Making User Authentication More Usable
2 likes643 views
The document discusses user authentication usability and the NIST Special Publication 800-63, which outlines digital identity guidelines for federal use. It emphasizes the importance of considering diverse user needs, such as those of non-English speakers and individuals with disabilities, while exploring various authentication methods and their usability challenges. Recommendations for improving password management and leveraging different types of authenticators aim to enhance security without compromising user accessibility.
Making User Authentication More Usable
- 1. Making User Authentication More Usable Jim Fenton @jimfenton
- 2. Context I’m a consultant to the National Institute of Standards and Technology Focusing on revising US Government digital identity standards Everything here is my own opinion; I don’t speak for NIST! This talk focuses on the usability aspects of authentication, and the security aspects only incidentally
- 3. About SP 800-63 NIST Special Publication 800-63, Digital Identity Guidelines Intended for federal government use, but also widely used commercially and internationally
- 4. Four-volume Set Enrollment and Identity Proofing SP 800-63A Authentication and Lifecycle Management SP 800-63B Federation and Assertions SP 800-63C
- 5. Executive Order 13681, “Improving the Security of Consumer Financial Transactions” “…ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
- 6. Who are the Users? Everybody: Non-English speakers Homeless people Disabled veterans Hospital patients Physicians Elderly Students Usability needs to consider all of these Not just Federal employees! Photo by Rob Curran on Unsplash
- 7. Usability Emphasis in SP 800-63-3 Engaged NIST human-factors specialists Included a Usability Considerations section in each volume (A, B, and C) Invited review on normative requirements that might affect usability
- 8. Related Concepts Accessibility: Can users with various disabilities authenticate? Availability: Can users authenticate under all circumstances?
- 9. Authenticators Nine authenticator types defined Memorized secret (password, PIN, etc.) Look-up secret Out-of-band device Single- and multi-factor OTP device Single- and multi-factor crypto software Single- and multi-factor crypto device
- 10. Factors There are three authentication factors: Something you know (password) Something you have Something you are (biometric) Authenticators may provide 1 or 2 of these
- 11. Memorized Secrets Passwords, passphrases, PINs, etc.
- 12. Memorized Secrets Passwords are: Most used authenticators Most hated authenticators Relatively weak But they’re the only “something you know” Security questions no longer acceptable
- 13. Making Passwords More Usable Action Rationale Get rid of composition rules (include digits, symbols, etc.) Frustrating for users, less benefit than expected Allow all printing characters plus space Maximum freedom in selection; no technical reason otherwise Allow Unicode characters Memorable passwords in all languages Very long maximum length Encourage long passwords, passphrases
- 14. Frustration vs. Security Recommend use of a blacklist for common passwords Unfortunately not very transparent Frustrated users make bad choices Weak passwords allowed Frustrated users Blacklist size
- 15. Password Visibility Passwords are obscured to inhibit “shoulder surfing” Makes correct entry more difficult, and often there is no shoulder-surfing threat Recommend making passwords visible on request Future browser feature??
- 16. Pasting Some sites disallow pasting: <input type="test" onPaste="return false”> Also disables password managers Done to enhance security, but probably encourages weaker passwords SP 800-63B discourages blocking pasting
- 18. Look-up Secrets List of machine-generated one-time secrets Not intended for memorization: typically more complex Less usable/accessible because they require manual transcription, subject to misread/mistyping Cheap and very suitable as a backup authenticator
- 19. Out-of-Band Requires a separate communication channel, usually separate device Availability: cell phone service is not always available Accessibility: Usually requires transcription of a secret from one device to another, often time-limited
- 20. Single-factor One Time Password (OTP) Requires transcription from device to login session Time based OTP imposes a time limit on this process Photo credit: Wikimedia Commons
- 21. Multi-factor OTP Requires transcription of secret from authenticator to login session Typing on small device may be challenging Photo credit: HID
- 22. Cryptographic Software Authenticators Example: client certificate (with or without passphrase) Process for installation of authenticator on user device should be considered Authenticators need to be organized for identification
- 23. Single-factor Cryptographic Device Availability: Requires an interface (e.g., USB) to connect to authenticating device Location of some ports is inconvenient for pushing the button Photo credit: Yubico
- 24. Multi-factor Cryptographic Device Availability: Requires an interface or adapter to connect to authenticating device
- 25. About Biometrics… Need to reproduce conditions of enrollment Choice of finger (fingerprint) Lighting conditions (iris) Facial hair, expression, glasses (face) Many modalities (fingerprint, iris, etc.) are not usable by some people Generally considered convenient to use, but familiarity is important
- 26. Summary There isn’t a perfect authenticator, from either a usability or security standpoint Services should support a variety of ways to authenticate and to enroll multiple authenticators per user
- 27. Identity Proofing
- 28. Identity Proofing Enrollment process: establishing that a digital identity corresponds to a specific individual Generally done only once at enrollment, but may be repeated if all authenticators are lost May be done in-person (preferred) or remotely Less sensitive to convenience, but more sensitive to accessibility (disabled, homeless, etc.)
- 29. Questions?