thus, organizations tend to blame mostly users for the human failure of not handling complex and demanding technical systems. However, Norman argues that what we often view as human error is the result of design flaws that may be surmounted [8]. According to the Computing Technology Industry Association (CompTIA) [3], human error turns out to be the principal cause of security breaches in the computing security sector of organizations, accounting for 84% of security breaches in 900 private and public American organizations.
Table 3: Comparative analysis of the authentication methods. The table layout was lost in extraction; the recoverable content is grouped by column below, and only the row labels and the Definition column could be re-associated with confidence.
Columns: Feature/Acquisition Device | Definition | Advantages | Disadvantages | Security, Usability, Automatism versus Human (1 to 5) | Data collection environment | Input Process Time
Rows (Feature/Acquisition Device: Definition):
Passwords (PW): knowledge based, 8 to 12 digits
PIN: knowledge based, 4 digits
Proximity card: authentication token, RFID
One Time Generators: authentication token
Challenge Response: authentication token
Multi function card: authentication token
Public Key (PK): cryptography (PK and PRK)
Kerberos: Key Distribution Center
Fingerprint: biometrics, "Pattern of" (rest of the cell lost)
Voice: biometrics, user's voice when speaking
Signature: biometrics, length/width, pen pressure
Retina/Iris: biometrics, blood vessels, high definition graphic
Keystroke: biometrics, user's typing rhythm
Hand or Face Recognition: biometrics, user scanning
Under-the-skin ID chip: RFID based; unchangeable (lifetime); no enrolment
Advantages (column fragments in extraction order): Ease of deployment; Networkless; Last longer (contactless); PW difficult to guess; No synchronization; Built-in dynamic data processing; User credentials once per login session; Mutual Authentication; Ease to collect; No PWs; Forger, steal chip is pretty hard.
Disadvantages (column fragments in extraction order): Can be forgotten; Can be forgotten; Theft, fraud, counterfeit; Brute force, dictionary attack; Users share their access permissions; Need of a smart card reader; PK is single point of attack; Scalability; Criminal affiliation; Changes over time; Can signature at any time; Excessive user cooperation; Masquerade (spoofing); Masquerade (spoofing).
Security / Usability / Automatism versus Human ratings (fourteen triples in extraction order; the first, second and tenth carry fused footnote marks): 2 21 43; 2 2 53; 3 3 5; 3 3 5; 3 3 5; 5 3 5; 5 3 5; 5 3 5; 4 3 1; 1 5 44; 3 3 4; 5 2 1; 3 3 1; 4 3 3.
Data collection environment (fourteen cells in extraction order): Computer-based network; Computer-based network; Site-based (Access Control); Computer-based network; Computer-based network; PK infrastructure-based; PK infrastructure-based; Distributed-based network; Site-based (Access Control); Telecom/computer-based network; Computer-based network; Computer-based network; Computer-based network; RFID based.
Input Process Time (only the first cells survive; units of the first two are not recoverable): 7-20; 5-10; 15s-5m; 15s-5m.