Explore the trade-off between security and usability in password management, proposing balanced solutions for evaluating systems. Study current approaches, represent the relationship, and evaluate security with usability. References include academic studies on usability and security.
Security and Usability of Password Based User Authentication Systems
Hatim Alsuwat, Sami Alsuwat
Overview
• Nowadays most services and businesses are available through the Internet.
• This massive use of computer systems has resulted in two major requirements:
  • Usability, and
  • Security of passwords.
• There is a trade-off between security and usability.
Our Hypothesis
• It is feasible to define a balanced solution where the security and usability of password management are both acceptable; this allows us to evaluate the password security and usability of different systems.
The Proposed Research
• Task 1: Studying current security and usability approaches and password management,
• Task 2: Representing the relationship between security and usability of password management, and
• Task 3: Evaluating password security with usability of different systems based on Task 2. The outcome of this task can be divided into three cases as follows:
  • Case 1: Identify usable, not secure passwords,
  • Case 2: Identify unusable, secure passwords, and
  • Case 3: Identify usable, secure (balanced solution) passwords.
Task 1: Studying current security and usability approaches and password management
• Password strength is a function that estimates the average number of attempts an attacker needs in order to guess the password correctly. It is based on three factors: the length, the complexity, and the unpredictability of the password.
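The three-factor definition above, worked through as an added example (not part of the original slides): length and complexity give the size of the keyspace an attacker must search, while unpredictability is modelled by checking the password against a small constructed list of common passwords, which stands in for a real leaked-password wordlist (an assumption of this example).

```python
import math
import string

# Constructed stand-in for a leaked/common-password wordlist (assumption);
# a real evaluation would use a published list of breached passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]

# Character classes and the number of symbols each adds to the alphabet.
CLASS_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 printable symbols
)


def charset_size(password: str) -> int:
    """Complexity factor: size of the alphabet the attacker has to search,
    i.e. the sum of the sizes of every character class that appears."""
    return sum(size for chars, size in CLASS_SIZES
               if any(c in chars for c in password))


def expected_attempts(password: str) -> float:
    """Average number of guesses needed to recover the password.

    Predictable passwords fall to a dictionary attack after at most as many
    guesses as their position in the wordlist; otherwise length and
    complexity define the keyspace, of which half is searched on average.
    """
    if not password:
        return 1.0
    if password in COMMON_PASSWORDS:
        return float(COMMON_PASSWORDS.index(password) + 1)
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2


def strength_bits(password: str) -> float:
    """Password strength expressed as log2 of the expected attempts."""
    return math.log2(expected_attempts(password))


if __name__ == "__main__":
    for pw in ["password", "abcdefgh", "Tr0ub4dor&3"]:
        print(f"{pw!r}: charset={charset_size(pw)}, "
              f"attempts={expected_attempts(pw):.3g}, "
              f"bits={strength_bits(pw):.1f}")
```

A common password scores about 1 bit regardless of its length and mix of classes, which is why unpredictability is a separate factor from length and complexity.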
Password management vs. security and usability
• Weak password characteristics
• Weak password practices
• Strong password characteristics
• Strong password practices
Password management vs. security and usability
• One approach is reusing the same password for different systems.
• The problem arises with low-trust systems such as online gaming.
• If an attacker compromises the user's password for one account, then all other accounts are compromised.
Password management vs. security and usability
• An alternative approach is choosing an independent password for each system.
• This gives the strongest security guarantee: if an attacker compromises the user's password for one account, the other accounts are not compromised.
• However, there is a negative impact on usability, since most online profiles are visited infrequently; users are therefore more likely to forget those passwords, or to bypass the security by writing them down.
Task 2: Representing the relationship between security and usability of password management
Task 3: Evaluating password security with usability of different systems
• The outcome of this task can be divided into three cases as follows:
  • Case 1: Identify usable, not secure passwords,
  • Case 2: Identify unusable, secure passwords, and
  • Case 3: Identify usable, secure (balanced solution) passwords.
Case 3: Identify usable, secure (balanced solution) passwords