Mary Theofanos Visualization & Usability Group Information Access Division Information Technology Laboratory PIV Pilot Usability Lessons Learned.

Slides:

Advertisements

Similar presentations

ARIN XIMemphis, TN April 2003 ARIN DBWG Tim Christensen Authentication Update.

Advertisements

Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.

A mobile single sign-on system Master thesis 2006 Mats Byfuglien.

A Comprehensive Study of the Usability of multiple Graphical Passwords SoumChowdhury (Presenter) Ron Poet Lewis Mackenzie 1 School of Computing Science.

The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.

Public Key Infrastructure (PKI) Hosting Services.

1 Cypak core technology New convenient security solutions for online gaming Combat fraud and keep your customer happy.

Controlling Access to Resources for Walk-In Users 14 September 2006 Rod Crowley Systems Team Leader Leeds University Library.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Getting Started. Edline Web Site Requirements Provide Students and Parents With: 1.A Brief Course Description 2.Your Address 3.Course Syllabus 4.Major.

Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.

PRODUCT FOCUS 4/14/14 – 4/25/14 INTRODUCTION Our Product Focus for the next two weeks is Microsoft Office 365. Office 365 is Microsoft’s most successful.

Systems Analysis and Design 9th Edition

Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan

FMMI Overview October 2014.

Fire Officer Strategy and Tactics (FOST) State Certification Practical Examination PART “A” May 2009.

March 14, 2012 Office of Client Solutions 1800 F Street, NW Washington, DC Working together to meet your needs and make.

1 Emerging Knowledge-Based Business Models Robert M. Shapiro, CEO Meta Software Corporation.

Mary Theofanos Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security.

Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.

NIH Policy Manual 2811 Policy on Smart Card Authentication iTrust Forum Mark L. Silverman December 10, 2009

11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.

IPv6 Survey: Taking the Federal Pulse on IPv6 Summary Results Market Connections, Inc. June 2006.

21 st Century 2.0 Project Creating a 21 st Century Learning Environment at Hillview School.

Fire Officer Strategy and Tactics (FOST)

Ministry of State for Administrative Development Towards Meaningful ICT Indicators for Developing Countries Dr. Ahmed M. Darwish EGYPT Government and Education.

● Agenda 2 What is TNet? Why Adopt TNet? How it Works Timeline The Two Goals Steps for Implementation.

Kevin Killourhy Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security:

UNCLASSIFIED NGA NIPRNET Presentation to FLIP Coordinating Committee, Digital Working Group Larry Glick, (314) , Aeronautical.

Institutional Considerations

Systems Analysis and Design 8 th Edition Chapter 2 Analyzing the Business Case.

Virtual University - Human Computer Interaction 1 © Imran Hussain | UMT Imran Hussain University of Management and Technology (UMT) Lecture 40 Observing.

+ Chapter 9: Management of Business Intelligence © Sabherwal & Becerra-Fernandez.

STRATEGY SESSION SEPTEMBER 15, YEAR SECURITY DISCUSSION 1 NETWORK PLANNING TASK FORCE.

ISPAB Panel on Usable Security Mary Frances Theofanos - NIST Ellen Cram Kowalczyk - Microsoft.

E VALUATING YOUR E - LEARNING COURSE LTU Workshop 11 March 2008.

How to become a Horizon 2020 Evaluator.

/ 8 FEIDHE Electronic Identification in Finnish Higher Education Janne Kanner FEIDHE Electronic Identification in Finnish Higher Education.

Security for eScience M. Angela Sasse & Brock Craft University College London

An Online learning journal system. Staff record children's progress and activities using tablet devices and PCs. Parents can view their child’s journal.

The Digital Portfolio Add samples of student work directly from the Gradebook into the Digital Portfolio Keep track of several different formats: Written.

Introduction to the PKI Issues at UW Madison Presented to ITC on Friday, 3/18/2005 Tom Jordan Systems Engineer,

Impact Research 1 Enabling Decision Making Through Business Intelligence: Preview of Report.

E-ticketing ONLINE CINEMA TICKET BOOKING SYSTEM. What is eticketing system ? Modern science and technology are bringing us into the digital time. In the.

1 Data Warehouse Assessments What, Why, and How Noah Subrin Technical Lead SRA International April 24, 2010.

For the Students Students in elementary school right now have always used technology, classes seem outdated and boring to most because of the lack of.

Systems Analysis & Design 7 th Edition Chapter 2.

Component D: Activity D.3: Surveys Department EU Twinning Project.

‘How and where should financial brands focus their digital attention?’ January 2014.

Help You Choose For Tutors PRESENTER: REPLACE ALL RED TEXT BEFORE YOU START!

Q K-12 Blueprint Overview. 2 The K-12 Blueprint offers resources for education leaders involved in planning and implementing personalized learning.

WikID installation/training

Chapter One: Mastering the Basics of Security

U.S. Department of Energy Consolidated Audit Program

Enterprise Single Sign-On

Multifactor Authentication & First Time Login

GSBS IT Resources and Security

LEAP 360: Accessing K-2 Formative Tasks

School’s Cool Makes a Difference!

Logging in to CIITS.

Authentication & the Web

PLANNING A SECURE BASELINE INSTALLATION

Patient Access to Electronic Medical Records

Password Reset and Access Management

Scott Miller TSM Team Lead Ray Mah Architect, Foundation

Scott Miller TSM Team Lead Ray Mah Architect, Foundation

OU BATTLECARD: Oracle Identity Management Training

OU BATTLECARD: E-Business Suite Courses and Certifications

OU BATTLECARD: Oracle WebCenter Training

Presentation transcript:

Mary Theofanos Visualization & Usability Group Information Access Division Information Technology Laboratory PIV Pilot Usability Lessons Learned

Comprehensive National Cyber-Security Initiative: Research and Development

Usability Research Goal: To enable policy makers and system implementers to make better decisions

PIV Pilot study objectives Investigate and gain insight on the impact of this new system on worker performance Explore attitudes people have about this new authentication approach that may affect uptake. Learn whether there are differences in users’ expectations and attitudes of the system prior to first use and ongoing use.

What did the Pilot involve? 26 NIST employees (of 100 Pilot users) over 10 weeks that used the PIV card and pin to: Log in to their computer Digitally sign Encrypt Access a web application to register visitors

What information did we collect? Daily s surveys (diary) Periodic interviews Direct observation Pre and post surveys Did you use the PV card to login today? If not why not? Did you have problems?

What did we learn? Installation and Training Streamline the PIV update certificate process Develop a strategy for coordinating technical support for users of PIV cards and readers. Provide a variety of training opportunities to accommodate the wide variety of learning styles that users have

What did we learn? Work Environment and Form Factor One size does not fit all. A wide range of devices should be evaluated and be made available for users to choose Continue to support use of username and passwords to address forgotten, stolen and lost PIV cards. Refrain from mandating a PIN that changes frequently No clear policy on when to encrypt/decrypt or digitally sign an Clear guidance on how to choose between certificates. All web applications should use PIV

What did we learn? Work Environment and Form Factor One size does not fit all. A wide range of devices should be evaluated and be made available for users to choose Continue to support use of username and passwords to address forgotten, stolen and lost PIV cards. Refrain from mandating a PIN that changes frequently No clear policy on when to encrypt/decrypt or digitally sign an Clear guidance on how to choose between certificates. How do you use PIV for multiple computers at one time All web applications should use PIV

Users Views of PIV Security Users develop mental models of security that are inaccurate No concept that possessing the card is part of the overall security mechanism (multi-factor) Reinforces the importance for security to be as transparent as possible and to maximize direct benefits to users

User Acceptance Users who interacted with the usability team were much more accepting than others users in pilot 1) used their PIV cards more during the pilot ; and 2) are much more likely to continue using their PIV cards for accessing their computers Consider creating user groups to allow development of in- house expertise related to PIV use.

Wrong Approach: Aw, they’ll get used to it

Contact Information Mary Theofanos Emile Morse