
Ullah et al. Journal of Internet Services and Applications 2014

RESEARCH Open Access

Evaluating security and usability of profile based challenge questions authentication in online examinations

Abrar Ullah*, Hannan Xiao, Trevor Barker and Mariana Lilley

Abstract

Student authentication in online learning environments is an increasingly challenging issue due to the inherent absence of physical interaction with online users and potential security threats to online examinations. This study is part of ongoing research on student authentication in online examinations evaluating the potential benefits of using challenge questions. The authors developed a Profile Based Authentication Framework (PBAF), which utilises challenge questions for students’ authentication in online examinations. This paper examines the findings of an empirical study in which 23 participants used the PBAF including an abuse case security analysis of the PBAF approach. The overall usability analysis suggests that the PBAF is efficient, effective and usable. However, specific questions need replacement with suitable alternatives due to usability challenges. The results of the current research study suggest that memorability, clarity of questions, syntactic variation and question relevance can cause usability issues leading to authentication failure. A configurable traffic light system was designed and implemented to improve the usability of challenge questions. The security analysis indicates that the PBAF is resistant to informed guessing in general, however, specific questions were identified with security issues. The security analysis identifies challenge questions with potential risks of informed guessing by friends and colleagues.
The study was performed with a small number of participants in a simulation online course and the results need to be verified in a real educational context on a larger sample size.

Keywords: Security; Usability; Online learning; Online examination; E-learning; MOODLE; Challenge questions; Authentication

1. Introduction

This study investigates student authentication in online learning and examinations. Student identification in online learning is largely reliant upon remote authentication mechanisms. The absence of face-to-face identification can make online learning and high stakes examinations vulnerable to a number of authentication threats and therefore, the security of online learning environments is highly important. Online learning offers a number of advantages including availability, reliability, flexibility and reusability [1,2]. Besides the anticipated benefits of online learning, it has some limitations including the security of online examinations as one of the major concerns.

* Correspondence: abrar.ullah@gmail.com
School of Computer Science, University of Hertfordshire, College Lane, Hatfield AL10 9AB, UK

In typical online environments, examination is an integral part of the learning process. In online examinations, face-to-face invigilation is often replaced with authentication systems and therefore, security becomes a critical factor with regard to their credibility. Secure authentication is particularly relevant to the success of high stakes online examinations. Effective authentication approaches are important to ensure secure, reliable and usable student authentication mechanisms in an online learning and examinations context. The implementation of a reliable and secure approach to students’ authentication is vital to ensure trust of the stakeholders in the assessment process.
It has been an active research area and a number of authentication techniques have been implemented in order to ensure secure online examinations. A diverse set of authentication techniques have been developed in earlier research work, which verify online identities based on knowledge or “What one knows” [3], possession of objects or “What one has” [4] and biometrics or “What one is” [5].

© 2014 Ullah et al.; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.

In our earlier study [6], we developed the Profile Based Authentication (PBAF) approach for student authentication in online examinations and presented a usability analysis of using challenge questions as a second factor authentication. The results of this study have been presented [7]. In them, we discussed the impact of the clarity and memorability of questions on effectiveness of the PBAF method. The study [7] also analysed participants’ feedback through an online survey to determine various usability attributes as well as user satisfaction.

The current paper further explores the strengths and weaknesses of the PBAF method in terms of usability, security and the effect of question design on the overall authentication process. In addition to the above, this paper presents a detailed analysis of the security of the PBAF method in a follow-up guessing authentication attack to risk assess and mitigate any threat. Participants of the follow-up abuse case scenario were selected from the original users group, who participated in the previous phases of the study. The guessing attack was performed to analyse the resilience of challenge questions to informed guessing by friends and colleagues. The findings also contributed to the design and implementation of a traffic light system in the PBAF.

The structure of the paper is organised into 5 sections. The paper starts with an introduction to online learning, examination and authentication challenges in Introduction. The work background and literature review is presented in Background and related work. The research methodology including empirical design, participant recruitment and empirical implementation phases are presented in Study design and methodology. The results, analysis and findings of empirical investigations are discussed in Results.
The concluding remarks including work summary and future directions are presented in Conclusion.

2. Background and related work

The online examination is an important feature and critical asset of online learning [8]. A number of previous studies have acknowledged that student authentication in online examinations faces many security threats. Unethical conduct has been growing in online learning due to uncontrolled environment in online examinations as a result of use of technology and the Internet [9,10]. Agulla [9] suggests that it can be a real challenge to verify the identity of an individual in an online environment without any physical interaction. Colwell and Jenks [11] argue that online examinations are more vulnerable to academic dishonesty than traditional face-to-face examinations. A large number of authentication techniques have therefore been developed, which can be implemented to enhance the security of online examinations. The traditional authentication techniques are classified into three categories:

- Knowledge Based Authentication (KBA) e.g. login-identifier and password, passphrase, challenge questions
- Object Based Authentication (OBA) e.g. smart cards, ID cards
- Characteristics Based Authentication (CBA) or Biometrics e.g. fingerprint, audio or voice recognition, signature recognition and face recognition.

The above authentication techniques have their strengths and weaknesses in terms of cost, usability and security, when applied to online learning environments [6]. KBA are the most prevalent, cost effective and widely accepted approaches [12]. However, KBA approaches can be vulnerable to security attacks including collusion, guessing, lost credentials, dictionary attacks and brute-force attacks [3]. The OBA approaches are widely used in banking, transports, hotels and parking areas, with a potential for use in online learning [13]. The OBA features may be useful to resist adversaries’ attacks.
However, the authentication objects can be shared, lost or stolen for use in authentication attacks. The OBA features require special purpose input devices, which incurs additional cost. The use of special purpose input devices may limit the implementation of OBA in online learning environments. The CBA approaches free individuals from remembering passwords and carrying cards. An individual’s physical or behavioural characteristics are a key to the identification and therefore, CBA (biometrics) are seen as the most reliable authentication features [14]. The CBA features also require special purpose input devices for recording and authentication, which incurs additional cost. The special purpose input devices may limit the scope of CBA implementation in a wider Internet context. The CBA approaches have been reported with algorithm challenges like False Accept Rate (FAR), False Reject Rate (FRR), Equal Error Rate (EER), Failure to Enrol Rate (FER) and Failure to Capture Rate (FCR) [15].

In light of the above discussion, it is desirable to develop an authentication feature, which is secure, cost effective and accessible to a large online population using standard input devices. The authors designed and developed the PBAF method, which implements challenge questions coupled with login-identifier and password features for authentication purposes. The PBAF approach is chosen for a number of reasons. Primarily, the PBAF integrates learning and the examination process, whereby answers to profile questions collected in the learning process are utilised to authenticate students in the examination process. Unlike biometrics and object based methods, the PBAF, being a knowledge-based method, can be implemented to cover a large online population using standard input devices. The design, development, implementation and maintenance of the PBAF method can be cost effective. In our previous work, we:

- implemented the PBAF method in an online learning environment, to authenticate students, firstly at a course access level and secondly at examination access level [6].
- organised an empirical study to research the usability of the PBAF method in terms of memorability of questions, clarity of questions, syntactic variation and implementation of a traffic light system [7].
- performed an in-depth analysis of the design of questions and their impact on the usability attributes. The study reported an analysis of completion time of the profile questions and the results of a post study survey to present participants’ feedback on layout and usability [16].

The challenge questions are a key to the PBAF approach and are designed to be reliable and unique as they pertain to information known to individual users. It is widely seen as a credential recovery technique [17]. Challenge questions are also employed for customer verification in online and telephone banking [18]. In a recent study, Just and Aspinall [19] reviewed the use of challenge questions as a second factor authentication in 10 UK banks, which indicated that the method was reliable and used for the security of monetary transactions in financial institutions.

Besides the anticipated benefits, challenge questions have some limitations. Some studies have reported usability and security issues related to the use of challenge questions in credential recovery [17,20]. In [17], it is also argued that the collection of sensitive information about users can raise privacy and ethical issues.
The usability of any authentication approach is highly important for reliability and security. It is recognized that the memorability of challenge questions and lack of clarity may cause security and usability issues [7,21].

From the above discussion, it is evident that challenge questions can be useful as a second factor authentication. However, to achieve effective authentication using the PBAF method in online examinations, usability and security issues need to be investigated.

2.1 Profile based authentication

The PBAF is a multi-factor knowledge based authentication approach, which utilises login-identifier and password and challenge questions. It integrates the learning and examination processes, whereby answers to profile questions collected during learning activities are utilised for authentication in the examination process.

Using the PBAF method, students are provided with a unique login-identifier and password for logging into the learning environment. After successful login, students are required to answer profile questions in order to gain access to learning resources. The profile questions are used to collect answers in order to build and update individuals’ profiles. The profile is a student’s description in the form of questions and answers. It is anticipated that learning is a recurrent activity and the students’ profiles are consolidated in multiple visits. The secondary authentication process is triggered when students request to access an online examination. They are then required to provide matching answers to a set of challenge questions randomly selected from their profiles. The PBAF being a knowledge-based method can be implemented to cover a large online population and may provide adequate security against many authentication attacks. The PBAF was implemented on a Modular Object Oriented Dynamic Learning Environment (MOODLE) Learning Management System (LMS) for the purpose of this empirical study.
MOODLE is a free source environment with a modular and extendable structure. A brief description of how the PBAF approach to student authentication works can be found below:

- PBAF Setup: The PBAF provides a configurable web interface. This is used to add pre-designed questions to the library for use as profile and challenge questions. The number of profile and challenge questions requested at learning and authentication phases are configurable items in this interface.
- Profile Questions: Profile questions are presented to students in order to build their profiles. Each profile question is presented to each individual student once. The profile questions are a subset of pre-designed questions added in the PBAF setup. Students are required to supply answers to these questions on each visit to obtain access to learning resources.
- Challenge Questions: The PBAF generates and presents random challenge questions when access to online examination is requested. The student registers n profile questions, and is presented with t ≤ n challenge questions upon authentication [7,22]. To an individual student, r = t challenge questions must be answered correctly in order to access online examination. However, if an error tolerant traffic light system is implemented, it is sufficient to answer r ≤ t challenge questions correctly in order to access online examination. The challenge questions are randomized using a random floating-point value v in the range 0 ≤ v < 1.0, which is generated by MySQL database [23]. The students’ answers to challenge questions are authenticated and a timestamp is stored with individual questions in their respective profiles to exclude questions presented within the past 24 hours.
- Traffic Light System: To relax the authentication constraints for enhanced usability, a traffic light system is embedded in the PBAF. The traffic light system authenticates users based on the number of correct answers to challenge questions. A three scale classification is adopted to authenticate users, which are red, amber and green. Users in the red classification are locked out and denied access to examination. Users in the amber classification are presented more challenge questions to re-authenticate and users in the green classification are granted access to examination.
- Authentication: The authentication algorithm implements string-to-string comparisons to match the answers with the stored information. In earlier studies, researchers used a combination of algorithms for comparative analysis. In their work Schechter et al. [20] implemented an equality algorithm for string-to-string comparison, substring algorithms, and distance algorithms were also used. In another study, Just and Aspinall [24] proposed guidelines for designing usable and secure challenge questions which recommended removing white spaces, punctuation and capitalization for enhanced usability. The PBAF method implements the equality algorithm for exact match without the pre-processing of answers. The equality algorithm was chosen for better security and to use the results as a benchmark, which could be compared with those from revised algorithms to be investigated in future stages of this research. The nature of this algorithm means that students are allowed to access online examinations only if they provide exact answers to their challenge questions.
  The PBAF method implements randomization of questions during multiple attempts and poses questions which were not previously presented in the last 24 hours, in order to be effective against security threats including brute-force guessing attacks [25]. A specific number of incorrect answers to challenge questions locks out the user from further attempts and requires administrator intervention to unlock the account.

3. Study design and methodology

The aim of this study was to analyse the usability and security of the PBAF method in the context of online examinations. A set of 20 questions was compiled to cover the academic, personal, contact, favourite and date themes. The experiment was performed in an online environment and the empirical design and methodology was approved by the University of Hertfordshire’s research ethics committee. The study was conducted to test the following hypotheses:

- The PBAF meets standard usability criteria of efficiency and effectiveness.
- The traffic light system enhances the usability of PBAF method by relaxing authentication constraints.
- The PBAF is secure against informed guessing attacks by friends and colleagues.

The above hypotheses were framed to analyse the usability attributes, which were informed by research work in the domain of usability and software quality [26,27]. Bevan [28] states that usability and quality complement each other and that usability is quality in use. As in [27], the quality factors include efficiency, effectiveness, satisfaction, accessibility, productivity, safety and international-ability. In a similar vein, Nielsen [29] defines usability as a property with multiple dimensions each consisting of different components. He also suggests that the different factors can conflict with each other. Nielsen defined a number of usability factors including learnability, efficiency, memorability, errors, and satisfaction.
Learnability defines how well a new user can use the system, while the efficient use of the system by an expert is expressed by efficiency. Effectiveness is the degree of accuracy and completeness with which the user achieves a specified task in a certain context [20]. If a system is used occasionally the factor memorability is used, which dictates effectiveness. Satisfaction is a qualitative attribute which largely depends upon users’ feedback based on the effective and efficient use of the artefact. The authors evaluate applicable usability attributes in the context of online learning and examinations, which include efficiency, effectiveness, satisfaction and memorability of questions. In previous studies, the authors evaluated user satisfaction [16] and memorability [7] attributes, while this work analyses the efficiency and effectiveness of challenge questions used in the PBAF.

Previous research suggests that challenge questions can be vulnerable to guessing attacks by friends and colleagues [20,25]. Just and Aspinall [22] describe guessing in three categories, which are “Blind guessing”, “Fo
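
The challenge question selection, exact-match comparison and traffic light classification described in section 2.1, as an added Python example; it is not the PBAF's MOODLE code. The thresholds (green_min, amber_min), the single amber retry, every function name and the sample profile are assumptions made for illustration.

```python
import hmac
import random
import string
from datetime import datetime, timedelta

RECENT = timedelta(hours=24)  # questions shown in the past 24 hours are excluded

def select_challenges(profile, t, now, rng):
    """Pick t of the n registered questions at random, skipping recent ones."""
    eligible = [q for q, rec in profile.items()
                if rec["last_shown"] is None or now - rec["last_shown"] >= RECENT]
    if len(eligible) < t:
        raise ValueError("fewer than t questions are eligible")
    # Give each question a random float 0 <= v < 1.0, order by it, take t.
    chosen = sorted(eligible, key=lambda _q: rng.random())[:t]
    for q in chosen:
        profile[q]["last_shown"] = now  # timestamp stored with the question
    return chosen

def exact_match(stored, given):
    """Equality algorithm: compare with no pre-processing of the answer."""
    return hmac.compare_digest(stored.encode(), given.encode())

def normalised_match(stored, given):
    """Relaxed variant: ignore white space, punctuation and capitalisation."""
    drop = str.maketrans("", "", string.whitespace + string.punctuation)
    return exact_match(stored.translate(drop).lower(),
                       given.translate(drop).lower())

def traffic_light(correct, green_min, amber_min):
    """Three-scale classification by number of correct answers."""
    if correct >= green_min:
        return "green"
    return "amber" if correct >= amber_min else "red"

def ask_round(profile, answer_fn, t, now, rng, match):
    """Present t challenge questions; return how many were answered correctly."""
    asked = select_challenges(profile, t, now, rng)
    return sum(match(profile[q]["answer"], answer_fn(q)) for q in asked)

def authenticate(profile, answer_fn, now, rng, t=3, green_min=3, amber_min=2,
                 match=exact_match):
    """Return 'green' (access) or 'red' (locked out). The thresholds and the
    single amber retry are assumptions, not values taken from the PBAF."""
    light = traffic_light(ask_round(profile, answer_fn, t, now, rng, match),
                          green_min, amber_min)
    if light == "amber":  # amber: present more questions and re-authenticate
        again = ask_round(profile, answer_fn, t, now, rng, match)
        light = "green" if again >= green_min else "red"
    return light

def make_profile():
    """Constructed sample profile (n = 8); questions and answers are made up."""
    answers = {"Favourite module?": "Networks", "Town of birth?": "Hatfield",
               "First school?": "St Mary's", "Best friend's surname?": "Khan",
               "Favourite sport?": "Cricket", "Mother's first name?": "Amina",
               "Month you enrolled?": "September", "Favourite author?": "Orwell"}
    return {q: {"answer": a, "last_shown": None} for q, a in answers.items()}

if __name__ == "__main__":
    now, rng, base = datetime(2014, 1, 1, 9, 0), random.Random(7), make_profile()
    varied = lambda q: base[q]["answer"].upper() + " "  # syntactic variation
    print(authenticate(make_profile(), lambda q: base[q]["answer"], now, rng))
    print(authenticate(make_profile(), varied, now, rng))
    print(authenticate(make_profile(), varied, now, rng, match=normalised_match))
    print(authenticate(make_profile(), lambda q: "guess", now, rng))
```

The second and third calls give the same genuine user different outcomes: the equality algorithm rejects answers that differ only in case and trailing white space, while the relaxed comparison accepts them.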
