Usability of web authentication systems explained

Usability of web authentication systems refers to the efficiency and user acceptance of online authentication systems.[1] Examples of web authentication systems are passwords, federated identity systems (e.g. Google OAuth 2.0, Facebook Connect, Sign in with Apple), email-based single sign-on (SSO) systems (e.g. SAW, Hatchet), QR code-based systems (e.g. Snap2Pass, WebTicket) or any other system used to authenticate a user's identity on the web. Even though the usability of web authentication systems should be a key consideration in selecting a system, very few web authentication systems (other than passwords) have been subjected to formal usability studies or analysis.[2]

Usability and users

A web authentication system needs to be as usable as possible whilst not compromising the security that it needs to ensure.[1] The system needs to restrict access by malicious users whilst allowing access to authorised users. If the authentication system does not have sufficient security, malicious users could easily gain access to the system. On the other hand, if the authentication system is too complicated and restrictive, an authorised user would not be able to (or want to) use it.[3] Strong security is achievable in any system, but even the most secure authentication system can be undermined by the users of the system, often referred to as the "weak links" in computer security.[4]

Users tend to inadvertently increase or decrease the security of a system. If a system is not usable, security can suffer because users will try to minimise the effort that authentication demands of them, for example by writing their passwords down on paper. A more usable system reduces the incentive to do this. Users are also more likely to comply with authentication requests from systems they consider important (e.g. online banking) than from less important systems (e.g. a forum the user visits infrequently), where the mechanism may simply be ignored. Users accept security measures only up to a certain point before becoming annoyed by complicated authentication mechanisms.[4] An important factor in the usability of a web authentication system is therefore how convenient it is for the user.

Usability and web applications

The preferred web authentication system for web applications is the password,[4] despite its poor usability and several security concerns.[5] This widely used system usually contains mechanisms that were intended to increase security (e.g. requiring users to choose high-entropy passwords) but that make password systems less usable and, inadvertently, less secure,[6] because users find high-entropy passwords harder to remember and compensate by writing them down or reusing them.[7] Application creators need to make a paradigm shift and develop more usable authentication systems that take the user's needs into account.[5] Replacing the ubiquitous password-based systems with more usable (and possibly more secure) systems could bring major benefits to both the owners of an application and its users.

Measurement

To measure the usability of a web authentication system, one can use the "usability–deployability–security" or "UDS" framework[5] or a standard metric such as the System Usability Scale (SUS).[2] The UDS framework defines a list of benefits grouped into three broad categories, namely usability, deployability and security, and rates the scheme under evaluation as offering, partially offering or not offering each benefit. The result is a per-benefit comparison table rather than a single score, so two schemes can be compared within a category (e.g. which is more usable) as well as across the trade-offs between categories.[5]
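As an added illustration (not code from the article or from any of the cited papers), the following Python script scores System Usability Scale questionnaires and tallies benefits in the style of the UDS framework. The SUS scoring rule is Brooke's standard one; the benchmark value of 68, the benefit names chosen for each category and, in particular, the ratings assigned to "password" and "federated-sso" are constructed for illustration and are not the published UDS table.

```python
"""Added example (not from the article or its cited papers): scoring System
Usability Scale (SUS) questionnaires and tallying UDS-style benefits.
The benefit names follow the UDS vocabulary, but the ratings given to each
scheme below are constructed for illustration, not the published table."""
from typing import Dict, List, Sequence

# --- System Usability Scale (Brooke) ---------------------------------------
# Ten statements, each answered 1..5 (strongly disagree .. strongly agree).
# Odd items are positively worded and score (answer - 1); even items are
# negatively worded and score (5 - answer). Each item thus contributes 0..4,
# and the sum is multiplied by 2.5 to give a 0..100 score.
SUS_BENCHMARK = 68.0  # assumed benchmark: commonly cited mean SUS across studies


def sus_score(answers: Sequence[int]) -> float:
    """SUS score (0..100) for one respondent's ten answers."""
    if len(answers) != 10:
        raise ValueError("SUS has exactly 10 items")
    total = 0
    for item, a in enumerate(answers, start=1):
        if not 1 <= a <= 5:
            raise ValueError(f"item {item}: answer {a} outside 1..5")
        total += (a - 1) if item % 2 == 1 else (5 - a)
    return total * 2.5


def mean_sus(study: Sequence[Sequence[int]]) -> float:
    """Mean SUS score over all respondents in a study."""
    if not study:
        raise ValueError("no respondents")
    return sum(sus_score(a) for a in study) / len(study)


def meets_benchmark(study: Sequence[Sequence[int]],
                    benchmark: float = SUS_BENCHMARK) -> bool:
    """True if the study's mean SUS reaches the chosen usability benchmark."""
    return mean_sus(study) >= benchmark


# Constructed responses for two respondents evaluating a hypothetical scheme.
SAMPLE_STUDY = [
    [4, 2, 5, 1, 4, 2, 5, 2, 4, 1],  # enthusiastic respondent
    [3, 3, 3, 3, 3, 3, 3, 3, 3, 3],  # neutral on every item
]

# --- UDS-style benefit tally -----------------------------------------------
# Each scheme is rated per benefit as offered (1.0), partially offered (0.5)
# or not offered (0.0). A category score is the mean over that category's
# benefits, so schemes are compared on usability, deployability and security
# separately instead of being collapsed into one number.
OFFERS, QUASI, NO = 1.0, 0.5, 0.0

CATEGORIES: Dict[str, List[str]] = {
    "usability": ["memorywise-effortless", "scalable-for-users",
                  "nothing-to-carry", "efficient-to-use"],
    "deployability": ["server-compatible", "browser-compatible",
                      "negligible-cost-per-user"],
    "security": ["resilient-to-phishing", "resilient-to-physical-observation",
                 "no-trusted-third-party"],
}

# Hypothetical ratings, constructed for this example only.
RATINGS: Dict[str, Dict[str, float]] = {
    "password": {
        "memorywise-effortless": NO, "scalable-for-users": NO,
        "nothing-to-carry": OFFERS, "efficient-to-use": OFFERS,
        "server-compatible": OFFERS, "browser-compatible": OFFERS,
        "negligible-cost-per-user": OFFERS,
        "resilient-to-phishing": NO, "resilient-to-physical-observation": NO,
        "no-trusted-third-party": OFFERS,
    },
    "federated-sso": {
        "memorywise-effortless": QUASI, "scalable-for-users": OFFERS,
        "nothing-to-carry": OFFERS, "efficient-to-use": OFFERS,
        "server-compatible": NO, "browser-compatible": OFFERS,
        "negligible-cost-per-user": OFFERS,
        "resilient-to-phishing": NO, "resilient-to-physical-observation": NO,
        "no-trusted-third-party": NO,
    },
}


def category_scores(scheme: str) -> Dict[str, float]:
    """Fraction of each category's benefits the scheme offers (quasi counts half)."""
    ratings = RATINGS[scheme]
    scores: Dict[str, float] = {}
    for category, benefits in CATEGORIES.items():
        missing = [b for b in benefits if b not in ratings]
        if missing:
            raise KeyError(f"{scheme}: unrated benefits {missing}")
        scores[category] = sum(ratings[b] for b in benefits) / len(benefits)
    return scores


def rank_by(category: str) -> List[str]:
    """Schemes ordered best-first on one category."""
    return sorted(RATINGS, key=lambda s: category_scores(s)[category], reverse=True)


if __name__ == "__main__":
    print(f"mean SUS: {mean_sus(SAMPLE_STUDY):.1f} (benchmark {SUS_BENCHMARK})")
    for name in RATINGS:
        print(name, {k: round(v, 2) for k, v in category_scores(name).items()})
    print("best usability:", rank_by("usability")[0],
          "| best security:", rank_by("security")[0])
```

The point of keeping the three category scores separate is the one the framework makes: with these constructed ratings the federated scheme ranks first on usability while the password ranks first on security and deployability, a trade-off that a single aggregated number would hide.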

Measuring the usability of a web authentication system allows it to be evaluated formally and ranked relative to other systems. While a great deal of research on web authentication systems is being done, it tends to focus on security rather than usability.[1] Future work should evaluate proposed systems formally for usability using a comparable metric or technique. This enables different authentication systems to be compared and makes it possible to determine whether a system meets a minimum usability benchmark.[2]

Which web authentication system to choose

It has been found that security experts tend to focus more on security and less on the usability aspects of web authentication systems.[5] This is problematic, as there needs to be a balance between the security of a system and its ease of use. A study conducted in 2015[2] found that users tend to prefer single sign-on based systems (like those provided by Google and Facebook) because they find them fast and convenient to use.[2] Single sign-on based systems have resulted in substantial improvements in both usability and security,[5] although they concentrate trust in the identity provider: in the terms of the same framework, such federated schemes do not offer the "no trusted third party" benefit. SSO reduces the number of usernames and passwords users must remember, as well as the time needed to authenticate, thereby improving the usability of the system.

Other important considerations

Future work

Usability will become more and more important as more applications move online and require robust and reliable authentication systems that are both usable and secure. The use of brainwaves in authentication systems[8] has been proposed as one possible way to achieve this, but more research and usability studies are required.

Notes and References

  1. Braz, Christina; Robert, Jean-Marc (2006-04-18). "Security and Usability: The Case of the User Authentication Methods". ACM Digital Library, ACM, New York, NY, USA, pp. 199–203. Retrieved 24 February 2016.
  2. Ruoti, Scott; Roberts, Brent; Seamons, Kent. "Authentication Melee: A Usability Analysis of Seven Web Authentication Systems". 24th International World Wide Web Conference, pp. 916–926. Retrieved 24 February 2016.
  3. Schneier, Bruce. "Balancing Security and Usability in Authentication". Schneier on Security. Retrieved 24 February 2016.
  4. Renaud, Karen (January 2004). "Quantifying the Quality of Web Authentication Mechanisms: A Usability Perspective". Journal of Web Engineering. Retrieved 24 February 2016.
  5. Bonneau, Joseph; Herley, Cormac; van Oorschot, Paul C.; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". 2012 IEEE Symposium on Security and Privacy, pp. 553–567. doi:10.1109/SP.2012.44. ISBN 978-1-4673-1244-8. Also issued by the University of Cambridge Computer Laboratory, ISSN 1476-2986.
  6. Sundararaman, Jeyaraman; Topkara, Umut (2005). "Have the cake and eat it too - Infusing usability into text-password based authentication systems". 21st Annual Computer Security Applications Conference (ACSAC'05), IEEE, pp. 473–482. doi:10.1109/CSAC.2005.28. ISBN 0-7695-2461-3. ISSN 1063-9527.
  7. Ma, Y.; Feng, J. (2011). "Evaluating Usability of Three Authentication Methods in Web-Based Application". 2011 Ninth International Conference on Software Engineering Research, Management and Applications, IEEE, pp. 81–88. doi:10.1109/SERA.2011.18. ISBN 978-1-4577-1028-5.
  8. Financial Cryptography and Data Security. Springer Berlin Heidelberg, 2013, pp. 1–16. ISBN 978-3-642-41320-9.