Assessing Usable Security Of Multifactor Authentication

Journal of Internet Technology and Secured Transactions (JITST), Volume 4, Issue 4, December 2015

Assessing Usable Security of Multifactor Authentication

Maha M. Althobaiti, Pam Mayhew
School of Computing Science, University of East Anglia
Norwich, England

Abstract

Authentication mechanisms are the typical method of securing financial websites. Context authentication has become increasingly important in the arena of online banking, which involves sensitive data belonging to users who trust their banks. Multifactor authentication is the most commonly used method of strengthening the log-in process in e-banking. However, developing a usable and secure authentication approach remains one of the most challenging areas for researchers in the fields of security and Human-Computer Interaction (HCI). This paper presents our new approach for authenticating users who access online banking by giving them the opportunity to choose their preferred method of logging in to e-banking. In an experiment with 100 online banking customers, we simulated an original online banking platform based on the proposed approach and then evaluated the usability and security of three different methods (fingerprint, secure device and card reader). The initial results indicate that the new system model was able to assess the usability and security of different multifactor authentication methods, and it is considered a first attempt towards a usable [...] Fingerprints are considered the most usable and secure method from users' perspectives.

1. Introduction

Banking websites are considered high risk, and overall security is their primary concern, as they deal with customers' personal accounts, transaction histories and card data.
Security has also become an important issue in the last several years because the number of banking users has increased; for example, in the United Kingdom, approximately 25 million people used e-banking in 2012 [1]. Authentication mechanisms are the access keys to financial services: they verify users' identities, so they are highly important. Most often, the level of website security depends on the strength of the site's authentication mechanism. [...] authentication to provide strong and secure authentication. It is extremely important to bank owners that user security and the usability of banking systems be ensured. However, maintaining user security can also be problematic, because users tend to prefer authentication methods that are simple and, therefore, less secure. Authentication is one of the research fields that explores the conflict between security and usability [2]. Experts in the fields of Human-Computer Interaction (HCI) and security have addressed this conflict and defined a new field of study on usability and security ('usable security'). Whitten and Tygar [3] defined usable security as the user's ability to identify the security tasks to be performed, to perform them without making harmful errors and to be confident with the system interface. The Computing Research Association [4] identified Human-Computer Interaction Security (HCI-SEC) as one of the "Four Grand Challenges in Trustworthy Computing".

Copyright 2015, Infonomics Society

Few research works and publications have examined the usability and security of authentication mechanisms empirically [5]. Our work narrows this gap: this paper describes an empirical study that we designed and conducted with several parallel goals.

First: we propose a new authentication approach for e-banking.
This approach allows the user to choose the preferred method of authenticating to the online bank.

Second: we apply our methodology to evaluate the authentication method and process by integrating usability criteria with security criteria related to the user's role during the authentication process in online banking.

Third: we assess the usability of three different multifactor authentication methods (fingerprint, secure device and card reader) based on each user's real experience with each method, so that more accurate results can be gained.

2. Related Work

An authentication mechanism is a security service that distinguishes between authorised and unauthorised users. Generally, authentication methods are categorised by the factor used: knowledge-based authentication uses factors such as a PIN or password, token-based authentication uses cards or secure devices, and biometric authentication uses fingerprints. The use of more than one factor is called multifactor authentication; most e-banking systems today use it to strengthen the verification process. Usability and security are both essential for any secure system or product, including authentication methods, and they should go hand in hand: usability is concerned with easy access to a system and security with secure access to it. Few previous studies have empirically focused on the usability and security of multifactor authentication. For example, Weir et al. [6] compared three different token devices as multifactor authentication methods in an experiment with 50 e-banking customers, comparing their security, usability and convenience. The devices were a card-activated token, a push-button token and the chip-and-PIN method. The results showed that users considered card-activated tokens usable and secure but found the chip-and-PIN method less usable [6]. Our study aims to find a new, usable and secure approach to authenticating users. In addition, we evaluate the security and usability of three kinds of multifactor authentication methods (secure device, card reader and fingerprint) that differ from those used in Weir et al.'s study [6].

3. Approach

Typical online banking provides the user with a single multifactor authentication method. Therefore, our approach first aimed to provide the user with more than one authentication method. Fig. 1 shows the proposed approach model, which includes clear steps for the authentication process. Second, we aimed to provide a realistic experience. In the domain of usability studies, the aim is usually to encourage users to behave as they do in the real world so that the most accurate results can be obtained. Moreover, dealing with sensitive data, and with banking websites in particular, requires more effort to encourage users to interact securely, as if they were dealing with their own information in the real world. To achieve the second goal, we simulated a real online banking system and used the researchers' own information (card and token).
We hoped this would encourage users to behave securely.

Figure 1. Proposed approach

3.1. Study Questions

The experiment was designed to answer the following questions:
- Is there a new, usable and secure approach to authentication?
- What is the most desirable authentication method employed by online banking users?
- What are the differences between a fingerprint, a secure device and a card reader in terms of usability, security and trustworthiness from users' perspectives?

3.2. System Design and Study Materials

For the experimental study, a system was programmed to simulate an existing online banking system in the United Kingdom (HSBC), following the proposed authentication scenario model in Figure 1. The simulated system provided the user with three kinds of authentication methods (secure device, card reader and fingerprint). HSBC Bank originally used one method, a secure device, and the secure device used in this study belongs to the researcher's account with HSBC. The fingerprint reader used in the study is a SecuGen Hamster Plus, and the card reader belongs to the researcher's account with Barclays Bank (see Figure 2). The other items used for this experiment include a consent form, an electronic survey, a scenario sheet and an observation sheet.

Figure 2. The methods used

3.3. Study Procedure

- We recruited 100 users in total for our experiment by advertising it in the main library of the University of East Anglia.
- Each user was asked to sign a consent form and was informed that he or she would need to make a payment using the researchers' account and that this transaction would be recorded.
- Each user was given a specific ID, and each chose his or her preferred method to log into the website and access the account page (see Figure 3).
- Each user utilised all three methods: the first method to log into the system, the second to make the payment and the third to confirm personal information in order to receive a receipt.
- Based on the user's choice, a scenario with detailed information about the payment was given to the user to follow.
- At the end of the experiment, the users were asked to complete an online questionnaire to evaluate all the methods involved.
- Finally, each user was thanked and given 5 as a reward for participating.

Figure 3. Home page for the simulated system

3.4. Study Scenarios

Three different scenarios were prepared, based on the user's choice of first method. For example, if the user's first choice was fingerprint, then he or she was required to use a secure device to confirm the transaction and a card reader to receive the receipt via an email address. The three scenarios are shown in Table 1. The reason for this design is that each user who participated in the study finished with real experience of three different methods and could therefore fill in the survey and evaluate each method based on recent, real experience with all of them. Each scenario contained all the details the user needed to perform the task. The task was to log in using an ID, a security question and the proposed second method. The user then followed the requested task of transferring a certain amount of money to a specific person, given all the details for the transfer. By the end, the user needed to confirm the payment and enter a given email address to receive a receipt.

Table 1. Scenarios' design

              Log in          Confirm payment   Receive receipt
Scenario 1    Fingerprint     Secure device     Card reader
Scenario 2    Secure device   Fingerprint       Card reader
Scenario 3    Card reader     Fingerprint       Secure device

4. Assessment Methodology

Our assessment approach arose from the need to evaluate each method and from the lack of an existing model for evaluating the authentication process, as most studies apply standard usability methods. We developed our approach by integrating existing evaluation criteria for usability with security criteria based on users' awareness of security indicators. These criteria are described below.

4.1. Usability Metrics

In the current experiment, usability was assessed in terms of efficiency, effectiveness and satisfaction. Efficiency was measured by calculating the time required to use each method. Effectiveness was measured by task completions and the number of requests for help, either by clicking the help link or by asking the observer. Satisfaction was measured through the data collected from the questionnaire, whose factors were based on Nielsen's definition of usability [7]. The usability attributes from Nielsen's definition are learnability, efficiency, memorability, errors and satisfaction. We added two further attributes that are required for a secure system: security and trustworthiness.

4.2. Security Metrics

In the current study, security was measured by assessing attention, caution, motivation, wariness and satisfaction. Attention was measured by observing whether users noticed the missing 'Secure Sockets Layer (SSL)' indicator in the address bar. Caution was measured by observing users' interaction with requests for sensitive information, such as entering an email address on an insecure page. Motivation was measured by observing users during their interaction with the authentication methods and whether they proceeded with providing a fingerprint and continuing the authentication process. Wariness was measured by observing users' interaction with, behaviour towards and understanding of a warning message shown during the authentication process; the warning message used in this study concerned the absence of a security certificate. Satisfaction was assessed through the data collected from the questionnaire after the experiment.

5. Data Collection

Data were collected in three different ways. The first was our database: the website created a table scheme to record users' responses to the various options selected or clicked while browsing the web page. The strategy for capturing responses was to set every expected response to FALSE (0) by default and update it to TRUE (1) when the user selected that option. The second was an observation sheet, which the experimenter used as she sat with each participant during the evaluation session to record any difficulties with any of the methods and any comments from participants. The last instrument was the questionnaire, an online survey containing closed-ended and open-ended questions in four sections. The first section had ten general information questions. The second section had 10 statements rated on a five-point Likert scale (1 strongly agree to 5 strongly disagree); each rating was repeated for the three methods used. The third section had four questions asking participants to rank the three methods in terms of preference, ease of use, security and trustworthiness. The last section consisted of open-ended questions asking participants what they liked and disliked about the methods used.

6. Results and Discussion

In this section, we present our results and a preliminary analysis of them, combined with a discussion of each finding. We present the demographic data first, followed by the usability and security results.

6.1. Respondents' Profile

One hundred users participated in our experiment: 50 female and 50 male (see Table 2 for demographic data). The participants were of different nationalities, but the majority (78%) were British. The participants belonged to different age groups, levels of education and schools of study. All the subjects had used the Internet for more than three years.
Based on this, we can assume that the IT literacy of respondents was high. Regarding the use of online banking, 3% of our subjects had a bank account but had not used online banking before, while 97% had used online banking before. More specifically, 12 participants had used online banking for less than one year, 54 participants had used it for between one and three years, and 31 had used it for more than three years. In general, we consider this a positive finding, as our subjects had previous experience with online banking. We also investigated whether the subjects had an account with our simulated bank, HSBC, and found that 40% of them did. Moreover, we investigated whether the subjects had experience in the domain of security: 12% of them had such experience, while 88% had none. This allows us to compare the results of those with and without security experience and to observe their interaction more carefully.

Table 2. Demographic data

Gender
  Female                          50
  Male                            50
Age
  18 – 25                         65
  26 – 30                         10
  31 – 35                         20
  Above 35                       [...]
Education
  [...]
  [...]'s Degree                  10
  PhD                              5
Internet usage
  More than three years          100
Online banking usage
  Less than one year              12
  One – three years               54
  More than three years           31
Monthly usage of online banking
  0 – 3 times                     34
  4 – 7 times                     32
  More than 7 times               30
Security experience
  Yes                             12
  No                              88

6.2. Usability Results

Regarding efficiency, we measured the time spent learning each method by calculating the time between opening the page and the first click on the required button. Fingerprint was the fastest method in terms of learning (mean: 5.7 s) compared with the secure device and the card reader. The reason is that fingerprinting does not require several buttons to be clicked or numbers to be generated: it has one step, scanning a finger on the device. For effectiveness, all participants completed the required task and finalised the requested steps in the scenario.
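As an added illustration, not code from the study, the following Python script shows how the efficiency and effectiveness measures of Section 4.1 and the attention, caution and wariness indicators of Section 4.2 can be derived from the kind of per-option response table described in Section 5, in which every expected response starts at 0 and is set to 1 when the behaviour is observed. The CSV layout, the field names and the nine sample rows are constructed for this example and are not the study's data; the measures themselves follow the definitions in Sections 4.1 and 4.2.

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# The three methods evaluated in the study.
METHODS = ("fingerprint", "secure_device", "card_reader")

# Constructed sample log, not study data. One row per participant per method
# (one row for each of the three scenario steps). The numeric flags follow the
# capture scheme of Section 5: 0 by default, set to 1 when the behaviour was
# observed. warning_response is empty unless the certificate warning was shown
# on that step. All field names are assumptions made for this example.
SAMPLE_LOG = """\
participant,method,page_open_ms,first_click_ms,task_completed,help_requests,noticed_missing_ssl,typed_email_insecure,warning_response
1,fingerprint,1000,6500,1,0,0,0,
1,secure_device,20000,38000,1,1,0,0,
1,card_reader,60000,80000,1,0,0,1,ok
2,secure_device,1000,15000,1,0,0,0,
2,fingerprint,30000,35000,1,0,0,0,
2,card_reader,50000,72000,0,2,0,0,cancel
3,card_reader,1000,25000,1,1,0,0,
3,fingerprint,40000,45500,1,0,1,0,
3,secure_device,70000,86000,1,0,0,1,ok
"""


def parse_log(text):
    """Parse the CSV log into typed records, rejecting unknown methods."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["method"] not in METHODS:
            raise ValueError(f"unknown method: {row['method']}")
        records.append({
            "participant": int(row["participant"]),
            "method": row["method"],
            # Learning time (Section 4.1): page open to first click, in seconds.
            "learn_time_s": (int(row["first_click_ms"]) - int(row["page_open_ms"])) / 1000,
            "task_completed": int(row["task_completed"]),
            "help_requests": int(row["help_requests"]),
            "noticed_missing_ssl": int(row["noticed_missing_ssl"]),
            "typed_email_insecure": int(row["typed_email_insecure"]),
            "warning_response": row["warning_response"],
        })
    return records


def efficiency(records):
    """Mean learning time in seconds per method (efficiency, Section 4.1)."""
    times = defaultdict(list)
    for r in records:
        times[r["method"]].append(r["learn_time_s"])
    return {m: round(mean(times[m]), 2) for m in METHODS if times[m]}


def effectiveness(records):
    """Task-completion rate and total help requests per method (Section 4.1)."""
    result = {}
    for m in METHODS:
        rows = [r for r in records if r["method"] == m]
        if rows:
            result[m] = {
                "completion_rate": sum(r["task_completed"] for r in rows) / len(rows),
                "help_requests": sum(r["help_requests"] for r in rows),
            }
    return result


def security_indicators(records):
    """Attention, caution and wariness across participants (Section 4.2).

    attention:        share of participants who noticed the missing SSL indicator
    caution_failures: share who typed an e-mail address into the insecure page
    wariness:         share of certificate warnings answered with Cancel, not OK
    """
    participants = {r["participant"] for r in records}
    noticed = {r["participant"] for r in records if r["noticed_missing_ssl"]}
    typed = {r["participant"] for r in records if r["typed_email_insecure"]}
    answers = [r["warning_response"] for r in records if r["warning_response"]]
    return {
        "attention": len(noticed) / len(participants),
        "caution_failures": len(typed) / len(participants),
        "wariness": answers.count("cancel") / len(answers) if answers else None,
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("efficiency (mean s):", efficiency(recs))
    print("effectiveness:", effectiveness(recs))
    print("security indicators:", security_indicators(recs))
```

Running the script prints the per-method learning-time means, completion rates and help counts, and the three security rates; the same functions would run unchanged over an export of a real response table once its columns are mapped to these assumed names. Satisfaction is deliberately left out, since it comes from the questionnaire rather than from the response table.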
Regarding satisfaction, the researchers have so far conducted a preliminary analysis of the data, which has yielded some very promising results. The data were analysed using SPSS, and the users' responses to the ten statements rating the three methods (fingerprint, secure device and card reader) were examined. The results showed that there is a positive relationship between using a fingerprint and the level of security and usability. Table 3 shows the mean values from the Likert scale for each method and indicates that users feel that the fingerprint method is the most usable, the most secure and the most trustworthy. This means that, when the fingerprint was used, the level of usability and security increased. Regarding the last section of questions, which asked the users to rank each method in terms of preference, ease of use, security and trustworthiness, the fingerprint was also the method most preferred by the users.

Table 3. Mean differences between methods

                 Fingerprint   Secure device   Card reader
[...]
Trustworthy      3.96          3.74            3.85

6.3. Security Results

As mentioned previously, five criteria assessed the security level of the authentication process for each method by examining users' awareness of, and behaviour towards, the presented security indicators. Regarding attention to the missing SSL indicator, that is, the absence of a security icon and of https in the address bar, none of the 100 users recognised the absence of SSL, even though 12 of the 100 users had indicated that they had experience in the domain of security. This reveals that users' attention to, and understanding of the importance of, an SSL connection is very low. Caution was measured by observing users' willingness to type and provide an email address on an insecure page. During the experiment, all the participants typed an email address into the insecure page without any concern, which also indicates a weak understanding of the harm that could result. Regarding motivation, which measured users' responses to the request to use each authentication method, those who used the secure device were happy to use the method and complete the authentication process. Of those who used the card reader, 14 hesitated to use the original card. Those who used the fingerprint seemed to enjoy the experience, although three of the 100 wondered whether their fingerprint would be saved in the website database; their caution about providing their fingerprint was thus not due to working on an insecure page but to wariness that it would be used in other ways. Finally, wariness was measured by observing users' responses to the warning message about the missing security certificate. In this step, we obtained results both from the table schema created to record responses and from the observation sheet. The results indicate that 85% of users pressed the OK button, meaning that they continued the process without any wariness, while 15% pressed Cancel to avoid harm or danger. From the observation sheet, the experimenter was able to divide the participants' responses to the warning message into seven groups:

- Those who were confused after reading the message and decided not to go further (1 user).
- Those who read the message very carefully and tried to understand its content (16).
- Those who hesitated to proceed with the process (7).
- Those who requested help from the observer (5).
- Two who decided to discontinue their work.
- One user who tried to find instructions to help him decide.
- Finally, 68 users who were not concerned and ignored the message.

Generally, the results indicate that the participants' level of attention, caution, wariness and motivation for security during authentication is weak. In addition, their background regarding the security of online banking appears to be very low, even though all of them are online banking users.

7. Conclusion

The presented study proposed an approach for evaluating different multifactor authentication methods by giving users the freedom to choose their preferred method to authenticate themselves while banking online.
Our methodology, which required each user to use three different methods, was successful and resulted in an experiment that gives each user a realistic experience with each method, so that he or she can rate each of them and an accurate result can be obtained. Moreover, the study's methodology proposed the integration of usability metrics with security metrics related to users' awareness of security indicators. The results from the experiment indicate that fingerprinting was the most usable and secure method from the users' point of view. Finally, the users' level of understanding of security indicators is very low, based on their observed reactions to the security features presented in the study.

8. References

[1] Hyde, D. (2012). Hackers crack new online banking security putting 25m people at risk. This is Money. Available from: 096060/Hackerscracknew-online. [Accessed 13/12/2014].
[2] Nodder, C. (2005). Users and trust: A Microsoft case study. In: Cranor, L., Garfinkel, S., editors. Security and Usability. O'Reilly; pp. 589–606 [chapter 29].
[3] Whitten, A., and Tygar, J.D. (1999). Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In: Proceedings of the 8th USENIX Security Symposium, 1999.
[4] Computing Research Association (2003). "Four Grand Challenges in Trustworthy Computing". Final report of the CRA Conference on Grand Challenges in Information Security and Assurance, Airlie House, Warrenton, Virginia, November 16–19.
[5] Piazzalunga, U., Savaneschi, P., and Coffetti, P. (2005). The usability of security devices. In: Cranor, L., Garfinkel, S., editors. Security and Usability. O'Reilly; pp. 221–242 [chapter 12].
[6] Weir, C.S., Douglas, G., Carruthers, M., and Jack, M. (2009). User perceptions of security, convenience and usability for ebanking authentication tokens. Computers & Security, 28(1).
[7] Nielsen, J. (1993). Usability engineering. San Francisco: Morgan Kaufmann.
