Posted on 11-Jan-2016

Page 1: Security and Usability of Password Based User Authentication Systems Hatim Alsuwat Sami Alsuwat

Security and Usability of Password Based User Authentication Systems

Hatim Alsuwat, Sami Alsuwat

Page 2: Overview

Nowadays most services and businesses are available through the Internet. This massive use of computer systems has produced two major requirements for passwords: usability and security. The two pull in opposite directions, so password design is a trade-off between security and usability.

Page 3: Our Hypothesis

It is feasible to define a balanced solution in which both the security and the usability of password management are acceptable. Such a definition then gives a yardstick for evaluating the password security and usability of different systems.

Page 4: The Proposed Research

•Task 1: Studying current security and usability approaches and password management,
•Task 2: Representing the relationship between security and usability of password management, and
•Task 3: Evaluating password security with usability of different systems, based on Task 2. The outcome of this task can be divided into three cases as follows:
  •Case 1: Identify usable, not secure passwords,
  •Case 2: Identify unusable, secure passwords, and
  •Case 3: Identify usable, secure (balanced solution) passwords.

Page 5: Task 1: Studying current security and usability approaches and password management

Password strength is an estimate of the average number of attempts an attacker needs in order to guess the password correctly. It depends on three factors: the length, the complexity (the size of the character set the password is drawn from), and the unpredictability of the password. Length and complexity bound the brute-force search space; unpredictability captures how far below that bound an attacker gets by trying common passwords and dictionary patterns first.
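As an added example (not code from the original slides), the following Python sketch turns the three factors into a single number of bits: the naive search space implied by length and complexity, capped by a pattern-based estimate whenever the password is predictable. The common-password list, the dictionary and the "word + digits + symbol" pattern are constructed for the example and are assumptions, not data from the slides.

```python
import math
import re
from typing import Optional

# Constructed sample lists for the example only. A real checker would load a
# breached-password corpus and a full dictionary instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "password1"}
DICTIONARY_WORDS = {"password", "summer", "dragon", "welcome", "monkey"}

# Character classes and the alphabet size each one contributes (complexity).
CHAR_CLASSES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation
)

# Assumed attacker pattern: lowercase dictionary word, 0-4 trailing digits,
# optional trailing symbol, with or without a leading capital.
WORD_SUFFIX_PATTERN = re.compile(r"([a-z]+)([0-9]{0,4})([!@#$%^&*]?)")


def naive_guess_bits(password: str) -> float:
    """log2 of the brute-force search space implied by length and complexity."""
    alphabet = sum(size for pat, size in CHAR_CLASSES if pat.search(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def predictability_bits(password: str) -> Optional[float]:
    """log2 of the guesses a pattern-aware attacker needs, or None if the
    password matches none of the assumed patterns (i.e. it is unpredictable)."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        # The attacker simply walks the common-password list.
        return math.log2(len(COMMON_PASSWORDS))
    m = WORD_SUFFIX_PATTERN.fullmatch(lowered)
    if m and m.group(1) in DICTIONARY_WORDS:
        # guesses = dictionary size x digit suffixes x symbol choices x capitalisation
        digit_space = 10 ** len(m.group(2))
        symbol_space = 8 if m.group(3) else 1
        return math.log2(len(DICTIONARY_WORDS) * digit_space * symbol_space * 2)
    return None


def strength_bits(password: str) -> float:
    """Average-attempt estimate in bits: the naive keyspace bound, reduced to
    the pattern-based estimate when the password is predictable."""
    naive = naive_guess_bits(password)
    pattern = predictability_bits(password)
    return naive if pattern is None else min(naive, pattern)


if __name__ == "__main__":
    for pw in ("123456", "Password1!", "summer2019", "correcthorsebattery"):
        print(f"{pw:22s} naive={naive_guess_bits(pw):5.1f} bits "
              f"strength={strength_bits(pw):5.1f} bits")
```

The interesting case is "Password1!": it satisfies every complexity rule and has a naive search space near 66 bits, yet the pattern estimate drops it below 10 bits, which is why complexity alone is a poor proxy for strength and why the third factor, unpredictability, has to be measured separately.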

Page 6: Password management vs. security and usability

(Table with four columns: weak password characteristics, weak password practices, strong password characteristics, strong password practices. Only the column headings survive in the transcript.)

Page 7: Password management vs. security and usability

The first approach is to reuse the same password for different systems. The problem is low-trust systems such as online gaming sites: if an attacker compromises the user's password on one of those accounts, then every other account that shares the password is compromised as well, because the attacker can simply replay it against the higher-value services.

Page 8: Password management vs. security and usability

The alternative approach is to choose an independent password for each system. This gives the strongest security guarantee, since an attacker who compromises the user's password for one account learns nothing about the others.

However, it has a negative impact on usability: most online profiles are visited infrequently, so users are more likely to forget those passwords, or to bypass the security by writing them down.
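The trade-off on slides 7 and 8 can be made concrete by counting, for a constructed account portfolio, how many passwords the user must remember (the usability cost) against how many accounts fall when the weakest site leaks (the security cost). This is an added example, not the authors' code. The account list, the trust levels and the "tiered" policy (one password per trust level) are assumptions introduced here; the tiered policy goes beyond the two approaches the slides discuss and is included only to show a point between them.

```python
# Constructed example portfolio: (site, trust level). The trust levels are an
# assumption used to model the "low-trust systems such as online gaming" point.
ACCOUNTS = [
    ("bank", "high"),
    ("email", "high"),
    ("employer-vpn", "high"),
    ("shop", "medium"),
    ("forum", "low"),
    ("gaming", "low"),
]


def assign_passwords(accounts, policy):
    """Map each site to a password identifier under a policy.

    'reuse'       : one password everywhere (slide 7)
    'independent' : a distinct password per site (slide 8)
    'tiered'      : one password per trust level (hypothetical middle ground)
    """
    mapping = {}
    for site, trust in accounts:
        if policy == "reuse":
            mapping[site] = "pw"
        elif policy == "independent":
            mapping[site] = f"pw-{site}"
        elif policy == "tiered":
            mapping[site] = f"pw-{trust}"
        else:
            raise ValueError(f"unknown policy: {policy}")
    return mapping


def compromised_after_leak(mapping, leaked_site):
    """Sites whose password is the same one that leaked from leaked_site,
    i.e. the blast radius of a single-site compromise under password reuse."""
    leaked_pw = mapping[leaked_site]
    return sorted(site for site, pw in mapping.items() if pw == leaked_pw)


def evaluate(accounts, policy, leaked_site="gaming"):
    """Usability cost (distinct passwords to remember) versus security cost
    (accounts compromised when the low-trust leaked_site is breached)."""
    mapping = assign_passwords(accounts, policy)
    return {
        "passwords_to_remember": len(set(mapping.values())),
        "compromised": compromised_after_leak(mapping, leaked_site),
    }


if __name__ == "__main__":
    for policy in ("reuse", "independent", "tiered"):
        result = evaluate(ACCOUNTS, policy)
        print(f"{policy:12s} remember={result['passwords_to_remember']} "
              f"compromised={result['compromised']}")
```

With the constructed portfolio, reuse costs one password and loses all six accounts when the gaming site leaks; independent passwords cost six and lose only the gaming account; the tiered policy costs three and loses the two low-trust accounts, but a leak of a high-trust site still takes the bank, the mailbox and the VPN together, which is the reason it is not a substitute for independent passwords on high-value accounts.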

Page 9: Task 2: Representing the relationship between security and usability of password management

Page 10: Task 3: Evaluating password security with usability of different systems

The outcome of this task can be divided into three cases as follows:
•Case 1: Identify usable, not secure password,
•Case 2: Identify unusable, secure password, and
•Case 3: Identify usable, secure (balanced solution) password.

Page 11: Case 1: Identify usable, not secure password

Page 12: Case 2: Identify unusable, secure password

Page 13: Case 3: Identify usable, secure (balanced solution) password
