A Field Study of User Behavior and Perceptions in Smartcard Authentication

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNISA, volume 6949)

Abstract

A field study of 24 participants over 10 weeks explored user behavior and perceptions in a smartcard authentication system. Ethnographic methods used to collect data included diaries, surveys, interviews, and field observations. We observed a number of issues users experienced while they integrated smartcards into their work processes, including forgetting smartcards in readers, forgetting to use smartcards to authenticate, and difficulty understanding digital signatures and encryption. The greatest perceived benefit was the use of an easy-to-remember PIN in replacement of complicated passwords. The greatest perceived drawback was the lack of smartcard-supported applications. Overall, most participants had a positive experience using smartcards for authentication. Perceptions were influenced by personal benefits experienced by participants rather than an increase in security.

Keywords

  • Human factors
  • multi-factor authentication
  • security
  • smartcard


Copyright information

© 2011 IFIP International Federation for Information Processing

About this paper

Cite this paper

Paul, C.L., Morse, E., Zhang, A., Choong, YY., Theofanos, M. (2011). A Field Study of User Behavior and Perceptions in Smartcard Authentication. In: Campos, P., Graham, N., Jorge, J., Nunes, N., Palanque, P., Winckler, M. (eds) Human-Computer Interaction – INTERACT 2011. INTERACT 2011. Lecture Notes in Computer Science, vol 6949. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23768-3_1

  • DOI: https://doi.org/10.1007/978-3-642-23768-3_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23767-6

  • Online ISBN: 978-3-642-23768-3

  • eBook Packages: Computer Science, Computer Science (R0)