“Technology Should Be Smarter Than This!”: A Vision for Overcoming the Great Authentication Fatigue

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8425)

Abstract

Security researchers identified 15 years ago that passwords place too much of a burden on users. But despite much research activity on alternative authentication mechanisms, there has been very little change for users in practice, and the implications for individual and organisational productivity are now severe. I argue that, rather than looking for alternative ‘front-end’ solutions, we must re-think the nature of authentication: we must drastically reduce the number of explicit authentication events users have to participate in, and use advanced technologies to implicitly authenticate users without disrupting their productive activity.


Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Human-Centred Technology, Research Institute for Science of Cyber Security, Department of Computer Science, University College London, London, UK
