A Field Study of User Behavior and Perceptions in Smartcard Authentication

  • Celeste Lyn Paul
  • Emile Morse
  • Aiping Zhang
  • Yee-Yin Choong
  • Mary Theofanos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6949)

Abstract

A field study of 24 participants over 10 weeks explored user behavior and perceptions in a smartcard authentication system. Ethnographic methods used to collect data included diaries, surveys, interviews, and field observations. We observed a number of issues users experienced while integrating smartcards into their work processes, including leaving smartcards in readers, forgetting to use smartcards to authenticate, and difficulty understanding digital signatures and encryption. The greatest perceived benefit was the use of an easy-to-remember PIN as a replacement for complicated passwords. The greatest perceived drawback was the lack of smartcard-supported applications. Overall, most participants had a positive experience using smartcards for authentication. Perceptions were influenced by the personal benefits participants experienced rather than by any increase in security.

Keywords

Human factors, multi-factor authentication, security, smartcard

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Celeste Lyn Paul (1)
  • Emile Morse (2)
  • Aiping Zhang (2)
  • Yee-Yin Choong (2)
  • Mary Theofanos (2)

  1. University of Maryland Baltimore County, Baltimore, United States
  2. National Institute of Standards and Technology, Gaithersburg, United States