Making User Authentication More Usable
Jim Fenton
@jimfenton
Context
I’m a consultant to the National Institute of Standards and Technology, focusing on revising US Government digital identity standards.
Everything here is my own opinion; I don’t speak for NIST!
This talk focuses on the usability aspects of authentication, and the security aspects only incidentally.
About SP 800-63
NIST Special Publication 800-63, Digital Identity Guidelines
Intended for federal government use, but also widely used commercially and internationally
Four-volume Set
Enrollment and Identity Proofing: SP 800-63A
Authentication and Lifecycle Management: SP 800-63B
Federation and Assertions: SP 800-63C
Executive Order 13681, “Improving the Security of Consumer Financial Transactions”
“…ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
Who are the Users?
Everybody:
Non-English speakers
Homeless people
Disabled veterans
Hospital patients
Physicians
Elderly
Students
Usability needs to consider all of these, not just Federal employees!
Photo by Rob Curran on Unsplash
Usability Emphasis in SP 800-63-3
Engaged NIST human-factors specialists
Included a Usability Considerations section in each volume (A, B, and C)
Invited review on normative requirements that might affect usability
Related Concepts
Accessibility: Can users with various disabilities authenticate?
Availability: Can users authenticate under all circumstances?
Authenticators
Nine authenticator types defined
Memorized secret (password, PIN, etc.)
Look-up secret
Out-of-band device
Single- and multi-factor OTP device
Single- and multi-factor crypto software
Single- and multi-factor crypto device
Factors
There are three authentication factors:
Something you know (password)
Something you have
Something you are (biometric)
Authenticators may provide 1 or 2 of these
Memorized Secrets
Passwords, passphrases, PINs, etc.
Memorized Secrets
Passwords are:
Most used authenticators
Most hated authenticators
Relatively weak
But they’re the only “something you know”
Security questions no longer acceptable
Making Passwords More Usable
Action: Get rid of composition rules (include digits, symbols, etc.)
Rationale: Frustrating for users, less benefit than expected
Action: Allow all printing characters plus space
Rationale: Maximum freedom in selection; no technical reason otherwise
Action: Allow Unicode characters
Rationale: Memorable passwords in all languages
Action: Very long maximum length
Rationale: Encourage long passwords, passphrases
Frustration vs. Security
Recommend use of a blacklist for common passwords
Unfortunately not very transparent
Frustrated users make bad choices
[Figure: weak passwords allowed and frustrated users, each plotted against blacklist size]
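The two preceding slides describe a verifier-side policy: no composition rules, any printing character plus space and Unicode accepted, a long maximum, and a blacklist of common passwords. The following Python is an added illustration of that policy, not code from the talk or from NIST; the 8/64 length bounds are the ones SP 800-63B gives, the blocklist is constructed for the example, and the legacy_composition_rules function is a hypothetical stand-in for the rules the slide says to drop.

```python
import unicodedata

# Length bounds taken from SP 800-63B section 5.1.1.2: a subscriber-chosen
# memorized secret must be at least 8 characters, and verifiers should
# permit at least 64. 64 is used here as the maximum for the example.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed blocklist for this example. A real verifier loads a list of
# commonly used, expected, or compromised passwords instead.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "123456789", "qwertyuiop",
}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization before checking or hashing, so the
    same password typed on different keyboards or platforms compares equal
    at enrollment and at login (SP 800-63B permits NFKC or NFKD)."""
    return unicodedata.normalize("NFKC", secret)


def legacy_composition_rules(secret: str) -> bool:
    """Hypothetical example of the rules the slide says to get rid of:
    require an upper-case letter, a lower-case letter, a digit and a symbol.
    Shown only for contrast; it rejects long passphrases yet accepts
    'P@ssw0rd'."""
    return (any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() and not c.isspace() for c in secret))


def check_memorized_secret(secret: str, blocklist=BLOCKLIST):
    """Verifier-side acceptance check following the slide's recommendations.
    Returns (accepted, reason). There are no composition rules: any printing
    character, the space, and Unicode in any script are accepted; only
    length and the blocklist can reject a candidate."""
    s = normalize(secret)
    n = len(s)  # counted in code points after normalization
    if n < MIN_LENGTH:
        return False, f"too short: {n} characters, need at least {MIN_LENGTH}"
    if n > MAX_LENGTH:
        return False, f"too long: {n} characters, limit is {MAX_LENGTH}"
    # Reject control characters (Unicode category Cc) such as tab or newline;
    # everything else, including emoji and non-Latin scripts, is printing.
    if any(unicodedata.category(ch) == "Cc" for ch in s):
        return False, "control characters are not allowed"
    # Case-insensitive comparison against the blocklist. The slide notes this
    # is the least transparent step for users, so the reason string says
    # plainly why the candidate was refused.
    if s.casefold() in blocklist:
        return False, "this password is on the list of commonly used passwords"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "P@ssw0rd",
                      "contraseña fácil de recordar", "short"]:
        ok, why = check_memorized_secret(candidate)
        print(f"{candidate!r}: legacy rules={legacy_composition_rules(candidate)}, "
              f"new check={ok} ({why})")
```

Note the contrast the sample run shows: the passphrase fails the legacy rules but passes the new check, while "P@ssw0rd" satisfies every legacy rule and is refused only because it is on the blocklist.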
Password Visibility
Passwords are obscured to inhibit “shoulder surfing”
Makes correct entry more difficult, and often there is no shoulder-surfing threat
Recommend making passwords visible on request
Future browser feature??
Pasting
Some sites disallow pasting:
<input type="text" onpaste="return false">
Also disables password managers
Done to enhance security, but probably encourages weaker passwords
SP 800-63B discourages blocking pasting
Other Authenticators
Look-up Secrets
List of machine-generated one-time secrets
Not intended for memorization: typically more complex
Less usable/accessible because they require manual transcription, subject to misread/mistyping
Cheap and very suitable as a backup authenticator
Out-of-Band
Requires a separate communication channel, usually a separate device
Availability: cell phone service is not always available
Accessibility: Usually requires transcription of a secret from one device to another, often time-limited
Single-factor One Time Password (OTP)
Requires transcription from device to login session
Time-based OTP imposes a time limit on this process
Photo credit: Wikimedia Commons
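The time limit the slide refers to is the TOTP step: the displayed code changes every 30 seconds, and a user who reads it late may finish typing after it has rolled over. The following Python is an added example, not code from the talk; it implements RFC 4226/6238 HOTP/TOTP with the standard library and shows the verifier-side accommodation, accepting the previous step's code, using the RFC test-vector secret. The function names and the window parameter are choices made for this example.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1 and dynamic
    truncation; TOTP is HOTP with the counter derived from the clock."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = TIME_STEP) -> str:
    """Code the user's device displays at Unix time `at`."""
    return hotp(key, at // step)


def seconds_remaining(at: int, step: int = TIME_STEP) -> int:
    """How long the displayed code stays current. This is the transcription
    deadline the slide refers to: at `at` = 59 the user has one second left
    before the device rolls over to the next code."""
    return step - (at % step)


def verify_totp(key: bytes, submitted: str, at: int,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Verifier-side check. Besides the current step it accepts the code
    from up to `window` previous steps, so a user who read the code just
    before it rolled over and typed it slowly is not rejected. Widening the
    window further trades brute-force surface for usability, and a real
    verifier also records the last accepted step so a code cannot be reused."""
    current = at // step
    for drift in range(window + 1):  # drift 0 is the current step
        expected = hotp(key, current - drift).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret, in ASCII
    key = b"12345678901234567890"
    code = totp(key, 59)
    print("code at t=59:", code, "seconds left:", seconds_remaining(59))
    print("submitted at t=89 (next step):", verify_totp(key, code, 89))
    print("submitted at t=119 (two steps later):", verify_totp(key, code, 119))
```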
Multi-factor OTP
Requires transcription of secret from authenticator to login session
Typing on small device may be challenging
Photo credit: HID
Cryptographic Software Authenticators
Example: client certificate (with or without passphrase)
Process for installation of authenticator on user device should be considered
Authenticators need to be organized for identification
Single-factor Cryptographic Device
Availability: Requires an interface (e.g., USB) to connect to authenticating device
Location of some ports is inconvenient for pushing the button
Photo credit: Yubico
Multi-factor Cryptographic Device
Availability: Requires an interface or adapter to connect to authenticating device
About Biometrics…
Need to reproduce conditions of enrollment
Choice of finger (fingerprint)
Lighting conditions (iris)
Facial hair, expression, glasses (face)
Many modalities (fingerprint, iris, etc.) are not usable by some people
Generally considered convenient to use, but familiarity is important
Summary
There isn’t a perfect authenticator, from either a usability or security standpoint
Services should support a variety of ways to authenticate and to enroll multiple authenticators per user
Identity Proofing
Enrollment process: establishing that a digital identity corresponds to a specific individual
Generally done only once at enrollment, but may be repeated if all authenticators are lost
May be done in-person (preferred) or remotely
Less sensitive to convenience, but more sensitive to accessibility (disabled, homeless, etc.)
Questions?