The Great Authentication Fatigue – And How to Overcome It

  • M. Angela Sasse
  • Michelle Steves
  • Kat Krol
  • Dana Chisnell
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8528)


We conducted a two-part study to understand the impact of authentication on employees’ behaviour and productivity in a US governmental organisation. We asked 23 participants to keep a diary of all their authentication events within a 24-hour period, and subsequently interviewed them about their experience with authentication. We found that the authentication tasks employees have to perform not only carry significant workload, but that the way in which authentication disrupts primary tasks reduces productivity and creates frustration. Our participants reported a range of coping strategies, including use of tools and re-organising their work to avoid security. Avoidance meant they logged in less frequently, stopped using certain devices and services. They also reported not pursing innovative ideas because of “the battle with security” that would be required. Our case study paints a picture of chronic ‘authentication fatigue’ resulting from current policies and mechanisms, and the negative impact on staff productivity and morale. We propose that organisations need to urgently re-think how they authenticate users in a pervasive technology requirement, and advocate a paradigm shift from explicit to implicit authentication.


Authentication usable security productivity workload diary study 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adams, A., Sasse, M.A.: Users are not the enemy. Communications of the ACM 42(12), 40–46 (1999)CrossRefGoogle Scholar
  2. 2.
    Brostoff, S., Jennett, C., Malheiros, M., Sasse, M.A.: Federated identity to access e-government services: Are citizens ready for this? In: 2013 Workshop on Digital Identity Management, pp. 97–108. ACM (2013)Google Scholar
  3. 3.
    Brostoff, S., Sasse, M.A.: Are PassfacesTM more usable than passwords? A field trial investigation. In: People and Computers XIV—Usability or Else!, pp. 405–424. Springer London (2000)Google Scholar
  4. 4.
    Card, S.K., Moran, T.P., Newell, A.: The keystroke-level model for user performance time with interactive systems. Communications of the ACM 23(7), 396–410 (1980)CrossRefGoogle Scholar
  5. 5.
  6. 6.
    Emotiv (2014),
  7. 7.
    Fairhurst, M.C., Guest, R.M., Deravi, F., George, J.: Using biometrics as an enabling technology in balancing universality and selectivity for management of information access. In: Carbonell, N., Stephanidis, C. (eds.) UI4ALL 2002. LNCS, vol. 2615, pp. 249–259. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Florêncio, D., Herley, C.: A large-scale study of web password habits. In: 16th International Conference on World Wide Web, pp. 657–666. ACM (2007)Google Scholar
  9. 9.
    Hayashi, E., Hong, J.: A diary study of password usage in daily life. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 2627–2630. ACM (2011)Google Scholar
  10. 10.
    Herley, C.: So long, and no thanks for the externalities: The rational rejection of security advice by users. In: Workshop on New Security Paradigms, pp. 133–144. ACM (2009)Google Scholar
  11. 11.
    Herley, C.: More is Not The Answer. IEEE Security & Privacy 12(1), 14–19 (2014)Google Scholar
  12. 12.
    Inglesant, P.G., Sasse, M.A.: The true cost of unusable password policies: Password use in the wild. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 383–392. ACM (2010)Google Scholar
  13. 13.
    ISO 9241-11. Ergonomic requirements for office work with visual display terminals (VDTs)-Part 11-Guidance on usability. Intern. Organisation for Standardisation (1998)Google Scholar
  14. 14.
    Killourhy, K.S., Maxion, R.A.: Comparing anomaly-detection algorithms for keystroke dynamics. In: 2009 Dependable Systems & Networks, pp. 125–134. IEEE (2009)Google Scholar
  15. 15.
    Monsell, S.: Task switching. Trends in Cognitive Sciences 7(3), 134–140 (2003)CrossRefGoogle Scholar
  16. 16.
    Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In: IEEE Symposium on Security and Privacy (2013)Google Scholar
  17. 17.
    Schiffman, N., Greist-Bousquet, S.: The effect of task interruption and closure on perceived duration. Bulletin of the Psychonomic Society 30(1), 9–11 (1992)CrossRefGoogle Scholar
  18. 18.
    Shi, E., Niu, Y., Jakobsson, M., Chow, R.: Implicit authentication through learning user behavior. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 99–113. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  19. 19.
    Steves, M., Chisnell, D., Sasse, A., Krol, K., Theofanos, M., Wald, H.: Report: Authentication Diary Study. NISTIR 7983 (2014),
  20. 20.
    Thorpe, J., van Oorschot, P.C., Somayaji, A.: Pass-thoughts: Authenticating with our minds. In: 2005 Workshop on New Security Paradigms, pp. 45–56. ACM (2005)Google Scholar
  21. 21.
    Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: 8th USENIX Security Symposium, vol. 99. McGraw-Hill (1999)Google Scholar
  22. 22.
    Zurko, M.E., Simon, R.T.: User-centered security. In: 1996 Workshop on New Security Paradigms, pp. 27–33. ACM (1996)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • M. Angela Sasse
    • 1
  • Michelle Steves
    • 2
  • Kat Krol
    • 1
  • Dana Chisnell
    • 3
  1. 1.Department of Computer ScienceUniversity College LondonLondonUK
  2. 2.U.S. Dept. of CommerceNational Institute of Standards and TechnologyUSA
  3. 3.UsabilityWorksBostonUSA

Personalised recommendations