AUTHENTICATION MELEE: A Usability Analysis of Seven Web Authentication Systems
Scott Ruoti, Brent Roberts, Kent Seamons
Internet Security Research Lab, Brigham Young University
World Wide Web Conference 2015, Florence, Italy

Acknowledge co-authors: Scott Ruoti, Brent Roberts

Passwords Rule the Web
- Deployed everywhere
- Well-known security problems
- Many proposed systems to replace them
- Passwords have a combination of usability, deployability, and security that is hard to beat (Bonneau et al., The Quest to Replace Passwords, IEEE Security & Privacy 2012)
May 20, 2015, WWW 2015, Florence, Italy

Our Research Agenda
- Develop single sign-on protocols using Secure Remote Password (SRP)
- Analyze the security and usability of our system
- We wanted to leverage experience from prior work in usable authentication
  - What are the most usable authentication systems?
  - How do we measure the usability of an authentication system?

Where Are We?
- Looked at systems proposed in the research literature
- No clear best system
- Lack of empirical analysis
- Limitations
  - Proposals are not evaluated using standard usability metrics
  - Proposals are not compared against each other

Security vs. Usability
(Image: big dog vs. little dog)

Where Do We Want to Be?
- Elevate usability to an equal footing with security
  - Truly secure systems must be both secure and usable
- Determine which proposals have the best overall usability
  - Use a standard metric
  - Head-to-head comparison of proposals
  - Identify best-in-class systems
- Establish a basis for evaluating new proposals
  - New proposals should not receive serious attention until they demonstrate acceptable usability
  - Security researchers can be poor predictors of usability

Authentication Melee
- Conducted an empirical analysis of seven web authentication systems
  - Federated single sign-on: Google OAuth 2.0, Facebook Connect, Mozilla Persona
  - Email-based: SAW, Hatchet
  - QR code-based: WebTicket, Snap2Pass
- Used the System Usability Scale (SUS) as a standard usability metric
- Organized the systems into head-to-head competitions

Tournament Structure
- Difficult to do a full combinatorial study
  - If each participant tests two systems, it requires a large number of participants
  - If each participant tests all systems, it can lead to study fatigue
- Instead we structured our study as a tournament
  - First round based on the type of authentication system

Federated Single Sign-on
- Authentication is centralized into a single identifying party
- The website relies on the identifying party to verify the identity of users
- Systems
  - Google OAuth 2.0: widespread
  - Facebook Connect: widespread
  - Mozilla Persona: the identifying party only handles authentication

Email-based
- Single sign-on where all email providers are identity providers
- Users verify their identity by demonstrating their ability to send or receive email
- Systems
  - SAW: click on a link sent in an email message
  - Hatchet: enter a code sent in an email message
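To make the email-based flow concrete, here is an added example (not code from the talk, SAW, or Hatchet) of how a website can issue and check the token that rides in the emailed link or code. It is a simplified hypothetical design: the ten-minute lifetime, single use, storing only a digest of the token, and the placeholder address are all assumptions, not details from the slides.

```python
"""Single-use emailed login token, illustrating the email-based single sign-on
flow described in the talk (SAW sends a link, Hatchet sends a code).
Simplified hypothetical design, not the SAW or Hatchet protocol itself."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 600  # assumption: an emailed token is valid for ten minutes

# Pending tokens keyed by the SHA-256 digest of the token, so a leaked copy of
# this store does not yield usable tokens. Value: (email address, expiry time).
_pending: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Mint a random token bound to `email`, remember only its digest, and
    return the token so the caller can place it in the emailed link or code."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def verify_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a fresh, unexpired token issued to `email`.
    The entry is removed on the first attempt whatever the outcome, so a token
    can never be replayed and a wrong attempt with it burns it."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)
    if entry is None:
        return False
    bound_email, expiry = entry
    if now > expiry:
        return False
    # Constant-time comparison of the address the token was bound to.
    return hmac.compare_digest(bound_email.encode(), email.encode())


def demo() -> Dict[str, bool]:
    """Constructed walk-through with a placeholder address and a fixed clock."""
    t0 = 1_000_000.0
    token = issue_token("user@example.invalid", t0)
    first = verify_token("user@example.invalid", token, t0 + 5)    # True
    replay = verify_token("user@example.invalid", token, t0 + 6)   # False
    stale = issue_token("user@example.invalid", t0)
    expired = verify_token("user@example.invalid", stale,
                           t0 + TOKEN_TTL_SECONDS + 1)              # False
    return {"first_use": first, "replay": replay, "expired": expired}
```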

QR Code-based
- Encodes authentication credentials into a QR code
- Two recent systems
  - WebTicket: credentials are encoded into a token that is printed out; the token is shown to the website to authenticate the user
  - Snap2Pass: the user's phone acts as the identity provider; the website sends information to the phone through QR codes

Methodology
- Four studies in total
  - Federated single sign-on: 24 participants
  - Email-based: 18 participants
  - QR code-based: 25 participants
  - Championship round: 30 participants
- Participants were from BYU
  - Most were undergraduates
  - Most were between 18 and 24 years old
  - On average rated themselves as having intermediate technical skills

Study Design
- Built two websites: a forum website and a bank website
- Implemented the seven authentication systems
  - Existing implementations were unavailable
  - Consistent look and functionality
- Six tasks: 2 registration tasks and 4 authentication tasks
  - Repeated the same tasks for each system tested
- Questionnaire: after each system, and after the study as a whole

System Usability Scale
- Single numeric score between 0 and 100 (higher is better)
- Calculated from user responses to 10 Likert-scale questions
- Individual participants' SUS scores are averaged to give the overall SUS score

SUS Questions
1. I think that I would like to use this system frequently.
2. I found the system unnecessarily complex.
3. I thought the system was easy to use.
4. I think that I would need the support of a technical person to be able to use this system.
5. I found the various functions in this system were well integrated.
6. I thought there was too much inconsistency in this system.
7. I would imagine that most people would learn to use this system very quickly.
8. I found the system very cumbersome to use.
9. I felt very confident using the system.
10. I needed to learn a lot of things before I could get going with this system.

What Does the SUS Score Mean?
- If a system has a SUS score of 75, what does that mean?
- Bangor et al. examined SUS in over 200 usability studies and developed an adjective-oriented interpretation of SUS scores
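The slides describe SUS as a 0 to 100 score computed from the ten Likert items above and averaged across participants. The following added example (not from the talk or the paper) carries that computation through with the standard SUS scoring rule: odd items contribute (answer - 1), even items contribute (5 - answer), and the sum is scaled by 2.5. The participant answers are constructed, and the 70-point threshold encodes the recommendation the talk makes later.

```python
"""System Usability Scale (SUS) scoring as described in the talk: ten Likert
items (1 = strongly disagree ... 5 = strongly agree), one 0..100 score per
participant, and the per-participant scores averaged for the overall score."""
from statistics import mean
from typing import Sequence

SUS_ITEMS = 10
RECOMMENDED_MINIMUM = 70.0  # the talk's threshold for serious consideration


def sus_score(responses: Sequence[int]) -> float:
    """Score one participant's ten answers.
    Odd-numbered items are positively worded and contribute (answer - 1);
    even-numbered items are negatively worded and contribute (5 - answer).
    Each item therefore yields 0..4; the sum (0..40) times 2.5 gives 0..100."""
    if len(responses) != SUS_ITEMS:
        raise ValueError(f"expected {SUS_ITEMS} answers, got {len(responses)}")
    total = 0
    for item, answer in enumerate(responses, start=1):
        if not 1 <= answer <= 5:
            raise ValueError(f"item {item}: answer {answer} outside 1..5")
        total += (answer - 1) if item % 2 == 1 else (5 - answer)
    return total * 2.5


def overall_sus(all_responses: Sequence[Sequence[int]]) -> float:
    """Average the per-participant scores to get the system's SUS score."""
    return mean(sus_score(r) for r in all_responses)


def meets_recommendation(score: float) -> bool:
    """Apply the talk's rule: at least 70 before a proposal gets serious attention."""
    return score >= RECOMMENDED_MINIMUM


# Constructed answers for two participants (not data from the study).
PARTICIPANTS = [
    [4, 2, 4, 1, 4, 2, 4, 2, 4, 2],  # mostly favourable -> 77.5
    [3, 3, 4, 2, 3, 2, 3, 3, 4, 3],  # lukewarm -> 60.0
]

if __name__ == "__main__":
    for answers in PARTICIPANTS:
        print(answers, "->", sus_score(answers))
    score = overall_sus(PARTICIPANTS)                # 68.75
    print("overall:", score, "meets 70?", meets_recommendation(score))
```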

Results: Federated Single Sign-on
- Winner: three-way tie
  - SUS scores between 71 and 72: Good, Acceptable, C grade
- Chose Google OAuth 2.0 to advance
  - Mozilla Persona took longer to authenticate; the difference was not mentioned in participants' qualitative responses
  - Trust issues with Google OAuth 2.0 and Facebook Connect

System    SUS score
Google    72.0
Facebook  71.4
Mozilla   71.8

Results: Email-based
- Winner: SAW
- Both systems performed poorly
  - SAW: OK, low-marginal acceptability, D grade; participants disliked checking their email
  - Hatchet: OK, low-marginal acceptability, F grade; users don't want to leave their browser

System   SUS score
SAW      61.0
Hatchet  53.5

Results: QR Code-based
- Winner: Snap2Pass
  - WebTicket: OK, low-marginal acceptability, D grade
  - Snap2Pass: Good, Acceptable, B grade

System     SUS score
WebTicket  57.9
Snap2Pass  75.7

Championship Round
- Participants: Google OAuth 2.0, SAW, Snap2Pass
- Google OAuth 2.0 and Snap2Pass tie
- SUS scores consistent with earlier scores
- Overall winners: federated single sign-on and Snap2Pass

System     SUS score
Google     75.0
SAW        53.2
Snap2Pass  68.4

Championship Round
- Participants were asked how the systems compared to each other and to passwords

System Usability Scale
- Repeatable results: consistent SUS scores between studies
- Good predictor of overall preference
  - More accurate than mean time to authenticate
- Recommendation: all new proposals should be evaluated using SUS
  - New system proposals should not be seriously considered until they receive a score of at least 70

Qualitative Feedback
- Users provided feedback via open-ended survey questions and in-person interviews
- The results provide interesting user perspectives on authentication

Transparency
- In usable security, transparency refers to hiding security details
- Transparency increases usability
  - Tested this by modifying SAW to automate token retrieval
  - Used participants from the second usability study (email-based)
  - Increased the SUS score by 12.1 points
  - Statistically significant difference (p = 0.01)

Transparency
- Transparency can result in a lack of trust
- Similar phenomenon in our secure email research: Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes, Ruoti et al., SOUPS 2013
- "I would like to understand more about how it works up-front. It doesn't feel secure."
- "I think it was very straightforward to use. Once again like with the other system, perhaps an explanation of how it protected information would give me more confidence in using it."

Single Sign-on Protocols
- Users liked the speed and convenience
- Users recognized the risk of putting all their eggs in one basket
  - Suggested augmenting SSO with low-entropy passwords at the website
  - Adds security if the identity provider account is compromised

Single Sign-on Protocols
- Reputation of the identity provider is important
- Desire for dedicated identity providers
- "I would be worried about security. I've heard that Facebook is 'relatively' easy to hack. I would want to be sure that it was all secure before I started using it."
- "I trust Google with my passwords."
- "I would make an account separate from my social network and mail specifically for functions like banking etc."

The Coolness Factor
- Participants were most willing to adopt systems that they described as "cool"
- "Man was that cool!"
- "Also, the feel of it made me enjoy doing it. I felt technologically literate and the app felt futuristic as a whole, which I enjoyed."

Biometrics
- We did not test or mention biometrics in our study
- Users consistently mentioned them as being a "cool" way to authenticate
- Indication that users may be accepting of viable biometric solutions
- "retinal scanner so i just sit in front of my computer and it scans my eye. dope."
- "The ideal system would scan some part of my body - either eye or thumb - because these are literally ALWAYS with me."

Conclusion
- We tested seven web authentication systems
  - Found federated single sign-on and Snap2Pass to be the most usable
  - First empirical analysis of a heterogeneous collection of authentication proposals
- System Usability Scale
  - SUS is a good measure of usability for authentication proposals
  - Repeatable results that allow for comparing heterogeneous systems
  - Recommend it be used for all new authentication proposals
  - Minimum score of 70 for serious consideration
- Future work
  - Exploring the tradeoffs of transparency in authentication
  - Low-entropy passwords with single sign-on
  - Biometric-based web authentication

Questions?
Contact: