Designing a User-Experience-First, Privacy-Respectful, High-Security Mutual-Multifactor Authentication Solution

  • Chris Drake
  • Praveen Gauravaram
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 969)


The rush for improved security, particularly in banking, presents a frightening erosion of privacy. As fraud and theft rise, anti-fraud techniques subject user privacy, identity, and activity to ever-increasing risks. Techniques like behavioral analytics, biometric data exchange, persistent device identifiers, GPS/geo-fencing, knowledge-based authentication, on-line user activity tracking, social mapping and browser fingerprinting secretly share, profile, and feed sensitive user data into backend anti-fraud systems. This is usually invisible, and usually without user consent or awareness. It is also, unfortunately, necessary, partly because contemporary authentication is increasingly ineffective against modern attacks, but mostly because the idea of “usable” is confused with “invisible” most of the time. In the mind of a CISO, “stronger authentication” means a slower, less convenient, and more complicated experience for the user. Security and privacy tend to lose most battles against usability, particularly when friction impacts customer adoption or increases support costs.


Keywords: Multifactor authentication, Usability, Security & privacy, MitM attack



We thank the reviewers and the numerous industry security experts who freely and eagerly gave up their time to review our solution and to try to find possible oversights in it.



Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. CryptoPhoto, Suite 2, 3, 4, Noosa Heads, Australia
  2. Tata Consultancy Services Limited, Brisbane, Australia
