Usability of web authentication systems
Usability of web authentication systems refers to the efficiency and user acceptance of online authentication systems. Examples of web authentication systems are passwords, federated identity systems (e.g. Google oAuth 2.0, Facebook connect, Mozilla persona), email-based single sign-on (SSO) systems (e.g. SAW, Hatchet), QR code-based systems (e.g. Snap2Pass, WebTicket) or any other system used to authenticate a user's identity on the web. Even though the usability of web authentication systems should be a key consideration in selecting a system, very few web authentication systems (other than passwords) have been subjected to formal usability studies or analysis.
Usability and users
A web authentication system needs to be as usable as possible whilst not compromising the security that it needs to ensure. The system needs to restrict access by malicious users whilst allowing access to authorised users. If the authentication system does not have sufficient security, malicious users could easily gain access to the system. On the other hand, if the authentication system is too complicated and restrictive, an authorised user would not be able to (or want to) use it. Strong security is achievable in any system, but even the most secure authentication system can be undermined by the users of the system, often referred to as the "weak links" in computer security.
Users tend to inadvertently increase or decrease security of a system. If a system is not usable, security could suffer as users will try and minimize the effort required to provide input for authentication, such as writing down their passwords on paper. A more usable system could prevent this from happening. Users are more likely to oblige to authentication requests from systems that are important (e.g. online banking), as opposed to less important systems (e.g. a forum that the user visits infrequently) where these mechanisms might just be ignored. Users accept the security measures only up to a certain point before becoming annoyed by complicated authentication mechanisms. An important factor in the usability of a web authentication system is thus the convenience factor for the user around it.
Usability and web applications
The preferred web authentication system for web applications is the password, despite its poor usability and several security concerns. This widely used system usually contains mechanisms that were intended to increase security (e.g. requiring users to have high entropy passwords) but lead to password systems being less usable and inadvertently less secure. This is because users find these high entropy passwords harder to remember. Application creators need to make a paradigm shift to develop more usable authentication systems that take the user’s needs into account. Replacing the ubiquitous password based systems with more usable (and possibly more secure) systems could lead to major benefits for both the owners of the application and its users.
To measure the usability of a web authentication system, one can use the "usability–deployability–security" or "UDS" framework or a standard metric, such as the system usability scale. The UDS framework looks at three broad categories, namely usability deployability and security of a web authentication system and then rates the tested system as either offering or not offering a specific benefit linked to one (or more) of the categories. An authentication system is then classified as either offering or not offering a specific benefit within the categories of usability deployability and security.
Measuring usability of web authentication systems will allow for formal evaluation of a web authentication system and determine the ranking of the system relative to others. While a lot of research regarding web authentication system is currently being done, it tends to focus on security and not usability. Future research should be evaluated formally for usability using a comparable metric or technique. This will enable the comparison of various authentication systems, as well as determining whether an authentication system meets a minimum usability benchmark.
Which web authentication system to choose
It has been found that security experts tend to focus more on security and less on the usability aspects of web authentication systems. This is problematic as there needs to be a balance between the security of a system and its ease-of-use. A study conducted in 2015 found that users tend to prefer Single sign-on (like those provided by Google and Facebook) based systems. Users preferred these systems because they found them fast and convenient to use. Single sign-on based systems have resulted in substantial improvements in both usability and security. SSO reduces the need for users to remember many usernames and passwords as well as the time needed to authenticate themselves, thereby improving the usability of the system.
Other important considerations
- Users prefer systems that are not complicated and require minimal effort to use and understand.
- Users enjoy using biometrics and phone‐based authentication systems. However these types of systems require external devices to function, a higher level of interaction from users and need a fall back mechanism if device is unavailable or fails - which could lead to lower usability
- The current password system used by many web applications could be extended for better usability by using:
Usability will become more and more important as more applications move online and require robust and reliable authentication systems that are both usable and secure. The use of brainwaves in authentication systems have been proposed as a possible way to achieve this. However more research and usability studies are required.
- Christina Braz; Jean-Marc Robert (2006-04-18). "Security and Usability: The Case of the User Authentication Methods". ACM Digital Library. ACM New York, NY, USA. pp. 199–203. Retrieved 24 February 2016.
- Scott Ruoti; Brent Roberts; Kent Seamons. "Authentication Melee: A Usability Analysis of Seven Web Authentication Systems" (PDF). 24th International World Wide Web Conference. pp. 916–926. Retrieved 2016-02-24.
- Schneier, Bruce. "Balancing Security and Usability in Authentication". Schneier on Security. Retrieved 24 February 2016.
- Renaud, Karen. "Quantifying the Quality of Web Authentication Mechanisms A Usability Perspective" (PDF). Journal of Web Engineering. Retrieved 24 February 2016.
- Bonneau, Joseph; Herley, Cormac; van Oorschot, Paul C.; Stajano, Frank (2012). The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes (PDF). 2012 IEEE Symposium on Security and Privacy. University of Cambridge Computer Laboratory. doi:10.1109/SP.2012.44. ISSN 1476-2986.
- Sundararaman, Jeyaraman; Topkara, Umut. Have the cake and eat it too – Infusing usability into text- password based authentication systems (PDF). 21st Annual Computer Security Applications Conference (ACSAC'05). Tucson, AZ: IEEE. doi:10.1109/CSAC.2005.28. ISBN 0-7695-2461-3. ISSN 1063-9527.
- Ma, Y; Feng, J (2011). Evaluating Usability of Three Authentication Methods in Web-Based Application. 2011 9th International Conference on Software Engineering Research, Management and Applications (SERA). Baltimore, MD: IEEE. pp. 81–88. doi:10.1109/SERA.2011.18. ISBN 978-1-4577-1028-5.
- Financial Cryptography and Data Security. Springer Berlin Heidelberg. 2013. pp. 1–16. ISBN 978-3-642-41320-9.
- Martin Georgiev; Suman Jana; Vitaly Shmatikov. "Rethinking Security of Web-Based System Applications" (PDF). 24th International World Wide Web Conference.
- "The usability of passphrases for authentication: An empirical field study". International Journal of Human-Computer Studies. 65: 17–28. doi:10.1016/j.ijhcs.2006.08.005.
- Muhammad Daniel Hafiz Abdullah; Abdul Hanan Abdullah; Norafida Ithnin; Hazinah Kutty Mammi (2008). Towards Identifying Usability and Security Features of Graphical Password in Knowledge Based Authentication Technique. 2008 Second Asia International Conference on Modelling & Simulation (AMS). pp. 396–403. doi:10.1109/AMS.2008.136.
- John Chuang; Hamilton Nguyen; Charles Wang; Benjamin Johnson. "I Think, Therefore, I Am: Usability and Security of Authentication Using Brainwaves". Financial Cryptography and Data Security. Lecture Notes in Computer Science. 7862. Springer Berlin Heidelberg. pp. 1–16. doi:10.1007/978-3-642-41320-9_1. ISBN 978-3-642-41319-3. ISSN 0302-9743.
- Paul T. McCabe (2002). "Usability and User Authentication: Pectoral Password vs PIN". Contemporary Ergonomics, 2003. CRC Press. ISBN 9780203455869.