Article

User perceptions and use of authentication methods: insights from youth in Mexico and Bosnia and Herzegovina


Abstract

Purpose
This paper aims to address the user perspective about usability, security and use of five authentication schemes (text and graphical passwords, biometrics and hardware tokens) from a population not covered previously in the literature. Additionally, this paper explores the criteria users apply in creating their text passwords.

Design/methodology/approach
An online survey study was performed in spring 2019 with university students in Mexico and Bosnia and Herzegovina. A total of 197 responses were collected.

Findings
Fingerprint-based authentication was most frequently perceived as usable and secure. However, text passwords were the predominantly used method for unlocking computer devices. The participants preferred to apply personal criteria for creating text passwords, which, interestingly, coincided with the general password guidelines, e.g. length, combining letters and special characters.

Originality/value
Research on young adults' perceptions of different authentication methods is driven by the increasing frequency and sophistication of security breaches, as well as their significant consequences. This study provided insight into the commonly used authentication methods among youth from two geographic locations, which have not been accounted for previously.


... As shown by previous studies (e.g., [13]), users perceive biometrics not only as usable but also as secure; their perception of the risks related to biometrics usually does not reflect reality. Unfortunately, these incorrect mental models also apply to computer science students [10], who represent future IT professionals. Several studies show that it is possible to fool fingerprint authentication in multiple ways (e.g., [8], [4]). ...
... A recent study on the general Android smartphone population [13] showed that users perceived fingerprint authentication as the most usable and secure method compared with PIN and token-based methods. A high perception of fingerprint security can also apply to IT-savvy participants (44% of computer science students), as shown by [10]. Also, in another study about smartphone authentication mechanisms with the iPhone population, "more than 50% of participants stated that security provided by Touch ID was one of the reasons to use it" [7]. ...
Conference Paper
Many services offer fingerprint authentication, including sensitive services such as mobile banking. This broad adoption could give end-users the impression that fingerprint authentication is secure. However, fingerprint authentication is vulnerable to various attacks performed even by not-very-sophisticated attackers, e.g., fingerprint forgery. Will participants perceive fingerprint authentication differently after relevant theory education and the creation of their own fingerprint counterfeit, which should overcome misunderstandings, especially regarding security? How will they perceive the fingerprint forgery process? We prepared a hands-on seminar with a fingerprint forgery simulation. We focused on the difference in perception before and after the theoretical lecture on biometrics and a practical seminar on forgery creation. We applied an uncommon approach, reconstructing the fingerprint from a photo of the actual finger rather than its print on some surface – to illustrate the case of an attack based merely on a “thumbs-up” photograph. Our results show that 19% of participants (out of 221) were successful in spoofing, according to the NIST Biometric Image Software, and 27% of participants could register their counterfeit into the smartphone. Participants perceived fingerprint authentication as less secure after the simulation and reported their intention to use it less for mobile banking operations. They also perceived the forgery attack as easier to learn than before the simulation – but harder to perform. Our study implies that participants intend to change their behaviour based on their experience from our seminar; however, they did not consider two-factor authentication as an option.
... While no biometric technology can offer absolute security, experts emphasize that high-cost systems such as iris scanners possess greater accuracy in making identifications compared to low-cost technologies like signature dynamics (Srivastava, 2009). Since there is a wide variety of biometrics technologies available to recognize the person, correctly or erroneously and with or without an individual's permission, biometrics authentication systems can threaten the total system's privacy and security (Hadzidedic et al., 2022). ...
Article
This study is designed to assess several key predictors of user intention to accept biometric authentication for e-payment. To do so, a research model is constructed based on the prominent unified theory of acceptance and use of technology (UTAUT) framework. Further, the UTAUT model is expanded by integrating three prevalent constructs that are essential to accepting biometric authentication. As the principal analytical tools, structural equation modelling (SEM) and importance-performance map analysis (IPMA) are employed. The study reveals significant effects of performance expectancy, effort expectancy, social influence, perceived risk and perceived trust on attitude. Moreover, attitude, facilitating conditions and perceived trust play a substantial role in predicting user adoption intention towards biometric authentication in e-payment. The IPMA suggests that perceived trust and facilitating conditions fall into the critical zone, requiring special managerial consideration. This research offers a comprehensive research model to explore users' biometric authentication adoption behaviour, particularly in the field of e-payment. This study assesses the initial adoption behaviour of biometric authentication in e-payments; therefore, assessing users' continued usage behaviour of this technology is a potential direction for future research.
... Authentication is a meaningful way to keep personal information, such as personal data and more, from falling into the wrong hands [7]. Android devices have used authentication schemes, including pin codes or passwords, patterns, fingerprints, and biometrics [8], where patterns, pins, and alphanumeric passwords are still the preferred way to log into Android devices [9], computers, and web applications such as email, cloud storage, and online shopping services [10], [11]. ...
Article
Full-text available
Profound societal shifts result from the inception of the fourth Industrial Revolution (Industry 4.0) and rapid technological advancements. The widespread adoption of e-services has resulted in substantial reliance on smartphones to access diverse offerings. Even so, account breaches and data leaks are risks that users take when they rely so heavily on their smartphones. Authentication is an essential method of safeguarding personal information. The purpose of this study is to undertake a thorough review of the literature on the deployment and trends of multimodal biometric authentication on smartphones. The review looks at several biometric modalities, such as behavioural and physiological characteristics, and the pattern recognition algorithms used in continuous authentication systems. The results show various biometric authenticators and emphasize the importance of behavioural features in smartphone authentication. In addition, the research underlines the significance of machine learning algorithms in pattern identification for rapid and accurate analysis. This study helps to understand the present authentication technique landscape and gives ideas for future advances in secure and user-friendly smartphone authentication systems.
Article
Full-text available
To accelerate the deployment of fifth-generation (5G) cellular networks, millions of devices are being connected to massive Internet of Things (IoT) networks. However, advances in the scale of connectivity on 5G networks may increase the attack surface of these devices, thereby increasing the number of attack opportunities. To address the potential security risks in IoT systems, one feasible security practice involves the development of secure and efficient user authentication schemes. In 2017, Dhillon and Kalra proposed a three-factor user authentication scheme for IoT. We noted that their scheme suffers from several security weaknesses. In this study, we specifically demonstrate that the scheme proposed by Dhillon and Kalra (1) is not secure against a stolen mobile device attack; (2) does not prevent a user impersonation attack; (3) does not provide session key agreement; (4) does not have a contingency plan (e.g., a revocation phase) for situations where a user's private key is compromised, or a mobile device is stolen or lost. We propose an improved three-factor user authentication scheme to resolve these security issues. Furthermore, we demonstrate that the proposed scheme provides desirable attributes for IoT environments and that its computation and communication costs are suitable for extremely low-cost IoT devices.
Article
Full-text available
In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.
Article
Full-text available
Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. Dozens of multi-factor authentication schemes for multi-server environments have been successively proposed, yet most of them have shortly afterwards been found problematic. The research pattern of this area has fallen into the undesirable “break-fix-break-fix” cycle, in which much effort has been devoted but little real progress has been made. In this paper, we revisit five leading two-factor authentication schemes for multi-server environments (i.e., Xu et al.'s scheme at ICICS'17, Wu et al.'s scheme at FC'17, Leu-Hsieh's scheme at IET IS'14, Zhou et al.'s scheme at WINET'18 and Roy et al.'s scheme at IEEE TII'19), and demonstrate that all of them suffer from critical security defects (e.g., no truly multi-factor security and temporary information leakage attack) or lack important properties (e.g., no user anonymity). Our results invalidate any use of these five schemes in practical applications without further improvement, and underscore some new challenges (e.g., attacks arising from the leakage of session-specific parameters and from malicious insiders) in designing sound multi-factor schemes for multi-server environments. We also draw some useful lessons from the cryptanalysis results.
Article
Full-text available
This paper presents a comprehensive investigation of authentication schemes for smart mobile devices. We start by providing an overview of existing survey articles published in recent years that deal with security for mobile devices. Then, we give a classification of threat models in smart mobile devices in five categories: identity-based attacks, eavesdropping-based attacks, combined eavesdropping and identity-based attacks, manipulation-based attacks, and service-based attacks. This is followed by a description of multiple existing threat models. We also provide a classification of countermeasures into four categories: cryptographic functions, personal identification, classification algorithms, and channel characteristics. According to the characteristics of the countermeasure along with the authentication model itself, we categorize the authentication schemes for smart mobile devices in four categories, namely, 1) biometric-based authentication schemes, 2) channel-based authentication schemes, 3) factors-based authentication schemes, and 4) ID-based authentication schemes. In addition, we provide a taxonomy and comparison of authentication schemes for smart mobile devices in the form of tables. Finally, we identify open challenges and future research directions.
Article
Full-text available
Individuals, businesses and governments undertake an ever-growing range of activities online and via various Internet-enabled digital devices. Unfortunately, these activities, services, information and devices are the targets of cybercrime. Verifying a user's legitimacy to use or access a digital device or service has become of the utmost importance. Authentication is the frontline countermeasure for ensuring that only the authorized user is granted access; however, it has historically suffered from a range of issues related to the security and usability of the approaches. They also still mostly function only at the point of entry, and those that perform some form of re-authentication do so in an intrusive manner. Thus, it is apparent that a more innovative, convenient and secure user authentication solution is vital. This paper reviews the authentication methods along with the current use of authentication technologies, aiming at developing a current state of the art and identifying the open problems to be tackled and the available solutions to be adopted. It also investigates whether these authentication technologies have the capability to fill the gap between high security and user satisfaction. This is followed by a literature review of the existing research on continuous and transparent multimodal authentication. It concludes that providing users with adequate protection and convenience requires innovative, robust authentication mechanisms to be utilized at a universal level. Ultimately, a potential federated biometric authentication solution is presented, which operates in a transparent, continuous and user-friendly manner; however, it still needs to be developed and extensively evaluated.
Article
Full-text available
Previous research has identified user concerns about biometric authentication technology, but most of this research has been conducted in European contexts. There is a lack of research that has investigated attitudes towards biometric technology in other cultures. To address this issue, data from India, South Africa and the United Kingdom were collected and compared. Cross-cultural attitudinal differences were seen, with Indian respondents viewing biometrics most positively while respondents from the United Kingdom were the least likely to have a positive opinion about biometrics. Multiple barriers to the acceptance of biometric technology were identified with data security and health and safety fears having the greatest overall impact on respondents’ attitudes towards biometrics. The results of this investigation are discussed with reference to Hofstede’s cultural dimensions and theories of technology acceptance. It is argued that contextual issues specific to each country provide a better explanation of the results than existing theories based on Hofstede’s model. We conclude that cultural differences have an impact on the way biometric systems will be used and argue that these factors should be taken into account during the design and implementation of biometric systems.
Article
Full-text available
Security policies are required that protect information from unauthorised access, and also respect challenges users face in creating, and particularly managing, increasing numbers of passwords. This paper investigates real password use in the context of daily life. It presents the results of an empirical study where participants completed a password diary over 7 days, followed by debrief interviews to gain further knowledge and understanding of user behaviour. The results reported relate to how many passwords are in use, the types of passwords participants created, the relationships between different passwords and to sensitive services, how participants retrieved their passwords and finally, the different strategies adopted by users in their management of passwords. The paper concludes by providing a high level set of password guidelines, along with suggestions for mechanisms to support creating, encoding, retrieving and executing multiple passwords.
Article
It was found that employees spend a total of 2.25 days within 60 days on password-related activities. The time consumed by this is unproductive and has a negative impact on usability. The problem is caused by current text-based user authentication policies in use. This study aims to address this research problem by assessing the effectiveness of a proposed two-tier user authentication solution involving passphrases and keystroke dynamics. A design science research approach was used to guide this study, the theoretical foundation of which included three theories: the Shannon Entropy theory which was used to calculate the strength of passwords, passphrases and keystroke dynamics; Chunking theory assisted in assessing password and passphrase memorisation issues; and the Keystroke Level model was used to assess password and passphrase typing issues. Two primary data collection methods were used to evaluate the findings and to ensure that gaps in the research were filled. Firstly, a login assessment experiment was used to collect data on user authentication and user–system interaction for passwords and passphrases and, secondly, an expert review was conducted to validate findings and assess the research artefact in the form of a model. The model was finalised after it had been updated based on the expert review feedback. The model indicates the components that should be considered to implement the user authentication solution successfully. If all the model components are considered, the proposed two-tier user authentication solution has the potential to improve security and usability in the user authentication process.
Article
Password authentication is still ubiquitous although alternatives have been developed to overcome its shortcomings, such as the high cognitive load it places on users. Using an objective rating scheme, Bonneau et al. (2012) demonstrated that replacing the password poses a challenge that remains unsolved. To shed light on this intractable issue we turn towards the subjective user perceptions that influence acceptance and actual use of authentication schemes. We first conducted an extensive rating of objective features of authentication schemes to inform our selection of schemes for this research. Building on those findings, 41 users interacted with twelve different authentication schemes in a laboratory study. The participants' ratings revealed that the password, followed by fingerprint authentication, scored highest in terms of preference, usability and intention to use, and lowest in terms of expected problems and effort. Usability and effort seem to be important factors for users' preference rating, whereas security and privacy ratings were not correlated with preference. One reason for these factors to fall behind might be their opacity and the resulting difficulty of evaluating them from a user perspective. Further, security and usability perceptions deviated from objective factors and should therefore be carefully considered before making decisions about authentication. Suggestions for making security and privacy features more tangible and allowing easier integration into users' decision process are discussed.
Article
User-generated textual passwords suffer from the conflict between security and usability. System administrators usually adopt password composition policies to help users choose strong passwords. However, users often use predictable patterns to meet strict password composition policies and to make passwords easy to remember, which in turn reduces password strength, or they write the password down, which may cause the password to be compromised. To overcome the user-generated password security and usability dilemma, we propose Optiwords, a new textual-password creation policy based on the picture superiority effect, which provides users with a direct “drawing-to-text” method for creating user-friendly passwords. Optiwords helps users design separate line drawings on the keyboard as a “password figure” and choose the characters on the lines of the drawings in a certain sequence as the final textual password. A two-part user study with 127 participants was conducted to compare the usability and security of Optiwords with three other popular password policies. The results showed that there was no statistically significant difference in memorability between Optiwords and Basic8 or 3class8. The password strength of Optiwords outperformed Basic8 and 3class8. Compared with Random8, Optiwords had a great advantage in usability.
Article
Passwords are the most frequently used authentication mechanism. However, due to the increased number of passwords, there has been an increase in insecure password behaviours (e.g., password reuse). Therefore, new and innovative ways are needed to increase password memorability and security. Typically, users are asked to input their passwords once in order to access the system, and twice to verify the password when they create a new account. But what if users were asked to input their passwords three or four times when they create new accounts? In this study, three groups of participants were asked to verify their passwords once (control group), twice, and three times (two experimental groups). Psychological literature suggests that applying repetition in learning to the password process has significant effects on password memorability. However, previous password research has found a trade-off between password security and memorability, and more recently, user convenience. Our results suggest that verifying passwords three times can increase password memorability from 42% (verifying passwords just once, as with current practice) to 70%. Even increasing the verification to just two times can increase password memorability by 17%. However, we found that increasing the number of verifications did not equate to a decrease in user convenience. What this means is that small changes to the password verification stage can have significant results on password memorability while not necessarily inconveniencing the user. The implications of these results could ultimately have a positive effect on password security and on the consequences of forgetting passwords.
Article
Context
There is a great variety of techniques for performing authentication, such as the use of text passwords or smart cards. Some techniques combine others into one, which is known as multi-factor authentication. There is an interest in knowing the existing authentication techniques, including those aimed at multi-factor authentication, and the frameworks that can be found in the literature that are used to compare and select these techniques according to different criteria.

Objective
This article aims to gather the existing knowledge on authentication techniques and ways to discern the most effective ones for different contexts.

Method
A systematic literature review is performed in order to gather existing authentication techniques proposed in the literature and ways to compare and select them in different contexts. A total of 515 single-factor and 442 multi-factor authentication techniques have been found. Furthermore, 17 articles regarding comparison and selection criteria for authentication techniques and 8 frameworks that help in such a task are discussed.

Results
A great variety of single-factor techniques has been found, and smart card-based authentication was shown to be the most researched technique. Similarly, multi-factor techniques combine the different single-factor techniques found, and the combination of text passwords and smart cards is the most researched technique. Usability, security and cost are the criteria most used for comparing and selecting authentication schemes, and context is also noted as important. No framework among the ones found analyzed in detail both single-factor and multi-factor authentication techniques for the decision-making process.

Conclusion
The review shows that a vast amount of research has been done on authentication techniques, although their use in some contexts has not been researched as much. A lack of works regarding the comparison and selection of authentication techniques is observed.
Article
People are increasingly using the Internet to access health information, and the information obtained has an impact on their healthcare outcomes. This paper examines the impacts of IT enablers and health motivators on people's online health information search behaviour. We characterize users' online health information search behaviour along three dimensions: the frequency of online health information search, the diversity of online health information usage, and the preference for the Internet as the initial source of a search. Using the 2003 Health Information National Trends Survey (HINTS) data on cancer, we find that ease of access to Internet services and trust in online health information could affect the three-dimensional search behaviour listed above. While perceived quality of communication with doctors has an impact on diversity of use and preference of use, we surprisingly do not find an impact on the frequency of search for online health information. In addition, our results find that perceived health status could affect both frequency and diversity of search for online health information. But we do not find evidence that perceived health status could lead to a preference for using the Internet as a source of health information.
Article
Researchers at Plymouth University in the UK have conducted a survey on public perceptions of biometrics to find out how accepting society is of the controversial technology.
Article
Numerous graphical password schemes have recently been proposed as alternatives to traditional text password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects, as well as system evaluation. The paper first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems should address, review methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.