
Page 1: Usability and Security - vurore.nl

Usability and Security

University: Vrije Universiteit Amsterdam Faculty of Economics and Business Administration Postgraduate program: IT Audit De Boelelaan 1105 1081 HV Amsterdam

Authors: Andrew Cheung Terren Chong

Team: 829 Date: March 31st 2008

Thesis coordinator VU: J. Steen, Vrije Universiteit Amsterdam Mentor: J.G.G.V. van den Boom, Ernst & Young EDP Audit

University coach: E. Koning, DNB


ABSTRACT

In the modern multi-user computer environment, Internet-capable networks provide connectivity that allows a large portion of the user population to access information from sources around the world. Because of the ease with which information can be accessed, computer security breaches may occur unless systems are restricted and the information stored therein is kept secure. Breaches of security can have serious consequences, including theft of confidential corporate documents, compromise of intellectual property, unauthorized modification of systems and data, and denial of service, among others. Considerable research has been conducted on threats to security. Numerous sophisticated security methods have been developed, many of which rely on individuals to implement and use them correctly. Despite the apparent influence of usability, surprisingly little research has been conducted on the relation between usability and the degree of security provided by the various information security methods. In this thesis, we review the various information security methods that are used, appraise the usability issues and map the relationship between these two aspects.


ACKNOWLEDGMENTS

This thesis covers the third and final year of the postgraduate program and is based on the work of an Executive Master in IT Auditing thesis in the Faculty of Economics and Business Administration of the Vrije Universiteit Amsterdam. It is a pleasure to thank the many people who made this thesis possible. To start with, we would like to thank our university coach, Evert Koning, and our mentor, Guill van den Boom, who throughout the thesis-writing period provided sound advice and explained things clearly and simply. We would also like to thank our interviewees, Eric Velleman and Martin Wijnmaalen, for their time and good input. Last but not least we would like to thank Rene Bestebreurtje for his good teaching, ideas and encouragement. The Hague, March 31st 2008


CONTENTS

Introduction 1
1.1 Objective 1
1.2 Research question 1
1.3 Research scope 2
1.4 Research method 2
1.4.1 Literary study 2
1.4.2 Case study 2
1.4.3 Interviews 3
2 Literary study 3
2.1 What is usability? 3
2.1.1 Definitions 3
2.1.2 Definition used 4
2.1.3 Usability components 5
2.2 What is security? 5
2.2.1 Definitions 6
2.2.2 Definition used 6
2.2.3 Security requirements 6
2.2.4 Risk assessment 6
2.2.5 Security risks and controls 7
2.2.6 Access control 8
3 Case study 8
3.1 Description of research 8
3.2 Authentication in general 9
3.3 Authentication mechanisms 9
3.3.1 Passwords 9
3.3.2 Challenge questions 12
3.3.3 Tokens 16
3.3.4 Biometrics 18
4 Interviews 23
5 The optimal balance between usability and security 23
5.1 More secure authentication 24
5.2 More usable authentication 24
6 Conclusion 25
7 Reflection 26
Appendix 28
Interview with Martin Wijnmaalen (agreed on 25 March 2008) 28
Interview with Eric Velleman 29
Sources 30


Introduction

Developments in Information Technology (IT) are continually accelerating. Management is faced with complicated technologies which, directly or indirectly, support the business processes in the organization. It is the responsibility of management to decide on the level, nature and extent of the measures that need to be taken. In doing so, two aspects play an important role. On the one hand, the organization wants an automated system to support the business in its day-to-day activities in such a way that the business is very willing to use this system. From that point of view, the system must be user-friendly. This user-friendliness is strongly determined by a number of specific characteristics of a system: 'Gewin' (perceived pay-off), 'Gemak' (the level of difficulty or discomfort when making use of the system) and 'Genot' (subjective personal interest in and response to the system). On the other hand, from a security perspective a system must be robust, which means that it behaves 'reasonably' even in circumstances that were not anticipated in the requirements specification. This means, however, that measures should be taken which by definition are not user-friendly. It is therefore important that a proper balance is struck between these two principles and that management carefully considers the implementation of the measures that need to be taken.

1.1 Objective

Many people believe that there is an inherent tradeoff between security and usability. A computer without passwords is usable, but not very secure. On the other hand, a computer that makes you authenticate every five minutes with a password length of eight characters might be very secure, but nobody would want to use it. The purpose of this thesis is to research the relationship between usability and security. The intent is to set usability and security against one another and map out the relationship between these two aspects for different authentication mechanisms on a “high, moderate and low” scale.

1.2 Research question

The main research question runs as follows: "To what extent is it possible to have a sufficient level of security, without losing usability?" In order to answer the main research question, the following sub-questions need to be considered:
• What is usability?
• What is security?
• What is the relationship between usability and security?
• How will the relationship between usability and security develop in the coming years?


1.3 Research scope

The research questions formulated above limit the scope of the thesis to a large extent. The two main subjects discussed in this thesis are usability and security:

1. Security; here we focus on techniques for identifying and authenticating computer users to systems, both local and remote, namely passwords, mechanisms with a challenge question, tokens and biometrics. These authentication mechanisms are commonly used to protect physical and logical access;

2. Usability; here we focus on the usability issues associated with each of the authentication mechanisms. The human-interaction-processing (‘human factor’) characteristics will not come up for discussion in this thesis. However, where necessary it will be outlined as many authentication mechanisms require cognitive activity.

1.4 Research method

1.4.1 Literary study

The purpose of the literary study is to obtain more information about the subject and to help find answers to the research questions. We will carry out a literary study on usability and security and the techniques for identifying and authenticating computer users to systems. The literary study will also serve as a basis for performing different case studies and interviews. Studies will be performed in relation to:
• Usability;
• Security;
• Authentication techniques;
• Relationship between usability and security;
• Latest trends and developments on the subjects mentioned above.
During the whole process we will make use of various types of literature such as:
• Books;
• Scholarly journals;
• Whitepapers and fact sheets;
• Articles;
• Research studies.

1.4.2 Case study

The case study is an in-depth, longitudinal examination of different events and will allow us to gain a sharpened understanding of why the instance happened as it did, and what might become important to look at more extensively in future research. The case studies will cover topics on the different types of authentication mechanisms as defined in our research scope and also the usability issues associated with each. These ‘real world’ examples allow the application of theoretical concepts to be demonstrated, thus bridging the gap between theory and practice. This will help us understand the relationship between usability and security and the common problems encountered in practice.

1.4.3 Interviews

We will conduct interviews to obtain more insight on how usability and security are dealt with in practice. We will ask a few questions on the subjects as defined in our research scope, and permit the interviewee to talk freely. We will only intervene to refocus the discussion or probe for additional insight into the key areas (passwords, challenge questions, tokens and biometrics). Because we are choosing to interview people with different backgrounds and experience, it is important to obtain insight from different perspectives and what is important to them.

2 Literary study

2.1 What is usability?

Usability has many different definitions. The English term usability is well established (at least in the computer field) when it comes to the usability of software interfaces and websites. The objective of usability is to enable users to achieve goals and meet needs in a particular context of use.

2.1.1 Definitions

We have seen in the literature that the term usability has been used broadly and is defined in different ways:
• ISO (the International Organization for Standardization), a worldwide federation of national standards bodies, defines usability as: “Extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use”1. To obtain a better understanding of the definition it can be broken down into different ‘components’ for which the following definitions apply:
– product: part of the equipment (hardware, software and materials) for which usability is to be specified or evaluated;
– user: person who interacts with the product;
– goal: intended outcome;
– effectiveness: accuracy and completeness with which users achieve specified goals;
– efficiency: resources expended in relation to the accuracy and completeness with which users achieve goals;
– satisfaction: freedom from discomfort, and positive attitudes towards the use of the product;
– context of use: users, tasks, equipment (hardware, software and materials), and the physical and social environments in which a product is used.

• Nielsen (1993) points out that usability is a quality attribute that assesses how easy user interfaces are to use. The word "usability" also refers to methods for improving ease-of-use during the design process. According to Nielsen, usability is defined by five quality components: learnability, efficiency, memorability, errors, and satisfaction2;

• Shackel (1991) reports that the definition of usability was probably first attempted by Miller (1971) in terms of measures for “ease of use”. The concept of usability was first fully discussed and a detailed formal definition was attempted by Shackel (1981), in which he defines usability as: the capability in human functional terms to be used easily and effectively by the specified range of users, given specified training and user support, to fulfil the specified range of tasks, within the specified range of environmental scenarios3;

• Booth (1989) outlines that usability has four factors: usefulness, effectiveness (ease of use), learnability, and attitude (likeability)4;

• Brinck, Gergle, and Wood (2002) share a similar perspective that usability is: functionally correct, efficient to use, easy to learn, easy to remember, error tolerant, and subjectively pleasing5;

• Hix and Hartson (1993) classify usability into initial performance, long-term performance, learnability, retainability, advanced feature usage, first impression and long-term user satisfaction6;

• In addition to the views mentioned above, Gould (1988) breaks usability down into more components, including system performance (reliability, responsiveness), system functions, user interface, reading materials, language translation, outreach program, ability for customers to modify and extend, installation, field maintenance and serviceability, advertising, and support group users7.

2.1.2 Definition used

As mentioned in the previous paragraph, the term usability is used broadly and is defined in different ways. We have seen that authors and organizations in the usability community have different opinions and perceptions on what they consider to be a useful attribute, aspect or, as some of them call it, component. We are able to conclude that there is clearly an overlap between the various definitions. Some attributes have the same meaning but are described using other words, e.g. “satisfaction” and “long-term user satisfaction”, or “efficiency” and “efficient to use”. Furthermore we noticed that “efficiency” is also one of the quality aspects as defined by NOREA. For our thesis we will use the definition given by ISO which, besides being a standard adopted by an international standards organization, suits the purpose of the research question in this thesis. Effectiveness, efficiency and satisfaction can be specified for different goals1:

| Usability objective | Effectiveness measures | Efficiency measures | Satisfaction measures |
|---|---|---|---|
| Overall usability | Percentage of goals achieved | Time to complete a task | Rating scale for satisfaction |
| | Percentage of users successfully completing the task | Tasks completed per unit time | Frequency of discretionary use |
| | Average accuracy of completed tasks | Monetary cost of performing the task | Frequency of complaints |

Table 1: Examples of measures of usability


2.1.3 Usability components

In order to specify or measure usability it is necessary to identify the goals and to decompose effectiveness, efficiency and satisfaction and the components of the context of use into sub-components with measurable and verifiable attributes. The framework on the next page illustrates the components of usability and the relationship between them1.

Figure 1: Usability framework

When specifying or measuring usability the following information is needed:
• a description of the intended goals: this includes the criteria that would satisfy the intended goals;
• a description of the components of the context of use, including users, tasks, equipment, and environments: this may be a description of an existing context, or a specification of intended contexts;
• target or actual values of effectiveness, efficiency, and satisfaction for the intended contexts: measures of effectiveness relate the goals of the user to the accuracy and completeness with which these goals can be achieved, measures of efficiency relate the level of effectiveness achieved to the expenditure of resources, and measures of satisfaction relate the extent to which users are free from discomfort and their attitudes towards the use of the product.

2.2 What is security?

When we talk about security in this thesis, we refer to information security. Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. Defining, achieving, maintaining, and improving information security is essential to maintain competitive edge, cash flow, profitability, legal compliance, and commercial image.


2.2.1 Definitions

Like usability, we have seen that information security in the literature has been used broadly and is defined in different ways:
• Preservation of confidentiality, integrity and availability of information8;
• Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption9;

• The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction10;

• Simply put, information security describes all measures taken to prevent unauthorized use of electronic data whether this unauthorized use takes the form of disclosure, alteration, substitution, or destruction of the data concerned11.

2.2.2 Definition used

For uniformity we use the ISO definition of information security in this thesis, which is defined as the: “preservation of confidentiality, integrity and availability of information”8. These three aspects are further defined as:
• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes;
• Integrity: the property of safeguarding the accuracy and completeness of assets;
• Availability: the property of being accessible and usable upon demand by an authorized entity.

2.2.3 Security requirements

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. To establish these security requirements, organizations can refer to different sources8. One source is derived from assessing risks in the organization by means of a risk assessment. Another source is the legal, statutory and regulatory requirements that an organization has to satisfy. A further source is the particular set of principles, objectives and business requirements for information processing that an organization has developed to support its operations.

2.2.4 Risk assessment

Risk assessments include the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the estimated risks against risk criteria to determine the significance of the risks8. Performing a risk analysis within an organization can be done by means of a standardized approach or a custom approach12. An example of a standardized approach is the code of practice for information security management. The use of this method is simple and standardized, and the results can be compared to the norm. We can divide the approach into the following categories12:
• Quick scan, by means of external standard questionnaires. The starting point is compliance with generally accepted standards;
• Baseline checklist, where checklists are used to verify whether the organization's own baseline requirements are met. The baseline is the system of internal security measures of the entire organization.
A custom approach is a more profound approach where controls can be determined in detail. In addition it gives the organization a profound understanding of the dependencies and vulnerabilities of its IT environment. We can distinguish between a qualitative and a quantitative risk analysis12. An example of a qualitative risk analysis is the so-called “Afhankelijkheids- en Kwetsbaarheidsanalyse” (A&K-analyse, dependency and vulnerability analysis), where four logical steps (1) inventory, 2) dependency analysis, 3) vulnerability analysis and 4) result) are performed to map out the dependencies and vulnerabilities. The business requirements are the central point and are translated into the requirements of the information systems that support the business processes13. The most profound form of risk analysis is the quantitative risk analysis, which methodically follows a similar approach to the qualitative risk analysis. This form however seeks quantification, where risk is defined as: risk = probability of an incident × losses per incident12.

2.2.5 Security risks and controls

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results8. Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be classified in preventative controls, detective controls, repressive controls and corrective controls12 and can be selected from a standard or from other control sets8. New controls can also be designed to meet specific needs as appropriate8. The selection of security controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations.


2.2.6 Access control

The authentication mechanisms discussed in this thesis are commonly used to protect physical and logical access. Access to information, information processing facilities, and business processes should be controlled on the basis of business and security requirements8. The objective is to control access to information. One of the main reasons to have a variety of access-control types is to provide the organization with true defense in depth. Each control type provides a different level of protection and, because each level can be adapted to meet the needs of the organization, the security administrator has a very granular level of control over the security mechanisms. The best approach for organizations is to focus the bulk of their controls on prevention, because this allows the organization to stop a problem before it starts. The three access-control types are administrative, technical, and physical controls14:
1. Administrative controls are the policies and procedures implemented by the organization. Preventive administrative controls can include security awareness training, strong password policies, and robust pre-employment checks;

2. Technical controls are the logical controls you have put in place to protect the IT infrastructure. Technical controls include strong authentication (biometrics or two-factor), encryption, network segmentation, demilitarized zones (DMZs), and antivirus controls;

3. Physical Controls are the ones you can most likely see. These controls protect against theft, loss, and unauthorized access. Examples of physical access controls include guards, gates, locks, guard dogs, closed-circuit television (CCTV), and alarms.

3 Case study

3.1 Description of research

Most people are familiar with passwords as a form of authentication. Passwords and Personal Identification Numbers (PINs) are two examples of using "something you know" in order to authenticate. Biometrics, such as fingerprint or voice recognition, represent "something you are," and a physical token, such as a bank card, represents "something you have." These three "something" categories are the common means of classifying authentication techniques. As mentioned before, our research focuses on authentication mechanisms commonly used to protect physical and logical access. The authentication mechanisms discussed in this chapter are:
• Passwords;
• Challenge questions;
• Tokens;
• Biometrics.
We will discuss and analyze the case studies performed by others, focusing on the issues encountered in practice between usability and security, but will not conduct any field research ourselves. The intent is to set usability and security against one another and map out the relationship between these two aspects for passwords, challenge questions, tokens and biometrics on a “high, moderate and low” scale. Based on the definitions selected for usability (refer to paragraph 2.1.2) and security (refer to paragraph 2.2.2) we have made the following classification for our measurement scale:
• Usability, which consists of the aspects effectiveness, efficiency and satisfaction:
– High: all three aspects considered;
– Moderate: two aspects considered;
– Low: one or none considered.
• Security, which consists of the aspects confidentiality, integrity and availability:
– High: all three aspects considered;
– Moderate: two aspects considered;
– Low: one or none considered.

3.2 Authentication in general

Security systems are designed to let authorized people in (the permission problem), and to keep unauthorized people out (the prevention problem)15. This involves three distinct steps:
• Identification is the process of identifying yourself to an authentication service14;
• Authentication is a process where a person or a computer program proves their identity in order to access information16;
• Authorization is the act of granting a person or other entity permission to use resources in a secured environment17.
People authenticate themselves by what they know (memometrics)18, by what they recognize (cognometrics), by what they hold, or by what they are (biometrics). In the case of the first three, the system and the person share a secret (the authentication key)19. At enrollment, the user and the system agree on what the secret is; at authentication time, the system determines whether the person being authenticated has possession of the pre-agreed secret. If the user proves knowledge of the secret, the system will authenticate her. In the case of biometrics, the system records a digital representation of some aspect of a person's physiology or behavior at enrollment, and this is confirmed at authentication time.

3.3 Authentication mechanisms

3.3.1 Passwords

Passwords are a mechanism designed to authenticate a user; that is, to bind the identity of the user to an entity on the computer. A password is a sequence of characters that confirms the user's identity20. Using a user id and password is the most classic form of single-factor authentication. Remembering a single, frequently used password is a perfectly manageable task for most users. But most users today have many knowledge-based authentication items to deal with. We have multiple and frequently changed passwords in the work context, in addition to passwords and personal identification numbers outside work, some of which are used infrequently or require regular change. The limitations of human memory make it difficult for users to cope with the memory performance this requires. For example, it is hard for most people to remember:
• Complicated and/or complex passwords;
• Many different passwords;
• Passwords that change frequently;
• Passwords for systems that are used infrequently.
As a result, users behave in ways forbidden by most security policies:
• Users write passwords down21: externalizing items we have to remember is the most common way of dealing with memory problems. In office environments, users stick notes with passwords onto their screens, or maintain a list of current passwords on the nearest whiteboard. Similarly, many bank customers write their PINs on their cards. A less common remedy is to write or scratch the PIN on the ATM or its surroundings;
• Users share passwords with other users21: another common way of preventing loss of data due to the vagaries of human memory is by sharing the information widely, so if you cannot remember the password, you are likely to find a colleague who can;
• Users choose passwords that are memorable but not secure22 when the mechanism allows this. Many users choose passwords or PINs that are memorable but easy to crack (such as names of spouses or favorite sports stars, birth dates, 1234, 8888);
• Passwords may be transmitted23 over a network either in plaintext, or encoded in a way which can be readily converted back to plaintext;
• Passwords may be stored on a workstation23, server or backup media in plaintext, or encoded in a way which can be readily converted back to plaintext.

According to Thomas Baekdal: “Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones”24. According to Baekdal, passwords that are usable are in fact harder to hack (figure 2).


Figure 2: Hackability of types of passwords

To investigate the tradeoffs between security and memorability in a real-world context, an experiment was conducted involving 400 first-year students at the University of Cambridge25. The experiment compared the effects of giving three alternative forms of advice about password selection and measured the effect that this advice had on the security and memorability of passwords. The students were provided with an account on a central computing facility, using a user ID and a randomly generated initial password. The experiment produced the following findings and recommendations:
• Users have difficulty remembering random passwords;
• Instruct users to choose mnemonic-based passwords, as these are as memorable as naively selected passwords while being as hard to guess as randomly chosen ones;
• In applications where one user can be harmed by another user's negligence, screen users' password choices and reject weak ones;
• When devising your advice to users and writing your password-screening code, pay attention to password length but also to entropy per character.
The lessons learned from this experiment are that theoretical analysis does not guarantee the security of systems. It is often necessary to study systems as they are used in practice. Furthermore, what engineers expect to work and what users actually make work are two different things. Rigorous experimental testing of interface usability is one of the necessary ingredients for robust secure systems.
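As an added illustration of the last two recommendations (this is not code from the thesis or from the Cambridge study), the screener below rejects the memorable-but-weak choices listed earlier and scores a candidate on both length and estimated entropy per character. The deny-list, the sample candidates and the thresholds are constructed assumptions for the example.

```python
import math
import re

# Constructed deny-list standing in for the memorable-but-guessable choices
# the text mentions (1234, 8888, names). A production screener would load a
# cracking dictionary instead; these entries are only illustrative.
COMMON_WEAK = {"1234", "8888", "password", "qwerty", "letmein", "welcome", "admin"}

# Character classes and the size of the pool each one contributes.
# 33 is the number of printable ASCII punctuation characters.
_CLASSES = [
    ("lowercase", re.compile(r"[a-z]"), 26),
    ("uppercase", re.compile(r"[A-Z]"), 26),
    ("digits", re.compile(r"[0-9]"), 10),
    ("symbols", re.compile(r"[^a-zA-Z0-9]"), 33),
]

# Date-like strings such as 12-04-1985 or 1.4.85; birth dates are one of the
# weak choices named in the text.
_DATE_LIKE = re.compile(r"^\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}$")


def character_classes(pw: str) -> list:
    """Names of the character classes actually present in pw."""
    return [name for name, rx, _ in _CLASSES if rx.search(pw)]


def bits_per_char(pw: str) -> float:
    """Estimated entropy per character: log2 of the pool size implied by the
    classes used, i.e. what a uniformly random choice from that pool would
    give. Lowercase only yields ~4.7 bits; all four classes ~6.6 bits."""
    pool = sum(size for _, rx, size in _CLASSES if rx.search(pw))
    return math.log2(pool) if pool else 0.0


def screen_password(pw: str, min_length: int = 8, min_bits_per_char: float = 5.0,
                    min_total_bits: float = 40.0):
    """Screen a candidate password.

    Returns (accepted, total_bits, reasons). The thresholds are assumed
    values chosen for this illustration: 5 bits per character rejects
    single-class passwords however long they are, and 40 total bits rejects
    short ones even when they mix classes.
    """
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"length {len(pw)} is below the minimum of {min_length}")
    if pw.lower() in COMMON_WEAK:
        reasons.append("appears on the common-password list")
    if pw.isdigit() or _DATE_LIKE.match(pw):
        reasons.append("digits only or date-like (PIN, year or birth date)")
    if pw and len(set(pw)) * 2 < len(pw):
        reasons.append("too repetitive: fewer than half of the characters are distinct")
    bpc = bits_per_char(pw)
    total = bpc * len(pw)
    if bpc < min_bits_per_char:
        used = ", ".join(character_classes(pw)) or "none"
        reasons.append(f"{bpc:.2f} bits per character is below {min_bits_per_char} "
                       f"(character classes used: {used})")
    if total < min_total_bits:
        reasons.append(f"{total:.1f} total bits is below {min_total_bits}")
    return (not reasons), total, reasons


if __name__ == "__main__":
    # Constructed candidates: two PIN-style choices, a long but single-class
    # word, a mnemonic built from the made-up sentence "My dog Rex was born
    # in 2005 in Delft", and a random mixed-class string.
    for candidate in ["1234", "8888", "sunshine", "MdRwbi2005iD", "xK9#mQ2p"]:
        accepted, total, reasons = screen_password(candidate)
        verdict = "accepted" if accepted else "rejected"
        print(f"{candidate!r}: {verdict}, {total:.1f} bits")
        for reason in reasons:
            print(f"   - {reason}")
```

Note that "sunshine" meets the length rule but fails on entropy per character, which is exactly the case the recommendation warns a length-only check would miss.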

3.3.1.1 Recapitulation and analysis

Usability aspects:
• Effectiveness: the users’ goal with effectiveness is to log into the system accurately and completely; this is not the case if the password complexity is set at the highest category. Thus this aspect is considered in the low, moderate-low and moderate-high password complexity categories;
• Efficiency: the users’ goal with efficiency is to log into the system accurately and completely using as few resources (e.g. time) as possible. Passwords in the ‘high’ password complexity category lead to “work-arounds” such as post-its with passwords on monitors, which in this case is very efficient for the user. In addition a lower category will lead to easy-to-remember passwords, thus more efficiency. Therefore this aspect is considered in all password complexity categories;
• Satisfaction: the users’ goal with satisfaction is a positive attitude towards the use of the system, in this case logging into the system without encountering any discomfort. An example of discomfort would be a user trying to log into a system, assuming that the password is correct, when the password is actually incorrect. Thus this aspect is only considered in the low and moderate-low password complexity categories.


Security aspects:

• Confidentiality: in this aspect the property that information is not made available to unauthorized individuals is important. Passwords in the ‘high’ password complexity categories lead to behavior forbidden by many security policies, increasing the risk of the password being obtained by unauthorized individuals. This aspect is therefore only considered in the moderate-low password complexity category;
• Integrity: in this aspect the property of safeguarding the accuracy and completeness of assets is important. Passwords in the ‘high’ password complexity categories lead to “work arounds”, increasing the risk of the password being obtained by unauthorized individuals. This aspect is only considered in the moderate-low and moderate-high password complexity categories;
• Availability: in this aspect the property of being accessible and usable upon demand by an authorized user, in this case the system, is important. Passwords in the ‘high’ password complexity categories lead to “work arounds”, increasing the risk of the password being obtained by unauthorized individuals who can manipulate or remove data (= information) in the system, making the data unavailable. This aspect is therefore only considered in the moderate-low and moderate-high password complexity categories.

As discussed in this paragraph, the goal is to get access to the system by means of password security. We have seen that users need to cope with complicated and/or complex passwords for different systems. Forcing users to change their password periodically through the system makes it even more difficult for users to remember their password. Passwords for systems that are not used frequently are even more difficult to remember. Users therefore behave in ways forbidden by security policies and ‘best practices’. We have also seen that there are ways to use passwords that are both secure and usable, but this is often not supported by the system. Furthermore we think that the more complex and difficult to remember passwords are, the more ways users will find to make them more usable, thus decreasing the level of security. The table below illustrates the results of our classification based upon the analyses performed in this paragraph (usability and security aspects per password complexity category):

| Password complexity | Effectiveness | Efficiency | Satisfaction | Usability level | Confidentiality | Integrity | Availability | Security level |
|---------------------|---------------|------------|--------------|-----------------|-----------------|-----------|--------------|----------------|
| High                |               | X          |              | Low             |                 |           |              | Low            |
| Moderate-High       | X             | X          |              | Moderate        |                 | X         | X            | Moderate       |
| Moderate-Low        | X             | X          | X            | High            | X               | X         | X            | High           |
| Low                 | X             | X          | X            | High            |                 |           |              | Low            |

Table 2: Password levels

3.3.2 Challenge questions

Challenge questions are, amongst other uses, employed as an automated means of password or credential recovery. Recovery can be performed through a help-desk call or automatically, through confirmation of a user’s response to previously stored questions and answers. During recovery, the user is challenged with a question and is required to provide the correct answer. Challenge questions offer the same potential for abuse in case the system is not usable (e.g. writing down the password). And if not usable, users may also be unwilling or unable to recover automatically, thereby triggering more expensive, manual recovery. Thus, the security and usability of the system is a major concern. A poorly designed challenge question system can dramatically weaken the security of an otherwise strong password system26. With regard to the types of questions we are able to make a distinction between three types27:

• Fixed: the system provides a list of administrator-chosen questions to a user, where the user’s choice of question can only be taken “as-is” from this list;
• Open: a user has complete choice and control over the question; guidance on question construction may be provided to the user, but the user enters the question in free-form text;
• Controlled: a shorter list of general questions is constructed by the system manager. This inherently provides some guidance for the user (relative to an open question) and allows further personal customization.

According to Mike Just there are some issues related to the types of questions and answers27:

Types of questions

• Security: With a fixed question, users are prevented from poor question selection, e.g. “What color is my car?” This is a poor question since the resulting answer space is insecure, resulting from low entropy. Therefore a security advantage is provided since the likelihood of choosing a “bad question” is reduced. With an open question, users might select a question that is “bad”, though capable users are able to select more secure questions. Controlled questions offer a balanced alternative, helpful for question design in case an exhaustive list of suitable fixed questions cannot be constructed. However, controlled questions also share the weaknesses of open questions, as the question or hint entered by the user can be insecure;
• Usability: With fixed questions, users are not required to construct their own questions at registration. This offers both an advantage and a disadvantage depending on the ability and desire of a user to choose their own questions. An open question would offer similar disadvantages and advantages. As discussed above for the security issues, a controlled question allows some guidance to be provided for the user, in the form of a general yet partially focused question, while allowing some flexibility via customization. Repeatability and memorability of the hint are not a concern since the hint is shown to the user upon answer presentation.

Types of answers

A fixed answer set involves user selection of an answer from a preset list of answers. The other extreme is an open answer, which involves a user manually entering his response. Guidance may be provided as part of answer registration, but the answer is entered in free-form by the user. A subtle variation is a controlled answer, where the answer space is neither fixed nor open26:

• Security: With a fixed answer set, users are prevented from selecting insecure answers. With open answers, a larger variation in the answer space is provided, though for certain questions a user would be able to select highly probable answers. There does not seem to be any significant security advantage offered by using a controlled answer other than supporting a large answer space;
• Usability: With a fixed answer list, memorability and repeatability may be hampered if there is no unique answer to satisfy a user’s preference. With an open answer list, memorability and repeatability may be better than fixed, though also problematic if the registered answer is ambiguous. Controlled answers offer an alternative whereby a large answer space can be used, but control over the possible values improves repeatability.

To investigate the tradeoffs between the usability and security aspects of challenge question mechanisms, a challenge question system was designed in support of Canada’s Government OnLine solution26. Input to some of the design decisions came from a focus group consisting of 17 individuals from the general population that had Internet experience. The participants were provided with the following three types of questions:

• Question 1: consists of 15 fixed questions, where the focus group input was used to determine several of these questions. The corresponding answer is open, both at registration and recovery. Some of the fixed questions proposed for this fixed list included: "What was my first pet’s name?", "Where did I first meet my significant other?" and "What was the last name of my childhood best friend?";
• Question 2: consists of a controlled question, "Please choose a person who is memorable to you," and an open hint. Originally, a fixed hint was used, but participants were not comfortable with the choices it offered as they had difficulty mapping their desired hint to a single selection of a fixed hint;
• Question 3: consists of a controlled question, "Please choose a date that is memorable to you," and an open hint. The corresponding answer is controlled at both registration and recovery, consisting of drop-down selections for each of year, month, and day.
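Registration and recovery handling for the three answer types (fixed, open, controlled), including a controlled date answer of the kind Question 3 above uses, as an added example that is not code from the Government OnLine project or from the thesis. The preset answer list, the permitted year range, the PBKDF2 storage and the normalization rules are assumptions.

```python
"""Challenge-question answers of the three types the text distinguishes:
fixed (preset list), open (free text) and controlled (here, a date from
drop-downs). Added example; list, date range and normalization are assumptions."""
import hashlib
import hmac
import math
import re
import secrets
from datetime import date

# Constructed preset list for a fixed-answer question.
FIXED_ANSWER_CHOICES = ["north", "south", "east", "west"]
# Assumed drop-down range for the controlled date answer (year, month, day).
FIRST_YEAR, LAST_YEAR = 1900, 2008
PBKDF2_ROUNDS = 100_000


def normalize_open_answer(text: str) -> str:
    """Canonicalize free text so harmless variation at recovery ("Rex", " REX. ")
    still matches what was registered: better repeatability without widening
    the answer space much."""
    text = text.casefold().strip()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation
    return re.sub(r"\s+", " ", text)       # collapse whitespace


def canonical_date(year: int, month: int, day: int) -> str:
    """Controlled answer: validate the drop-down values and emit one canonical form."""
    if not FIRST_YEAR <= year <= LAST_YEAR:
        raise ValueError("year outside the permitted range")
    return date(year, month, day).isoformat()   # rejects impossible dates


def canonical_answer(answer_type: str, answer) -> str:
    if answer_type == "fixed":
        if answer not in FIXED_ANSWER_CHOICES:
            raise ValueError("answer must be taken from the preset list")
        return answer
    if answer_type == "open":
        return normalize_open_answer(answer)
    if answer_type == "controlled":
        return canonical_date(*answer)
    raise ValueError(f"unknown answer type {answer_type!r}")


def register(answer_type: str, answer) -> dict:
    """Store only a salted hash of the canonical answer, so a leaked recovery
    database does not reveal the answers themselves."""
    salt = secrets.token_bytes(16)
    canon = canonical_answer(answer_type, answer).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", canon, salt, PBKDF2_ROUNDS)
    return {"type": answer_type, "salt": salt, "hash": digest}


def verify(record: dict, answer) -> bool:
    """Recovery check; malformed answers fail closed instead of raising."""
    try:
        canon = canonical_answer(record["type"], answer).encode("utf-8")
    except (ValueError, TypeError):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", canon, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def answer_space_bits(answer_type: str):
    """Guessing space faced by someone with no knowledge of the user. The date
    drop-down gives roughly 15 bits: fine against random guessing across a
    population, weak against a targeted guess by someone who knows the user.
    Open answers have no fixed bound; their real strength depends on what users pick."""
    if answer_type == "fixed":
        return math.log2(len(FIXED_ANSWER_CHOICES))
    if answer_type == "controlled":
        days = (date(LAST_YEAR, 12, 31) - date(FIRST_YEAR, 1, 1)).days + 1
        return math.log2(days)
    return None


if __name__ == "__main__":
    rec = register("controlled", (1975, 3, 31))
    print("recovery with same date:", verify(rec, (1975, 3, 31)))
    print("controlled date space, bits:", round(answer_space_bits("controlled"), 1))
```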

The lessons learned from the focus group include the following:

• Although questions related to “first-time” events are good for repeatability, they can be more difficult for older users to recall;
• Regarding questions with calendar date answers, participants indicated an inability to recall more than a half-dozen dates. However, even in this situation, such a question offers strength against a random attack, while being more susceptible to a targeted attack. Thus, additional questions and/or complementary security techniques should also be used;
• Although participants indicated a preference for open questions, the candidate list of questions they provided confirmed the designers’ assumption that an insufficient level of security would be attained for open questions.

3.3.2.1 Recapitulation & analysis

In this paragraph we recapitulate and analyze the case study discussed above. In this analysis we assume that common users select bad questions and answers and that they prefer to choose themselves. Furthermore we assume that IT professionals select more secure questions and answers given their background. Hereafter, Question(s) and Answer(s) are abbreviated as ‘Q&A’.

Usability aspects:

• Effectiveness: the users’ goal with effectiveness is to recover credentials as accurately and completely as possible. Regardless of the Q&A type, the right answer always needs to be provided. Users can eventually call the department in question or the person responsible to retrieve their credentials, thus this aspect is always considered;
• Efficiency: the users’ goal with efficiency is to recover credentials as accurately and completely as possible, using minimal resources (e.g. time). Users prefer to choose easy to remember Q&A and have trouble remembering fixed Q&A types, and therefore prefer open Q&A types. This aspect is only considered in open and controlled Q&A types;
• Satisfaction: the users’ goal with satisfaction is a positive attitude towards the use of the system, in this case recovering credentials without encountering any discomfort. The fact that users prefer to choose and to be in control gives the most satisfaction during the whole process of the Q&A types. This aspect is therefore only considered in open and controlled Q&A types.

Security aspects:

• Confidentiality: in this aspect the property that information is not made available to unauthorized individuals is important. Having fixed Q&A types is the most secure, considering the fact that IT professionals select secure Q&A types. Users however choose “easy”/poor Q&A types, which are easily traceable/guessable. Thus this aspect is only considered in fixed Q&A types;
• Integrity: in this aspect the property of safeguarding the accuracy and completeness of assets is important. The fact that users choose “easy”/poor Q&A types that are easily traceable/guessable increases the risk of credentials being obtained by unauthorized individuals. This aspect is therefore considered in controlled and fixed Q&A types;
• Availability: in this aspect the property of being accessible and usable upon demand by an authorized user, in this case the ability to recover credentials and their availability to the right user, is important. The fact that users choose “easy”/poor Q&A types that are easily traceable/guessable increases the risk of credentials being obtained by unauthorized individuals who can manipulate or remove data (= information) in the system, making the data unavailable. This aspect is therefore considered in controlled and fixed Q&A types.

In this paragraph we have seen that there are three types of questions and answers, each with their own set of strengths and weaknesses. Fixed questions prevent users from poor question selection, and their usability depends on the ability and desire of the user to choose the right one. With open questions there is a risk that the user might choose a ‘bad’ question; this may differ depending on the user's background and knowledge. Controlled questions offer a balanced alternative but share the same weakness as the open question, which is the possibility of the question or hint being insecure. With regard to the three types of answers, we have seen that memorability and repeatability are an important factor in the type of answer that is selected. The table below illustrates the results of our classification based upon the analyses performed in this paragraph (usability and security aspects per type of Q&A):

| Type of Q&A | Effectiveness | Efficiency | Satisfaction | Usability level | Confidentiality | Integrity | Availability | Security level |
|-------------|---------------|------------|--------------|-----------------|-----------------|-----------|--------------|----------------|
| Fixed       | X             |            |              | Low             | X               | X         | X            | High           |
| Open        | X             | X          | X            | High            |                 |           |              | Low            |
| Controlled  | X             | X          | X            | High            |                 | X         | X            | Moderate       |

Table 3: Q&A levels


3.3.3 Tokens

In this paragraph the token authentication mechanism will come up for discussion. We will discuss two types of token-based authentication: tokens and One Time Password tokens, hereafter OTP. We have selected only these types of token-based authentication as they are the most commonly used.

Tokens have been used more commonly in the physical domain. Tokens can be used in a one-factor authentication process, e.g. swipe cards for door access. According to Sasse, this is a fairly weak mechanism since a token may be stolen or found by a potential attacker, who can use it until the loss/theft is discovered and the token is revoked28. Therefore, tokens are more often combined with another authentication mechanism; the combination of bank cards and PINs for ATMs is the most widely used.

OTP fall into the category of security devices that do not have to be plugged in29. Similar in shape to a small pocket calculator, OTP tokens display authentication data that users type in manually, and the authentication data changes each time a user authenticates. Such tokens, for example the SecurID, have been used, with apparent success, for remote access by financial institutions. On the other hand, the high cost of replacing lost tokens and/or lost working time has led companies in other sectors to abandon them28. The SecurID by RSA is one way of significantly reducing the risk of using passwords. Unlike passwords, which are changed every 60-90 days or longer, a SecurID token works differently. On the small screen of the key fob the user carries are numbers that change every 60 seconds. The numbers displayed on the screen appear random to the end user but are generated by a mathematical algorithm that is known only to the enterprise security server30. There are however weaknesses in using only this approach.
For instance, if someone is able to steal or fraudulently obtain the key fob and they also know the user's ID, then they will be able to successfully masquerade as that identity30. According to Anderson, token-based authentication requires token construction and distribution, which is far from trivial and has led to documented financial loss31. The token must be physically presented to the computer system, which requires additional hardware for reading the token. Both token and token reader cost money, and a reader must be available at every point a user might be authenticated. As the costs of tokens and readers decrease, this will become less of an issue. However, presentation of a valid token does not prove ownership; the token may have been stolen. And although a token may be hard to forge, that does not mean it is impossible or uneconomic to do so32. Without two-factor authentication, stealing the device would allow an attacker to impersonate the owner of the device; with two-factor authentication, the attacker would still have another authentication burden to overcome33.

The city of Turin undertook a trial to perform the first large-scale attempt to issue smartcards to citizens for access to services and payment of local taxes (Torinofacile 2003). Based on 2,655 smartcards issued, the number of tokens that were lost in the post/stolen in the first six months was low (16). The majority of citizens who registered for the card were male, well educated and aged between 19 and 45; the number of cards issued to males was three times higher than for female citizens. Since most home and small business PCs are currently not fitted with smartcard readers, the trial issued digital certificates for users who needed them. The initial phase saw a high number of calls to the helpdesk, the majority of which (83) were due to problems with using these digital certificates.
The second most frequent problem was that personal details registered about the owners of the cards were incorrect. These insights offer some pointers as to the logistical aspects and the costs that are likely to be associated with issuing such tokens to a large number of citizens. At the same time, small businesses, sole traders and professionals report significant time savings and benefits from online access and payments compared to paper-based systems and access restricted to office hours. Smartcards can offer additional usability benefits: once the login procedure is completed, the token can be used to carry sessions from one machine to another, thus removing the need to log out or lock the screen when leaving the machine unattended for brief periods. They can also offer additional security features for applications such as credit cards. One usability concern arising from the increasing popularity of tokens is that users may end up being ‘weighed down’ by a collection of tokens that they find hard to manage. There are two possible ways in which this might be prevented28:

• Single tokens carrying multiple credentials. A single token, such as a smartcard, could be used to store users’ credentials for multiple systems. The single token could either store data for multiple identification and verification mechanisms operated by different organizations (providing the user with a personal ‘credential/password manager’), or have a single strong verification (providing the user with a ‘magic key’). Both approaches would require an open standard for credentials, and the second would also require agreement on a single form of authentication and a high degree of trust between participating organizations. The ‘magic key’ model would create less work for the user, but also create a single point of attack;
• Miniaturization of tokens. Organizations continue to issue their own tokens and decide their own access control mechanisms, but the tokens are so small (for example, RFID chips) that users can keep all of their tokens on them at all times, for example in a smartcard-type device to which individual chips can be added.
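The key-fob model described earlier in this paragraph (a code that changes every 60 seconds, accepted only together with something the user knows), as an added example of the server-side check; it uses the open HMAC-based TOTP construction of RFC 6238, not RSA's proprietary SecurID algorithm, and the user record, shared secret and PIN are constructed. Nothing here is code from the thesis or from RSA.

```python
"""Server-side check of a time-synchronized one-time password plus a PIN, with a
60-second step as in the key-fob description. Added example using the RFC 6238
(TOTP) construction, not the SecurID algorithm; secret, user and PIN are constructed."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the code on the fob changes every 60 seconds
DIGITS = 6
DRIFT_STEPS = 1     # accept one step either side to tolerate fob/server clock drift

# Constructed server record: the shared secret exists only here and inside the fob.
USERS = {"acheung": {"secret": b"constructed-secret-for-the-example", "pin": "2468"}}


def otp_at(secret: bytes, counter: int) -> str:
    """Code for one time step: HMAC-SHA1 over the step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def token_display(secret: bytes, now: float) -> str:
    """What the fob shows at wall-clock time `now` (seconds since the epoch)."""
    return otp_at(secret, int(now) // STEP_SECONDS)


def verify_login(user_id: str, pin: str, code: str, now: float, used: set) -> bool:
    """Two-factor check: the PIN (something you know) and the fob code (something
    you have) must both be right. A code that was already accepted is refused,
    so a code seen once cannot be replayed within its validity window."""
    record = USERS.get(user_id)
    if record is None or not hmac.compare_digest(record["pin"], pin):
        return False
    current = int(now) // STEP_SECONDS
    for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if (user_id, step) in used:
            continue
        if hmac.compare_digest(otp_at(record["secret"], step), code):
            used.add((user_id, step))
            return True
    return False


if __name__ == "__main__":
    secret = USERS["acheung"]["secret"]
    shown = token_display(secret, time.time())
    print("fob shows:", shown)
    print("login:", verify_login("acheung", "2468", shown, time.time(), set()))
```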

3.3.3.1 Recapitulation & analysis

Usability aspects:

• Effectiveness: the users’ goal with effectiveness is to get access to a building or remote access as accurately and completely as possible. If the token does not work, the user is able to get it solved by the department in question or person responsible. With regard to an OTP, users in most cases receive a new token when having problems connecting. However, in a normal situation this aspect is applicable to both types. This aspect is therefore considered when using tokens and OTP;
• Efficiency: the users’ goal with efficiency is to get access to a building or remote access as accurately and completely as possible, using minimal resources (e.g. time). Users are able to use tokens for physical access, using the swipe principle. With regard to an OTP token, a user needs to remember his/her key fob and enter the code which is indicated on the screen of the OTP token. In this case both are efficient to use. This aspect is therefore considered when using tokens and OTP;
• Satisfaction: the users’ goal with satisfaction is a positive attitude towards getting access to a building or remote access, without encountering any discomfort. Users use the token for physical access and OTP for remote access. If the token does not work, the user is able to get it solved by the department in question or person responsible within an acceptable timeframe. With regard to an OTP, users in most cases receive a new token when having problems connecting, and thus will not be able to get remote access in the meantime. This aspect is therefore only considered for tokens.


Security aspects:

• Confidentiality: in this aspect the property that information is not made available to unauthorized individuals is important. When a token gets lost or stolen, the risk of unauthorized individuals getting access to a building increases. In the case of an OTP, an unauthorized user would still require the key fob and user ID to obtain remote access. This aspect is therefore considered when using OTP;
• Integrity: in this aspect the property of safeguarding the accuracy and completeness of assets is important. When a token gets lost or stolen, the risk of unauthorized individuals getting access to a building increases. In the case of an OTP, an unauthorized user would still require the key fob and user ID to obtain remote access. This aspect is therefore considered when using OTP;
• Availability: in this aspect the property of being accessible and usable upon demand by an authorized user, in this case getting access to a building or remote access, is important. When a token gets lost or stolen, the risk of unauthorized individuals getting access to a building increases. In the case of an OTP, an unauthorized user would still require the key fob and user ID to obtain remote access. This aspect is therefore considered when using OTP.

In this paragraph we have seen that tokens are primarily used in a one-factor authentication process for physical domains, e.g. swipe cards for door access. This is considered a weak mechanism, as a valid token can be stolen and does not prove ownership. OTP such as the SecurID is one way of significantly reducing the risk of using passwords. The chance of someone stealing or fraudulently obtaining the key fob and also knowing the user's ID, so as to successfully masquerade as that identity, is considered unlikely. The table below illustrates the results of our classification based upon the analyses performed in this paragraph (usability and security aspects per type of token):

| Type of token | Effectiveness | Efficiency | Satisfaction | Usability level | Confidentiality | Integrity | Availability | Security level |
|---------------|---------------|------------|--------------|-----------------|-----------------|-----------|--------------|----------------|
| Token         | X             | X          | X            | High            |                 |           |              | Low            |
| OTP token     | X             | X          |              | High            | X               | X         | X            | High           |

Table 4: Token levels

3.3.4 Biometrics

In this paragraph the biometric authentication mechanism will come up for discussion. We will discuss handprint, fingerprint, retina, iris and face as biometric-based authentication. We have selected only these types of biometric authentication mechanisms as they are the most commonly researched.

Biometrics are automated methods of identity verification or identification based on the principle of measurable physiological or behavioral characteristics such as fingerprints, hands, and the patterns of retinas, veins, irises and faces. Behavioral biometric techniques include those based on voice, signature and typing behavior. These biometric approaches follow a similar operation: a digital template is created during an enrollment process; the template is stored in a database or in some cases on the chip of a card. On attempted verification, the relevant template is extracted and compared with the data input, say in the form of a fingerprint or an acquired iris image, for positive identification. Each technique has its own unique set of advantages and disadvantages. Cost, size, and method of use often dictate applicability to any given situation. Fingerprints, retinal scanning and iris scanning are the only biometric types that can accurately identify an individual. Biometric technologies have a wide range of accuracy, reliability, and usability. Thus, despite the difficulty in comparing biometrics, they will always have some accuracy versus usability balance that can be compared with other technologies34.

With regard to the security aspects of biometrics: incorporating biometric techniques into the organization's security architecture may increase information security by eliminating the ability to share passwords and by making it much more difficult to counterfeit or steal the security key. The specific level of security provided by a device also depends on the number of “reference points,” which are the individual metrics taken in each scan35. According to Purnell & Marks, iris scanners capture 200+ reference points while fingerprint readers typically capture around 80. Furthermore, the effectiveness of the reference points also depends on the algorithms used. More reference points can mean more false negative identifications35; that is, better accuracy might result in rejecting the right individual. While more reference points theoretically mean a better “signature,” it can also mean that there are more chances for failure in the secondary scan. In relation to this, if the individual using the device is not positioned correctly, the scanner may not pick up each reference point properly. The sensitivity settings on a device control whether it will err on the side of caution (rejection) or convenience (acceptance)35. The accuracy of many biometric systems is still not high enough for some applications, e.g. negative identification or matching against a very large database36.

Facial recognition systems are often used to create a manageable subset of possible identities, which must then be scrutinized by a human observer. Thus, facial systems may not be suitable for real-time identification37. The actual performance of these devices is typically measured in terms of two measures34:

• False accept rate (FAR): the likelihood that the wrong person will be able to access the system;
• False reject rate (FRR): the likelihood that a legitimate person will be denied access.

Setting the sensitivity too high can result in too many false rejections (a high FRR) and setting it too low can increase the false acceptance rate (FAR)35. Reported values for FAR and FRR are usually based on theoretical calculations performed with clean, high-quality data, instead of on actual observations and real-world performance34. The realized performance may not be as good as the predicted performance. Performance estimates are often far more impressive than actual performance38. Many systems do not live up to expectations because they prove unable to cope with the enormous variations among large populations, or fail to take into account people’s needs and behaviors39.

Regarding the usability aspects of biometrics: various biometric sensors require more or less involvement of the users. An important aspect is the nature of the signatures collected, which impacts the ease of enrollment and implementation of the equipment35.
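Computing FAR and FRR from match scores and sweeping the decision threshold, as an added example of the sensitivity trade-off described above (and of why rates measured on clean data overstate field performance). The genuine and impostor scores are constructed for the example, not measurements from the thesis or its sources.

```python
"""FAR/FRR trade-off for a biometric matcher. Added example: the match scores are
constructed, not measurements from the thesis or its sources."""

# Constructed similarity scores in [0, 1]: genuine attempts (user against own
# template) and impostor attempts (user against someone else's template).
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.86, 0.93]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.28, 0.55, 0.63, 0.22, 0.47, 0.30, 0.70]


def far(impostor: list, threshold: float) -> float:
    """False accept rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: list, threshold: float) -> float:
    """False reject rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine: list, impostor: list) -> list:
    """(threshold, FAR, FRR) at every distinct operating point the data offers."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_point(genuine: list, impostor: list) -> tuple:
    """Operating point where FAR and FRR are closest (the usual headline figure)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(genuine: list, impostor: list, max_far: float):
    """Loosest setting that still keeps FAR within budget, and the FRR it costs:
    the 'err on the side of caution' choice the text describes."""
    for t, a, r in sweep(genuine, impostor):
        if a <= max_far:
            return t, r
    return None


def degraded(scores: list, penalty: float) -> list:
    """Simulate poor positioning or dirty sensors by lowering genuine scores.
    Used to show why field FRR is worse than figures derived from clean data."""
    return [s - penalty for s in scores]


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:9.2f}  {a:.2f}  {r:.2f}")
    print("equal error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    t, r = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"FAR<=0 needs threshold {t}; FRR clean={r:.2f}, "
          f"FRR degraded={frr(degraded(GENUINE_SCORES, 0.1), t):.2f}")
```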


The strengths, weaknesses and usability (area of use) of the various biometric form factors are outlined according to Wilson as follows40:

| Biometric   | Strength | Weakness | Usability (area of use) |
|-------------|----------|----------|-------------------------|
| Hand        | Small template (approximately 10 bytes); low failure to enroll rate; unaffected by skin condition | Physical size of acquisition device; physical contact required; juvenile finger growth; hampered by temporary physical injury | Physical access control; time and attendance |
| Fingerprint | Most mature biometric technology; accepted reliability; many vendors; small template (less than 500 bytes); small sensors that can be built into mice, keyboards or portable devices | Physical contact required (a problem in some cultures); association with criminal justice; vendor incompatibility; hampered by temporary physical injury | |
| Retina      | Stable over time; uniqueness | Requires user training and cooperation; high user resistance; slow read time; dependent on a single vendor’s technology | IS access control, especially for high security government agencies; physical access control (same as IS access control) |
| Iris        | Very stable over time; uniqueness | Potential user resistance; requires user training; dependent on a single vendor’s technology | |
| Face        | Universally present | Cannot distinguish identical siblings; religious or cultural prohibitions | Physical access control |

Table 5: Strengths, weaknesses and usability of various types of biometrics

Purnell & Marks also discuss the various types of biometrics and outline the following35:

• Handprint: usually most appropriate for fixed physical locations requiring very high assurance of identity, since it combines the hand biometric with essentially five different fingerprint biometrics. The security and reliability can be further enhanced by combining a handprint with any of the other form factors. However, handprint reader use for normal commercial and light industrial building access is waiting for identification algorithms to become reliable enough that building managers can stop issuing access cards;
• Fingerprint: involves a finger-size identification sensor with a low-cost biometric chip. Fingerprint provides the best option for most uses of biometric verification, especially attached to specific computer and network assets. The relatively small size and low cost allow sensors to be easily incorporated into devices, and they are fairly reliable;
• Retina: scanning involves examining the unique patterns on the back of a person’s eye. The retina is the part of the eye that translates light into the electrical impulses sent to the brain. Because of the complexity of current scanners, most retina biometric devices require a relatively large footprint. Most are still used to protect fixed physical assets. Using a retina scanner is also less convenient because the user must position himself or herself a certain distance away from the scanner and then rest his or her head on a support or look into a hood. This is necessary in order to effectively read the back of the eye;
• Iris: iris scanning is similar to retina scanning, but the scanner is looking at the unique patterns on a person’s iris. This is the “colored” part of the eye and is visible. A key benefit of iris over retina is that iris scanners do not need to be nearly as close to the eye and do not need the eye to be as precisely positioned;
• Face: recognition involves scanning the unique features of a person’s face. Because some aspects change over time, this is a less reliable form factor. Face recognition is less attractive for up-close verification than for long-distance identification. Once a person is close enough to a physical asset to get a high quality biometric scan, other form factors are viable and are currently much more reliable.

Wilson also outlines the usability (effort) and the security value for the different types of biometric form factors40:

Figure 3: Usability (effort) and security values

3.3.4.1 Recapitulation & analysis

Usability aspects:

• Effectiveness: the users’ goal with effectiveness is to get access to a system or building as accurately and completely as possible. Facial recognition is still not mature enough and handprints change over time (e.g. juvenile finger growth). Perhaps for other form factors more effort is needed, but in this case we consider all types with the exception of the facial and handprint types;
• Efficiency: the users’ goal with efficiency is to get access to a system or building as accurately and completely as possible, using minimal resources (e.g. time). Based on the discussions above we can conclude that the most efficient biometric types are iris and fingerprint, followed by face and handprint. Retina takes a long time to scan and is thus not efficient. We therefore consider all types with the exception of the retina type;
• Satisfaction: the users’ goal with satisfaction is a positive attitude towards getting access to a system or building, without encountering any discomfort. Based on the discussions above we can conclude that the iris, fingerprint, face and handprint types are effortless to use. Most convenient is fingerprint, followed by handprint and face. We therefore consider all types with the exception of the retina type.

Security aspects: • Confidentiality: in this aspect the property that information is not made available to unauthorized

individuals is important. However biometrics concerns the component “something you are”. The risk of obtaining a ‘finger’ to forge the fingerprint reader or have access by identical siblings is considered very low. Based on the discussions above we can conclude that in this case the most secure biometric types are Iris, fingerprint and retina;

• Integrity: in this aspect the property of safeguarding the accuracy and completeness of assets is important. Same explanation as confidentiality;

• Availability: in this aspect the property of being accessible and usable upon demand by an authorized user, in this case getting access to a building or remote access is important. Same explanation as confidentiality.

In this paragraph we have seen that the different biometric technologies have a wide range of accuracy, reliability and usability. The actual performance of these devices is measured using False Accept Rates (FAR) and False Reject Rates (FRR), and depends on the number of reference points and the algorithms used. Each biometric type has its strengths and weaknesses and is primarily used for physical and information system access. The table below illustrates the results of our classification based upon the analyses performed in this paragraph:

Type of biometric   Usability                                          Security
                    Effectiveness  Efficiency  Satisfaction  Level     Confidentiality  Integrity  Availability  Level
Handprint                          x           x             Moderate                                             Low
Fingerprint         x              x           x             High      x                x          x             High
Iris                x              x           x             High      x                x          x             High
Retina              x                                        Low       x                x          x             High
Face                               x           x             Moderate                                             Low

Table 6: Biometric type levels

The relationship between usability and security will be discussed in chapter five.
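How the FAR/FRR trade-off mentioned above produces the usability and security levels in Table 6 can be shown with a threshold sweep. This is an added example, not code from the thesis: genuine and impostor match scores are constructed, the 0 to 100 score scale and the function names are assumptions, and the device is assumed to accept when the score reaches the decision threshold. FAR is the security error, FRR the usability error, and a policy that caps one is paid for in the other.

```python
"""Threshold sweep over constructed biometric match scores (added example)."""
from typing import List, Sequence, Tuple

# Constructed sample data, not measurements from any real device.  A matcher is
# assumed to output a similarity score from 0 to 100; the device accepts an
# attempt when the score is at or above the decision threshold.
GENUINE_SCORES = [92, 88, 95, 79, 85, 90, 67, 97, 83, 91]   # enrolled users
IMPOSTOR_SCORES = [35, 52, 48, 61, 29, 70, 44, 57, 40, 66]  # other people


def false_accept_rate(impostor: Sequence[int], threshold: int) -> float:
    """FAR: share of impostor attempts wrongly accepted (the security error)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: Sequence[int], threshold: int) -> float:
    """FRR: share of genuine attempts wrongly rejected (the usability error)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def sweep(genuine: Sequence[int], impostor: Sequence[int],
          thresholds: Sequence[int] = range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold, lowest first."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def equal_error_threshold(genuine: Sequence[int], impostor: Sequence[int]) -> Tuple[int, float, float]:
    """Lowest threshold where FAR and FRR are closest: the equal error rate point."""
    return min(sweep(genuine, impostor), key=lambda r: (abs(r[1] - r[2]), r[0]))


def threshold_for_far_cap(genuine: Sequence[int], impostor: Sequence[int],
                          max_far: float) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR meets the policy cap, with the FRR it costs users."""
    for row in sweep(genuine, impostor):
        if row[1] <= max_far:
            return row
    raise ValueError("no threshold satisfies the FAR cap")


if __name__ == "__main__":
    for t in (60, 68, 71, 80, 90):
        print(f"threshold {t:3d}: FAR={false_accept_rate(IMPOSTOR_SCORES, t):.1f} "
              f"FRR={false_reject_rate(GENUINE_SCORES, t):.1f}")
    print("equal error point:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR capped at 0:", threshold_for_far_cap(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

Raising the threshold until no impostor is accepted (FAR 0) is what a "High" security classification demands; with these constructed scores it turns a genuine user away one time in ten, which is the usability cost the thesis describes.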


4 Interviews

We have chosen to conduct two interviews to discuss the four authentication mechanisms discussed in the previous chapter. The purpose of the interviews was to obtain insight into how the authentication mechanisms are dealt with in practice and how the relationship between usability and security is portrayed. We deliberately chose to conduct one interview with Martin Wijmaalen, who provided input from a security perspective, and the other interview with Eric Velleman, who provided input from a usability perspective. Martin is senior manager at Ernst & Young EDP Audit in the Netherlands and has more than 8 years’ experience in information security and IT assurance. Eric Velleman is technical director and accessibility expert. He has worked for more than twenty years at ‘Stichting Bartiméus Accessibility’ with the visually impaired and has conducted research on accessibility, usability and user profiles for people with disabilities and ICT. Based upon the interviews we are able to conclude the following (for a summary of the interviews, please refer to the appendix):

• Identity and access management is one of the most important and most time-consuming activities addressed within organizations;

• Companies spend a lot of time improving IT and operational efficiencies (e.g. password resets);

• Passwords and/or PIN codes are difficult to remember and are often written down, or a ‘work-around’ is chosen, such as choosing an easy-to-guess password, which affects the security level;

• A preference for biometrics as an authentication mechanism is expressed, but it is not commonly used by organizations. The use of biometrics would improve usability;

• Creating awareness amongst suppliers and emphasizing the importance of accessibility and usability is very important, but is unfortunately very low on the agenda in most organizations;

• Usability and security are not taken into consideration from the start of the design phase.

5 The optimal balance between usability and security

In the previous chapters we have discussed the definitions of usability and security and the various types of authentication mechanisms, and we have defined their usability and security levels. When we look more closely into the different types of authentication mechanisms we are able to conclude that each mechanism has its own strengths and weaknesses. We discussed four types of authentication mechanisms and were able to establish the following relationships between usability and security:

• Passwords: passwords in a high password complexity category result in a low level of both usability and security. Users have trouble memorizing the passwords and therefore write them down. Passwords in a low password complexity category result in a high usability level but a low security level. In this case users are able to memorize the passwords easily but are not obliged to change them often, which is at the expense of security. Thus, passwords in a moderate complexity category result in a well-balanced level of usability and security;

• Challenge questions: a fixed question type results in questions defined by administrators which are secure for users such as IT professionals, but not for common users, who are then obliged to use questions from a fixed list. Using an open question/answer type results in user-defined input, which provides flexibility and ease of use. On the other hand this tends to be less secure and easy to guess, which results in a low security level. Thus, having a controlled question/answer type results in a well-balanced level of usability and security;

• Tokens: tokens are used more commonly for the physical domain and are considered a weak mechanism outside the financial sector, because presentation of a valid token does not prove ownership and the token can be stolen. One-time password (OTP) tokens such as SecurID are one way of significantly reducing the risk of using passwords. There are weaknesses in using only this approach, but the chance of someone stealing or fraudulently obtaining the key fob and also knowing the user’s id, so as to successfully masquerade as that identity, is considered unlikely. Thus, OTP provides the most balanced level of usability and security;

• Biometrics: the different types of biometrics are very dependent on the error tolerance, which can be measured by the False Accept Rate (FAR) and False Reject Rate (FRR). The fingerprint is the most mature biometric technology and its reliability is well accepted. The Iris is becoming very stable over time and is characterized by its uniqueness. Thus, both fingerprint and Iris provide the most balanced level of usability and security.

5.1 More secure authentication

The separate authentication mechanisms discussed earlier provide a way to establish security and are in fact forms of single-factor authentication. The classic form is the user id and password. This form of user authentication, while used extensively, is relatively weak because the same password is used over and over again, giving many opportunities for it to be illicitly captured [41]. Two-factor authentication is considered to be stronger than single-factor authentication [41]. Two-factor authentication usually involves using something you have and something you know. The most widely used forms are:

• Automatic Teller Machine (ATM) card and PIN: one needs the card and needs to know the PIN code;

• Token and PIN: one needs the token and needs to know the PIN code.

An even more secure form of user authentication is three-factor authentication. This involves using something you have, something you know and something you are: for example an access control token such as a smart card, a PIN to access the smart card, and a biometric value held in a central database. The card is entered into a reader, the PIN is entered via a special PIN pad or keyboard, and the biometric is read and encrypted under a cryptographic key held on the smart card. The user id, read from the smart card, together with the encrypted biometric are sent to the central access control system, where the biometric is decrypted and compared with the value in the central access control database. Note here that the user PIN is not sent to the central access control system, but is checked locally by the smart card [41]. Thus, in a more secure environment, by means of two- or three-factor authentication, a user needs to perform more steps, which is not always efficient.
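The three-factor flow just described, modelled as an added example (not code from the thesis or from Thales): the card checks the PIN locally and never sends it, the biometric leaves the terminal only encrypted under the card's key, and the central system decrypts and compares it with the enrolled reference. Assumptions: the class and function names, a per-user key shared between card and central system at enrolment, a three-attempt PIN lock on the card, and, for portability, an HMAC-SHA256 keystream with a separate integrity tag standing in for the block cipher a real smart card would use.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MAX_PIN_ATTEMPTS = 3  # assumed retry limit, enforced on the card itself


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256(key, nonce || counter); stand-in for a block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt, then tag nonce and ciphertext so tampering in transit is detectable."""
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_sealed(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Check the tag first; return the plaintext, or None if the message was altered."""
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class SmartCard:
    """Something you have. The PIN is verified here and never leaves the card."""
    def __init__(self, user_id: str, key: bytes, pin_hash: bytes) -> None:
        self.user_id = user_id
        self.key = key              # per-user key shared with the central system
        self.pin_hash = pin_hash    # a short PIN is protected by the retry counter, not the hash
        self.failed_attempts = 0
        self.unlocked = False

    def verify_pin(self, pin: str) -> bool:
        """Something you know, checked locally; the card blocks after too many failures."""
        if self.failed_attempts >= MAX_PIN_ATTEMPTS:
            return False
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            self.failed_attempts, self.unlocked = 0, True
            return True
        self.failed_attempts, self.unlocked = self.failed_attempts + 1, False
        return False

    def encrypt_biometric(self, template: bytes) -> Optional[Dict[str, bytes]]:
        """Something you are: the biometric leaves the terminal only under the card's key."""
        if not self.unlocked:
            return None
        nonce = os.urandom(16)
        ciphertext, tag = seal(self.key, nonce, template)
        return {"user_id": self.user_id.encode(), "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


class CentralAccessControl:
    """Holds each user's key and enrolled reference biometric; never sees the PIN."""
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def enrol(self, user_id: str, key: bytes, reference: bytes) -> None:
        self._users[user_id] = (key, reference)

    def authenticate(self, message: Dict[str, bytes]) -> bool:
        entry = self._users.get(message["user_id"].decode())
        if entry is None:
            return False
        key, reference = entry
        template = open_sealed(key, message["nonce"], message["ciphertext"], message["tag"])
        # A real matcher tolerates sensor noise; exact comparison keeps the flow visible.
        return template is not None and hmac.compare_digest(template, reference)


def enrol_user(server: CentralAccessControl, user_id: str, pin: str, template: bytes) -> SmartCard:
    # Enrolment: generate the shared key, store the reference template, issue the card.
    key = os.urandom(32)
    server.enrol(user_id, key, template)
    return SmartCard(user_id, key, hashlib.sha256(pin.encode()).digest())


def login(server: CentralAccessControl, card: SmartCard, pin: str, captured: bytes) -> bool:
    # Terminal-side flow: card inserted, PIN entered on the pad, biometric read.
    if not card.verify_pin(pin):
        return False
    message = card.encrypt_biometric(captured)
    return message is not None and server.authenticate(message)
```

Each factor fails independently: a wrong PIN never reaches the central system, a wrong biometric is rejected there, and a message altered in transit fails the tag check before any comparison takes place.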

5.2 More usable authentication

The usage of multiple applications and information systems has grown in the last decade. Users often require access to multiple systems or applications using a different authentication every time, which does not make it easier or more efficient. Single Sign On (SSO) describes the ability to use one set of credentials, an ID and password or a passcode for example, to authenticate and access information across system, application and even organizational boundaries [35]. Even biometric security devices allow the concept of single sign-on to extend to the physical layer. A person would only have to enroll once to let his or her biometric characteristics give access to every door, computer, or application that he or she needs access to [42].

6 Conclusion

In this thesis we have described the major types of authentication mechanisms, how and why these authentication mechanisms are necessary and some of the usability issues associated with each. We have seen that usability and security have many different definitions, each defined in different ways. The components or aspects of which they consist are highly dependent on what is considered to be useful by the author or organization. In this chapter we will provide answers to the research questions as defined in paragraph 1.2.

What is usability? We define usability as: “The extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use”. Thus, usability refers to users who interact with information systems or devices with the goal of obtaining access to systems or buildings as effectively, efficiently and satisfactorily as possible.

What is security? Security is the “preservation of confidentiality, integrity and availability of information”. Thus, security relates to the protection of information and information systems from unauthorized individuals in order to safeguard the accuracy and completeness of the information and its being accessible and usable upon demand.

What is the relationship between usability and security? Looking back at the types of authentication mechanisms discussed in this thesis, we are able to conclude that each mechanism has its own strengths and weaknesses. We determined that a relationship between the usability and security of authentication mechanisms exists and that it is possible to have a balanced level of usability and security.

How will the relationship between usability and security develop in the coming years? We believe the trend of combining secure computing with ease of use and quality will not go away but will grow even more in the future. Two-factor and three-factor authentication, for instance, provide better security without decreasing the level of usability. We further believe that a combination of technologies and mechanisms securely linked will result in stronger authentication. Access control techniques such as single sign on and the use of Radio-frequency identification within organizations will continue to develop and increase in the next few years.


To answer our main research question: “To what extent is it possible to have a sufficient level of security, without losing usability?” We have performed literature studies and analyzed case studies of trade-offs between usability and security for various authentication mechanisms. We can conclude that a balanced level of usability and security can be obtained for each authentication mechanism and that security is not at the expense of usability or vice versa. Usability and security can co-exist, and the extent to which an optimal balance between these two aspects can be achieved is particularly determined by the following factors:

• type of organization;

• type of process;

• the importance and sensitivity of the information that needs to be protected;

• target audience.

7 Reflection

Terren Chong

I have always been very interested in doing business online (e-commerce) and have been involved (and still am) in various website projects. Already familiar with the term web usability and research papers of Jakob Nielsen (some say, the ‘usability guru’), I knew I had to do something with usability. In the beginning, I wasn’t sure how to incorporate the subject so it would relate to the postgraduate IT audit program, but found out soon that this would not be an issue. The idea to investigate the relationship between usability and security started when a client told me that their employees were writing their passwords down because they could not remember them. I was actually a bit surprised, because the password policy at that time was not in line with best practice. The ‘real work’ started for me in January when I came back from my holidays. We had handed over our plan of approach the month before and the actual work was ahead of us. Not sure what we would find on literature, we kicked off our literary study mid-January. The initial plan was to write the thesis in Dutch, but after a few days searching on the Internet, including electronic book repositories (e-books), I realized that there wasn’t sufficient material available or studies conducted in Dutch that would support the research question and overall topic. One-fourth of the thesis was already written in Dutch and with a busy period at work and overseeing that the actual time left to work on the thesis was limited, Andrew and I decided to ‘switch’ to English. In my opinion it was the right choice to make. The risk of a possible delay was accepted, but could not be avoided as the pressure was clearly felt in the last two weeks. Sundays became a typical ‘thesis day’ where I would meet with Andrew for the day. The financial statement audit is important in meeting investor expectations. As an IT auditor having a key role in the financial statement audit, I feel that we need to pay more attention when writing our recommendations and not only recommend because it is considered to be a best practice, but make the recommendation a piece of advice that the company would actually use or at least consider implementing. A good example is our advice on password policies. This not only concerns our role in financial statement audits, but any audit and assurance related assignments in which we are involved.


I would concentrate future research on creating a framework for usability and security. A framework that would take the following elements into consideration:

- Type of organization/industry;
- The information being protected;
- Authentication mechanism;
- Component;
- Usability level;
- Security level;
- Overall rating.

Furthermore I have gained more interest in learning about RFID, single sign on implementations and the possibilities of three-factor authentication mechanisms.

Andrew Cheung

I have experienced many times at clients’ sites during financial audits that we only focus on the security part and make recommendations which are actually justifiable, but which do not take into account that the actual usability of the specific process would drop dramatically. That’s why I wanted to focus on this subject, to be able to make an initial discussion to determine the relationship between usability and security. During the studies period, I was sent to Germany for a project, so every week I flew back and forth, which was not that beneficial to the thesis and also the time I could spend on my studies. That’s why Sundays became a typical ‘thesis day’ where we would meet with each other for the whole day. We also found out there was quite limited information (or hard to find) to be able to understand the relationship between usability and security. For further research I would recommend focusing on the actual types of two- or three-factor authentication and performing an inquiry, more interviews and field research to investigate and actually measure the trade-off between usability and security in practice. Furthermore I would also focus on the possibility to use two- or three-factor authentication with single sign on. Another research topic which we think is also of great value is to develop a framework to assess both usability and security.


Appendix

Interview with Martin Wijnmaalen

Agreed on 25 March 2008

Each year we see the business environment become more complex and the scope of information security expand. New technologies, global connectivity and increased regulatory requirements continue to push information security to new levels. When asked about the different authentication mechanisms discussed in this thesis, Martin says that identity and access management is one of the most important and most time-consuming activities to address within organizations. Furthermore he says that security functions within companies spend a lot of time improving IT and operational efficiencies (e.g. password resets). Martin feels that the level of security depends on how important the data or object is that users, and thus organizations, want to protect. A good example is the four-digit PIN code used by the banking industry on ATM cards. “No one wants unauthorized people to withdraw cash from the ATM using their ATM card. Keeping the four-digit pin code a secret is therefore not a problem for most users and the level of security is considered to be sufficient, even if it’s not in line with ‘best practices’ when talking about password requirements.” Another example he gives is his own Blackberry. “The current pin code settings are so strict that it has become in such a way ‘unusable’ and that easy to guess combinations are used, as a result making the level of security lower”. Using physical access devices for information systems authentication, such as biometrics, is one activity within organizations he hasn’t come across so often. “Biometrics has been an active research field for the last five years or so, stating that it could replace the use of passwords in the future but to my surprise it’s still low on the agenda within many organizations” says Martin. One good reason might be the IT support organization that is required when implementing the use of biometrics in organizations. The type of organization is also a key factor when deciding on the type of measures to implement. A nuclear power plant, for example, would put more emphasis on adequate physical controls than a bank, which would stress adequate logical access controls more. One access control method that could improve usability is Single Sign On (SSO), says Martin. The technical complexity and the use of legacy systems within organizations can however make it difficult, time-consuming and expensive to retrofit to existing applications. The ‘security function’ perspective also needs to be considered when talking about the relationship between usability and security. An audit trail, for example, can be a very useful detective measure to implement, but it needs to be set up in such a way that it can be used; “if not, what’s the use?”. According to Martin the starting point is identifying the risks and implementing appropriate measures that are efficient and thus easy to use. The use of RFID (Radio-frequency identification) is a development we want to keep a close watch on, says Martin, as he expects its use to increase rapidly in the coming years.

Page 33: Usability and Security - vurore.nl

29

Interview with Eric Velleman

“The Bartiméus Accessibility Foundation was founded in 2001 and provides education and outreach in the form of information and training to businesses, (local) governments and other organizations concerning the accessibility of the Internet for the elderly and people with disabilities” says Eric. The foundation is accredited for performing accessibility and usability inspections on websites based on multimedia formats used by the World Wide Web Consortium (W3C) and other consortia, such as the Web Content Accessibility Guidelines (WCAG). In addition the foundation is involved in various projects. When asked about the relationship between usability and security, Eric gives an example of the Cito exam, an end-of-primary-school test in the Netherlands, which is taken using a personal computer. He says that from a security perspective they decided to enforce that the computer runs only one application (the Cito exam application) at a time, to prevent students from using a dictionary. This, however, made it impossible to run other applications at the same time that would allow e.g. visually impaired students to take the test. “This results in a less accessible and user-friendly system” he says. Furthermore he says that an important factor is creating awareness amongst suppliers, emphasizing the importance of accessibility and usability. Eric doesn’t feel that there is a negative relationship between usability and security. “If usability is taken into consideration from the start of the design phase neither usability nor security would be an issue” he says. A good example is ‘the talking digipass’ introduced by the SNS Bank to make online banking possible for the visually impaired. “SNS Bank was keen on making online banking accessible for everyone. If security was a major issue, another solution would be required, but apparently it was not”. He supports the use of biometrics as an authentication mechanism and feels it will help increase the level of both usability and security. “I know a lot of people that have their PIN code written down on a piece of paper or scratched on their ATM card” he says. This especially concerns elderly people. “The group of elderly people will grow extensively in the next few years. This is almost 25% of the entire population” he says. Authentication mechanisms are therefore required to be made more usable so we can service different target groups. Another example he gave was about the use of credit cards. He has been a victim of credit card fraud three times, where he was charged on his company credit card unwillingly. “This can be done very easily” he says. “When you use your credit card at e.g. a restaurant, your credit card details can easily be copied


Sources

1 ISO 9241-11, Part 11: Guidance on usability, 1998;
2 Jakob Nielsen, Usability 101: Introduction to Usability, 2003;
3 Brian Shackel, Simon J. Richardson, Human Factors for Informatics Usability, 1991;
4 Paul A. Booth, An Introduction to Human-Computer Interaction, 1989;
5 Tom Brinck, Darren Gergle, Scott D. Wood, Usability for the Web: Designing Web Sites that Work, 2002;
6 Deborah Hix and H. Rex Hartson, Developing User Interfaces: Ensuring Usability Through Product & Process, 1993;
7 Judy Jeng, Usability Assessment of Academic Digital Libraries: Effectiveness, Efficiency, Satisfaction, and Learnability, 2005;
8 ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security management, 2005;
9 SANS Institute, http://www.sans.org/information_security.php;
10 US CODE: Title 44, 3542. Definitions, http://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003542----000-.html;
11 An Introduction to Information Security, http://pages.stern.nyu.edu/~abernste/teaching/Spring2001/security.html;
12 Paul Overbeek, Edo Roos Lindgreen, Marcel Spruit, Informatiebeveiliging onder controle 2e Editie, 2005;
13 Jan van Praat, Hans Suerink, Inleiding EDP-auditing, 2004;
14 Michael Gregg, CISSP Exam Cram 2;
15 B. Schneier, Sensible Authentication, ACM Queue 1, 2004;
16 RSA Information Security Glossary, http://www.rsa.com/glossary/default.asp?id=1006;
17 RSA Information Security Glossary, http://www.rsa.com/glossary/default.asp?id=1007;
18 Nomenclature introduced by http://www.realuser.com/technology/;
19 R. E. Smith, Authentication: From Passwords to Public Keys, 2002;
20 Matt Bishop, Computer Security: Art and Science, 2003;
21 M. Angela Sasse, Sacha Brostoff, Dirk Weirich, Transforming the ‘weakest link’: a human-computer interaction approach to usable and effective security, 2001;
22 M. Angela Sasse, Sacha Brostoff, Ten strikes and you’re out: increasing the number of login attempts can improve password usability, 2003;
23 Password Management Best Practices, http://psynch.com/docs/password-management-best-practices.html;
24 Thomas Baekdal, The Usability of Passwords, 2007;
25 Lorrie Faith Cranor, Simson Garfinkel, Security and Usability, 2005;
26 Mike Just, Designing Authentication Systems with Challenge Questions, 2005;
27 Mike Just, Designing Secure Yet Usable Credential Recovery Systems With Challenge Questions, 2003;
28 M. Angela Sasse, Usability and trust in information systems, 2004;
29 R. E. Smith, Authentication: From Passwords to Public Keys, 2002;
30 Authentication - Security Tokens, http://www.authenticationworld.com, 2006;
31 Anderson, R. J., Why Cryptosystems Fail, 1994;
32 Svigals, J., Smartcards - a Security Assessment, 1994;
33 Fred B. Schneider, Something You Know, Have, or Are, 2005;
34 Lynne Coventry, Usable Biometrics, 2005;
35 RSA Information Security Glossary, http://www.rsa.com/glossary/default.asp?id=1049;
36 Andrew S. Patrick, Usability and Acceptability of Biometric Security Systems, 2004;
37 “Tomorrow’s Markets,” Biometric Technology Today, 2004;
38 Mansfield, Wayman, U.K. biometric working group best practice document, 2002;
39 S. G. Davies, How Biometric Technology Will Fuse Flesh and Machine, 1994;
40 Orville Wilson, Privacy & Identity - Security and Usability: The viability of Passwords & Biometrics, 2004;
41 Thales e-Security, Advanced Authentication, 2003;
42 Hunter Purnell, Dan Marks, Enterprise Biometric Security, 2003.