Usability and Security


Usability and Security

University: Vrije Universiteit Amsterdam
Faculty of Economics and Business Administration
Postgraduate program: IT Audit
De Boelelaan 1105
1081 HV Amsterdam

Authors: Andrew Cheung, Terren Chong
Team: 829
Date: March 31st 2008

Thesis coordinator VU: J. Steen, Vrije Universiteit Amsterdam
Mentor: J.G.G.V. van den Boom, Ernst & Young EDP Audit
University coach: E. Koning, DNB


ABSTRACT

In the modern multi-user computer environment, Internet-capable networks provide connectivity that allows a large portion of the user population to access information from sources around the world. Because of the ease with which information can be accessed, computer security breaches may occur unless systems are restricted and the information stored in them is kept secure. Breaches of security can have serious consequences, including theft of confidential corporate documents, compromise of intellectual property, unauthorized modification of systems and data, denial of service, and others. Considerable research has been conducted on threats to security. Numerous sophisticated security methods have been developed, many of which rely on individuals to implement and use them correctly. Despite the apparent influence of usability, surprisingly little research has been conducted on the relation between usability and the degree of security provided by the various information security methods. In this thesis, we review the various information security methods that are used, appraise the usability issues and map the relationship between these two aspects.


ACKNOWLEDGMENTS

This thesis covers the last and third year of the postgraduate program and is based on the work of an Executive Master in IT Auditing thesis in the Faculty of Economics and Business Administration of the Vrije Universiteit Amsterdam.

It is a pleasure to thank the many people who made this thesis possible. To start with, we would like to thank our university coach, Evert Koning, and our mentor, Guill van den Boom, who throughout the thesis writing period provided sound advice and explained things clearly and simply. We would also like to thank our interviewees, Eric Velleman and Martin Wijnmaalen, for their time and good input. Last but not least we would like to thank Rene Bestebreurtje for his good teaching, ideas and encouragement.

The Hague, March 31st 2008


CONTENTS

1 Introduction
1.1 Objective
1.2 Research question
1.3 Research scope
1.4 Research method
1.4.1 Literary study
1.4.2 Case study
1.4.3 Interviews
2 Literary study
2.1 What is usability?
2.1.1 Definitions
2.1.2 Definition used
2.1.3 Usability components
2.2 What is security?
2.2.1 Definitions
2.2.2 Definition used
2.2.3 Security requirements
2.2.4 Risk assessment
2.2.5 Security risks and controls
2.2.6 Access control
3 Case study
3.1 Description of research
3.2 Authentication in general
3.3 Authentication mechanisms
3.3.1 Passwords
3.3.2 Challenge questions
3.3.3 Tokens
3.3.4 Biometrics
4 Interviews
5 The optimal balance between usability and security
5.1 More secure authentication
5.2 More usable authentication
6 Conclusion
7 Reflection
Appendix
Interview with Martin Wijnmaalen (confirmed on 25 March 2008)
Interview with Eric Velleman
Sources


1 Introduction

The developments in Information Technology (IT) are continually growing. Management is faced with complicated technologies which, directly or indirectly, support the business processes in the organization. It is the responsibility of management to decide on the level, nature and extent of the measures that need to be taken. In addition, two aspects play an important role. On the one hand, it is the desire of the organization that an automated system supports the business in its day-to-day activities, in such a way that the business shows great willingness to use this system. From that point of view, the system must be user-friendly. This user-friendliness is strongly determined by a number of specific characteristics of a system: 'Gewin' or perceived pay-off, 'Gemak' or the level of difficulty or discomfort when making use of the system, and 'Genot' or subjective personal interest in and response to the system. On the other hand, from a security perspective a system must be robust, which means that the system behaves 'reasonably', even in circumstances that were not anticipated in the requirements specification. This means, however, that measures have to be taken which by definition are not user-friendly. It is therefore important that a proper balance is struck between these two principles and that management carefully considers the implementation of the measures that need to be taken.

1.1 Objective

Many people believe that there is an inherent tradeoff between security and usability. A computer without passwords is usable, but not very secure. On the other hand, a computer that makes you authenticate every five minutes with a password length of eight characters might be very secure, but nobody would want to use it. The purpose of this thesis is to research the relationship between usability and security.
The intent is to set usability and security side by side and map out the relationship between these two aspects for different authentication mechanisms on a "high, moderate and low" scale.

1.2 Research question

The main research question runs as follows:

"To what extent is it possible to have a sufficient level of security without losing usability?"

In order to answer the main research question, the following sub-questions need to be considered:
• What is usability?
• What is security?
• What is the relationship between usability and security?
• How will the relationship between usability and security develop in the coming years?


1.3 Research scope

The research questions formulated above limit the scope of the thesis to a large extent. The two main subjects discussed in this thesis are usability and security:
1. Security: here we focus on techniques for identifying and authenticating computer users to systems that are both local and remote, namely passwords, mechanisms with a challenge question, tokens and biometrics. These authentication mechanisms are commonly used to protect physical and logical access;
2. Usability: here we focus on the usability issues associated with each of the authentication mechanisms. The human-interaction-processing ('human factor') characteristics will not come up for discussion in this thesis. However, where necessary they will be outlined, as many authentication mechanisms require cognitive activity.

1.4 Research method

1.4.1 Literary study

The purpose of the literary study is to obtain more information about the subject and to help find answers to the research questions. We will carry out a literary study on usability and security and on the techniques for identifying and authenticating computer users to systems. The literary study will also serve as a basis for performing the different case studies and interviews.
Studies will be performed in relation to:
• Usability;
• Security;
• Authentication techniques;
• Relationship between usability and security;
• Latest trends and developments on the subjects mentioned above.

During the whole process we will make use of various types of literature such as:
• Books;
• Scholarly journals;
• Whitepapers and fact sheets;
• Articles;
• Research studies.

1.4.2 Case study

The case study is an in-depth, longitudinal examination of different events and will allow us to gain a sharpened understanding of why the instance happened as it did, and what might become important to look at more extensively in future research. The case studies will cover topics on the different types of authentication mechanisms as defined in our research scope and also the usability issues associated with each. These 'real world' examples allow the application of theoretical concepts to be demonstrated, thus bridging the gap between theory and practice. This will help us understand the relationship between usability and security and the common problems encountered in practice.

1.4.3 Interviews

We will conduct interviews to obtain more insight into how usability and security are dealt with in practice. We will ask a few questions on the subjects as defined in our research scope, and permit the interviewee to talk freely. We will only intervene to refocus the discussion or probe for additional insight into the key areas (passwords, challenge questions, tokens and biometrics). Because we are choosing to interview people with different backgrounds and experience, it is important to obtain insight from different perspectives and into what is important to them.

2 Literary study

2.1 What is usability?

Usability has many different definitions. The English term usability is well established (at least in computing) when it comes to the usability of software interfaces and websites.
The objective of usability is to enable users to achieve goals and meet needs in a particular context of use.

2.1.1 Definitions

We have seen in the literature that the term usability has been used broadly and is defined in different ways:
• ISO (the International Organization for Standardization), a worldwide federation of national standards bodies, defines usability as: "Extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use" [1]. To obtain a better understanding of the definition it can be broken down into different 'components', for which the following definitions apply:
  – product: part of the equipment (hardware, software and materials) for which usability is to be specified or evaluated;
  – user: person who interacts with the product;
  – goal: intended outcome;
  – effectiveness: accuracy and completeness with which users achieve specified goals;
  – efficiency: resources expended in relation to the accuracy and completeness with which users achieve goals;
  – satisfaction: freedom from discomfort, and positive attitudes towards the use of the product;
  – context of use: users, tasks, equipment (hardware, software and materials), and the physical and social environments in which a product is used.


• Nielsen (1993) points out that usability is a quality attribute that assesses how easy user interfaces are to use. The word "usability" also refers to methods for improving ease-of-use during the design process. According to Nielsen, usability is defined by five quality components: learnability, efficiency, memorability, errors, and satisfaction [2];
• Shackel (1991) reports that the definition of usability was probably first attempted by Miller (1971) in terms of measures for "ease of use". The concept of usability was first fully discussed and a detailed formal definition was attempted by Shackel (1981), in which he defines usability as: the capability in human functional terms to be used easily and effectively by the specified range of users, given specified training and user support, to fulfill the specified range of tasks, within the specified range of environmental scenarios [3];
• Booth (1989) outlines that usability has four factors: usefulness, effectiveness (ease of use), learnability, and attitude (likeability) [4];
• Brinck, Gergle, and Wood (2002) share a similar perspective that usability is: functionally correct, efficient to use, easy to learn, easy to remember, error tolerant, and subjectively pleasing [5];
• Hix and Hartson (1993) classify usability into initial performance, long-term performance, learnability, retainability, advanced feature usage, first impression and long-term user satisfaction [6];
• In addition to the views mentioned above, Gould (1988) divides usability into more components, including system performance (reliability, responsiveness), system functions, user interface, reading materials, language translation, outreach program, ability for customers to modify and extend, installation, field maintenance and serviceability,
advertising, and support group users [7].

2.1.2 Definition used

As mentioned in the previous paragraph, the term usability is used broadly and is defined in different ways. We have seen that authors and organizations in the usability community have different opinions and perceptions on what they consider to be a useful attribute or aspect or, as some of them call it, component. We are able to conclude that there is clearly an overlap between the various definitions. Some attributes have the same meaning but are described using other words, e.g. "satisfaction" and "long-term user satisfaction", or "efficiency" and "efficient to use". Furthermore we noticed that "efficiency" is also one of the quality aspects as defined by NOREA. For our thesis we will use the definition as defined by ISO, which, besides being a standard adopted by an international standards organization, suits the purpose of the research question in this thesis.

Effectiveness, efficiency and satisfaction can be specified for different goals [1]:

Usability objective | Effectiveness measures | Efficiency measures | Satisfaction measures
Overall usability | Percentage of goals achieved | Time to complete a task | Rating scale for satisfaction
 | Percentage of users successfully completing task | Tasks completed per unit time | Frequency of discretionary use
 | Average accuracy of completed tasks | Monetary cost of performing the task | Frequency of complaints

Table 1: Examples of measures of usability


2.1.3 Usability components

In order to specify or measure usability it is necessary to identify the goals and to decompose effectiveness, efficiency and satisfaction and the components of the context of use into sub-components with measurable and verifiable attributes. The framework in Figure 1 illustrates the components of usability and the relationship between them [1].

Figure 1: Usability framework

When specifying or measuring usability the following information is needed:
• a description of the intended goals: this includes the criteria that would satisfy the intended goals;
• a description of the components of the context of use including users, tasks, equipment, and environments: this may be a description of an existing context, or a specification of intended contexts;
• target or actual values of effectiveness, efficiency, and satisfaction for the intended contexts: measures of effectiveness relate the goals of the user to the accuracy and completeness with which these goals can be achieved, measures of efficiency relate the level of effectiveness achieved to the expenditure of resources, and measures of satisfaction relate the extent to which users are free from discomfort and their attitudes towards the use of the product.

2.2 What is security?

When we talk about security in this thesis, we refer to information security. Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Defining, achieving, maintaining, and improving information security is essential to maintain competitive edge, cash flow, profitability, legal compliance, and commercial image.


2.2.1 Definitions

Like usability, information security has been used broadly in the literature and is defined in different ways:
• Preservation of confidentiality, integrity and availability of information [8];
• Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption [9];
• The term "information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction [10];
• Simply put, information security describes all measures taken to prevent unauthorized use of electronic data, whether this unauthorized use takes the form of disclosure, alteration, substitution, or destruction of the data concerned [11].

2.2.2 Definition used

For uniformity we use the ISO definition of information security in this thesis, which is defined as the "preservation of confidentiality, integrity and availability of information" [8]. These three aspects are further defined as:
• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes;
• Integrity: the property of safeguarding the accuracy and completeness of assets;
• Availability: the property of being accessible and usable upon demand by an authorized entity.

2.2.3 Security requirements

Many information systems have not been designed to be secure.
The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. To establish these security requirements, organizations can refer to different sources [8]. One source is derived from assessing risks in the organization by means of a risk assessment. Another source is the legal, statutory and regulatory requirements that an organization has to satisfy. A further source is the particular set of principles, objectives and business requirements for information processing that an organization has developed to support its operations.

2.2.4 Risk assessment

Risk assessment comprises the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the estimated risks against risk criteria to determine the significance of the risks [8]. Performing a risk analysis within an organization can be done by means of a standardized approach or a


custom approach [12]. An example of a standardized approach is the code of practice for information security management. The use of this method is simple and standardized, and the results can be compared to the norm. We can divide the approach into the following categories [12]:
• Quick scan, by means of external standard questionnaires. The starting point is compliance with generally accepted standards;
• Baseline checklist, where checklists are used to verify if the organization's own baseline requirements are met. The baseline is the system of internal security measures of the entire organization.

A custom approach is a more profound approach in which controls can be determined in detail. In addition it gives the organization a profound understanding of the dependencies and vulnerabilities of its IT environment. We can distinguish between a qualitative and a quantitative risk analysis [12]. An example of a qualitative risk analysis is the so-called "Afhankelijkheids- en Kwetsbaarheidsanalyse" (A&K-analyse, dependency and vulnerability analysis), in which four logical steps ("1) inventarisatie, 2) afhankelijkheidsanalyse, 3) kwetsbaarheidsanalyse en 4) resultaat": inventory, dependency analysis, vulnerability analysis and result) are performed to map out the dependencies and vulnerabilities. The business requirements are the central point and are translated to define the requirements of the information systems that support the business processes [13].

The most profound form of risk analysis is the quantitative risk analysis, which methodically follows a similar approach to the qualitative risk analysis. This form, however, seeks quantification, where risk is defined as: risk = probability of an incident × losses per incident [12].

2.2.5 Security risks and controls

Security requirements are identified by a methodical assessment of security risks.
Expenditure on controls needs to be balanced against the business harm likely to result from security failures. The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks and for implementing the controls selected to protect against these risks. Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results [8].

Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be classified into preventive controls, detective controls, repressive controls and corrective controls [12], and can be selected from a standard or from other control sets [8]. New controls can also be designed to meet specific needs as appropriate [8]. The selection of security controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations.


2.2.6 Access control

The authentication mechanisms discussed in this thesis are commonly used to protect physical and logical access. Access to information, information processing facilities, and business processes should be controlled on the basis of business and security requirements [8]. The objective is to control access to information.

One of the main reasons to have a variety of access-control types is to provide the organization with true defense in depth. Each control type provides a different level of protection, and because each level can be adapted to meet the needs of the organization, the security administrator has a very granular level of control over the security mechanisms. The best approach for organizations is to focus the bulk of their controls on prevention, because this allows the organization to stop a problem before it starts. The three access-control types are administrative, technical, and physical controls [14]:
1. Administrative controls are the policies and procedures implemented by the organization. Preventive administrative controls can include security awareness training, strong password policies, and robust pre-employment checks;
2. Technical controls are the logical controls put in place to protect the IT infrastructure. Technical controls include strong authentication (biometrics or two-factor), encryption, network segmentation, demilitarized zones (DMZs), and antivirus controls;
3. Physical controls are the ones you can most likely see. These controls protect against theft, loss, and unauthorized access. Examples of physical access controls include guards, gates, locks, guard dogs, closed-circuit television (CCTV), and alarms.

3 Case study

3.1 Description of research

Most people are familiar with passwords as a form of authentication.
Passwords and Personal Identification Numbers (PINs) are two examples of using "something you know" in order to authenticate. Biometrics, such as fingerprint or voice recognition, represent "something you are," and a physical token, such as a bank card, represents "something you have." These three "something" categories are the common means of classifying authentication techniques.

As mentioned before, our research focuses on authentication mechanisms commonly used to protect physical and logical access. The authentication mechanisms discussed in this chapter are:
• Passwords;
• Challenge questions;
• Tokens;
• Biometrics.

We will discuss and analyze the case studies performed by others and focus on the issues between usability and security encountered in practice, but will not conduct any field research ourselves. The intent is to


set usability and security side by side and map out the relationship between these two aspects for passwords, challenge questions, tokens and biometrics on a "high, moderate and low" scale.

Based on the definitions selected for usability (refer to paragraph 2.1.2) and security (refer to paragraph 2.2.2) we have made the following classification for our measurement scale:
• Usability, which consists of the aspects effectiveness, efficiency and satisfaction:
  – High: all three aspects considered;
  – Moderate: two aspects considered;
  – Low: one or none considered.
• Security, which consists of the aspects confidentiality, integrity and availability:
  – High: all three aspects considered;
  – Moderate: two aspects considered;
  – Low: one or none considered.

3.2 Authentication in general

Security systems are designed to let authorized people in (the permission problem), and to keep unauthorized people out (the prevention problem) [15]. This involves three distinct steps:
• Identification is the process of identifying yourself to an authentication service [14];
• Authentication is a process where a person or a computer program proves their identity in order to access information [16];
• Authorization is the act of granting a person or other entity permission to use resources in a secured environment [17].

People authenticate themselves by what they know (memometrics) [18], by what they recognize (cognometrics), by what they hold, or by what they are (biometrics). In the case of the first three, the system and the person share a secret (the authentication key) [19]. At enrollment, the user and the system agree on what the secret is; at authentication time, the system determines whether the person being authenticated has possession of the pre-agreed secret.
If the user proves knowledge of the secret, the system will authenticate her. In the case of biometrics, the system records a digital representation of some aspect of a person's physiology or behavior at enrollment, and this is confirmed at authentication time.

3.3 Authentication mechanisms

3.3.1 Passwords

Passwords are a mechanism designed to authenticate a user; that is, to bind the identity of the user to an entity on the computer. A password is a sequence of characters that confirms the user's identity [20]. Using a user id and password is the most classic form of single-factor authentication. Remembering a single, frequently used password is a perfectly manageable task for most users. But most users today have many knowledge-based authentication items to deal with. We have multiple and frequently changed passwords


Figure 2: Hackability of types of passwords

To investigate the tradeoffs between security and memorability in a real-world context, an experiment was conducted involving 400 first-year students at the University of Cambridge [25]. The experiment compared the effects of giving three alternative forms of advice about password selection and measured the effect that this advice had on the security and memorability of passwords. The students were provided with an account on a central computing facility, using a user ID and a randomly generated initial password.

The experiment led to the following results and recommendations:
• Users have difficulty remembering random passwords;
• Instruct users to choose mnemonic-based passwords, as these are as memorable as naively selected passwords while being as hard to guess as randomly chosen ones;
• In applications where one user can be harmed by another user's negligence, screen users' password choices and reject weak ones;
• When devising your advice to users and writing your password-screening code, pay attention to password length but also to entropy per character.

The lessons learned from this experiment are that theoretical analysis does not guarantee the security of systems. It is often necessary to study systems as they are used in practice. Furthermore, what engineers expect to work and what users actually make work are two different things. Rigorous experimental testing of interface usability is one of the necessary ingredients for robust secure systems.

3.3.1.1 Recapitulation and analysis

Usability aspects:
• Effectiveness: the users' goal with effectiveness is to log into the system accurately and completely; this is not the case if the password complexity is set at the highest category.
Thus this aspect is considered in the low, moderate-low and moderate-high password complexity categories;
• Efficiency: the users' goal with efficiency is to log into the system accurately and completely using as few resources (e.g. time) as possible. Passwords in the 'high' password complexity category lead to "work-arounds" such as Post-it notes with passwords on monitors, which in this case is very efficient for the user. In addition, a lower category will lead to easy-to-remember passwords, thus more efficient. Therefore this aspect is considered in all password complexity categories;
• Satisfaction: the users' goal with satisfaction is a positive attitude towards the use of the system, in this case logging into the system without encountering any discomfort. An example would be a user trying to log into a system, assuming that the password is correct, when the password is actually incorrect. Thus this aspect is only considered in the low and moderate-low password complexity categories.
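The Cambridge experiment's last two recommendations (screen password choices and reject weak ones; weigh length but also entropy per character) as working screening code. This is an added example, not code from the thesis or from the experiment; the character-class sizes, the distinct-character penalty, the common-password list and the thresholds are assumptions chosen for the demonstration.

```python
import math
import string

# Constructed list of very common choices that a screener should reject
# outright, regardless of length. A real deployment would use a much
# larger breach-derived list; this short set is an assumption for the demo.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Size of each character class among the 95 printable ASCII characters.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(pw):
    """Return the set of character classes that appear in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def pool_bits_per_char(pw):
    """Upper bound on entropy per character: log2 of the size of the pool
    formed by the classes the password actually uses (e.g. lower + digit
    gives log2(36))."""
    pool = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return math.log2(pool)


def effective_bits_per_char(pw):
    """Heuristic per-character entropy (an assumption for the demo): the
    pool bound scaled down by the share of distinct characters, so that
    'aaaaaaaaaaaa' scores far below a twelve-character random string drawn
    from the same pool."""
    return pool_bits_per_char(pw) * len(set(pw)) / len(pw)


def screen_password(pw, min_length=8, min_bits_per_char=4.0, min_total_bits=40.0):
    """Return (accepted, reason). Thresholds are assumptions for the demo.
    Length and per-character entropy are checked separately: a long but
    repetitive or single-class string still fails, as the experiment's
    advice requires."""
    if pw.lower() in COMMON_PASSWORDS:
        return False, "common password"
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    per_char = effective_bits_per_char(pw)
    if per_char < min_bits_per_char:
        return False, f"only {per_char:.1f} bits per character"
    total = per_char * len(pw)
    if total < min_total_bits:
        return False, f"only {total:.1f} bits in total"
    return True, f"{total:.1f} bits ({per_char:.1f} per character)"


if __name__ == "__main__":
    # Constructed samples: a naive choice, a long repetitive string, a
    # mnemonic-based password ("To be or not to be, that's the question")
    # and a randomly generated one.
    for sample in ["letmein1", "aaaaaaaaaaaa", "Tbontb,ttq!", "x7Q$k2Lp"]:
        accepted, reason = screen_password(sample)
        verdict = "accept" if accepted else "reject"
        print(f"{sample!r:16} {verdict:7} {reason}")
```

The mnemonic sample passes on the same footing as the random one, while the twelve-character repetitive string is rejected despite its length, which is the point of checking entropy per character separately.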


<strong>Security</strong> aspects:• Confidentiality: in this aspect the property that information is not made available to unauthorizedindividuals is important. Passwords in the ‘high’ password complexity categories lead to behaviorforbidden by many security policies increasing the risk of being obtained by unauthorizedindividuals. This aspect is therefore only considered in the moderate-low password complexitycategory;• Integrity: in this aspect the property of safeguarding the accuracy <strong>and</strong> completeness of assets isimportant. Passwords in the ‘high’ password complexity categories lead to “work arounds”increasing the risk of being obtained by unauthorized individuals. This aspect is only considered inthe moderate-low <strong>and</strong> moderate-high password complexity categories;• Availability: in this aspect the property of being accessible <strong>and</strong> usable upon dem<strong>and</strong> by anauthorized user, in this case the system is important. Passwords in the ‘high’ password complexitycategories lead to “work arounds” increasing the risk of being obtained by unauthorized individualswho can manipulate or remove data (= information) in the system, making the data unavailable.This aspect is therefore only considered in the moderate-low <strong>and</strong> moderate-high passwordcomplexity categories.As discussed in this paragraph, the goal is to get access to the system by means of password security. Wehave seen that users need to cope with complicated <strong>and</strong>/or complex passwords for different systems.Enforcing users to change their password periodically through the system makes it even more difficult forusers to remember their password. Passwords for systems that are not being used frequently are even moredifficult to remember. 
Users therefore behave in ways forbidden by security policies <strong>and</strong> ‘best practices’.We have also seen that there are ways to use both secure <strong>and</strong> usable passwords, but this is often notsupported by the system. Furthermore we think that the more complex <strong>and</strong> difficult to rememberpasswords are, the more ways users will find to make it more usable, thus decreasing the level of security.The table below illustrates the results of our classification based upon the analyses performed in thisparagraph:Aspects<strong>Usability</strong><strong>Security</strong>Effectiveness Efficiency Satisfaction Level Confidentiality Integrity Availability LevelPassword complexity categoriesHigh X Low LowModerate-High X X Moderate X X ModerateModerate-Low X X X High X X X HighLow X X X High LowTable 2: Password levels3.3.2 Challenge questionsChallenge questions are amongst others used as an automated means of password or credential recovery.This can be performed by a help-desk call or performed automatically through confirmation of a user’sresponse to previously stored questions <strong>and</strong> answers. During recovery, the user is challenged with aquestion <strong>and</strong> therefore required to provide the correct answer. Challenge questions offer the same potential12


for abuse in case the system is not usable (e.g. writing down the password). And if not usable, then usersmay also be unwilling or unable to automatically recover, thereby triggering more expensive, manualrecovery. Thus, the security <strong>and</strong> usability of the system is a major concern. A poorly designed challengequestion system can dramatically weaken the security of an otherwise strong password system 26 . Withregards to the types of questions we are able to make a distinction between three types 27 :• Fixed: system provides a list of administrator-chosen questions to a user, where the user’s choice ofquestion can only be taken “as-is” from this list;• Open: a user has complete choice <strong>and</strong> control over the question; the question construction may beprovided to the user but the user enters the question in free-form text;• Controlled: it permits a shorter list of general questions to be constructed by the system manager.This inherently provides some guidance for the user (relative to an open question) <strong>and</strong> allowsfurther personal customization.According to Mike Just there are some issues related to the types of questions <strong>and</strong> answers 27 :Types of Questions• <strong>Security</strong>: With a fixed question, users are prevented from poor question selection, e.g. “Whatcolor is my car?” This is a poor question since the resulting answer space is insecure, resulting fromlow entropy. Therefore a security advantage is provided since the likelihood of choosing a“bad question” is reduced. With an open question, users might select a question that is “bad”,though capable users are able to select more secure questions. Controlled questions offer a balancedalternative helpful for question design in case an exhaustive list of suitable fixed questionscannot be constructed. 
However, controlled questions also share the weaknesses of openquestions as the question or hint entered by the user can be insecure;• <strong>Usability</strong>: With fixed questions, users are not required to construct their own questions atregistration. This offers both an advantage <strong>and</strong> disadvantage depending on the ability <strong>and</strong> desire of auser to choose their own questions. An open question would offer similar disadvantages <strong>and</strong>advantages. As discussed above for the security issues, a controlled question allows someguidance to be provided for the user, in the form of a general yet partially focusedquestion, while allowing some flexibility via customization. Repeatability <strong>and</strong> memorability ofthe hint are not a concern since the hint is shown to the user upon answer presentation.Types of answersA fixed answer set involves user selection of an answer from a preset list of answers. The other extreme isan open answer, which involves a user manually entering his response. Guidance may be provided as partof answer registration, but the answer is entered in free-form by the user. A subtle variation is a controlledanswer, where the answer space is neither fixed nor open 26 :• <strong>Security</strong>: With a fixed answer set, users are prevented from selecting insecure answers. With openanswers, larger variation in the answer space is provided, though for certain questions, a userwould be able to select highly probable answers. There does not seem to be any significantsecurity advantages offered by using a controlled answer other than supporting a large answerspace.• <strong>Usability</strong>: With a fixed answer list, memorability <strong>and</strong> repeatability may be hampered if there isno unique answer to satisfy a user’s preference. With an open answer list, memorability <strong>and</strong>repeatability may be better than fixed, though also problematic if the registered answer is13


ambiguous. Controlled answers offer an alternative whereby a large answer space can beused, but control over the possible values improves repeatability.To investigate the tradeoffs between the usability <strong>and</strong> security aspects of the challenge questionsmechanisms a challenge question system was designed in support of Canada’s Government OnLinesolution 26 . Input to some of the design decisions came from a focus group consisting of 17 individualsfrom the general population that had Internet experience. The participants were provided with thefollowing three types of questions:• Question 1; consists of 15 fixed questions, where the focus group input was used to determineseveral of these questions. The corresponding answer is open, both at registration <strong>and</strong> recovery.Some of the fixed questions proposed for this fixed list included: "What was my first pet’s name?""Where did I first meet my significant other?" <strong>and</strong> "What was the last name of my childhood bestfriend?";• Question 2: consists of a controlled question, "Please choose a person who is memorable to you,"<strong>and</strong> an open hint. Originally, a fixed hint was used, but participants were not comfortable with thechoices it offered as they had difficulty mapping their desired hint to a single selection of a fixedhint;• Question 3: consists of a controlled question, "Please choose a date that is memorable to you," <strong>and</strong>an open hint. The corresponding answer is controlled at both registration <strong>and</strong> recovery, consisting ofdrop-down selections for each of year, month, <strong>and</strong> day.The lessons learned from the focus group include the following:• Although questions related to “first-time” events are good for repeatability, they can be moredifficult for older users to recall;• Regarding questions with calendar date answers, participants indicated an inability to recall morethan a half-dozen dates. 
However, even in this situation, such a question offers strength against ar<strong>and</strong>om attack, while being more susceptible to a targeted attack. Thus, additional questions <strong>and</strong>/orcomplementary security techniques should also be used;• Although participants indicated a preference for open questions, the c<strong>and</strong>idate list of questions theyprovided did confirm the designers’ assumptions that an insufficient level of security would beattained for open questions.3.3.2.1 Recapitulation & analysisIn this paragraph we recapitulate <strong>and</strong> analyze the case study discussed above. In this analysis we assumethat common users select bad questions <strong>and</strong> answers <strong>and</strong> that they prefer to choose. Furthermore weassume that IT Professionals select more secure questions <strong>and</strong> answers given their background. Hereafter,Question(s) <strong>and</strong> Answer(s) has been abbreviated as ‘Q&A’.<strong>Usability</strong> aspects:• Effectiveness: the users’ goal with effectiveness is to recover credentials as accurate <strong>and</strong> completeas possible. Regardless of the Q&A type, the right answer always needs to be provided. Users can14


eventually call the department in question or person responsible to retrieve their credentials, thusthis aspect is always considered;• Efficiency: the users’ goal with efficiency is to recover credentials as accurate <strong>and</strong> complete aspossible, using minimal resources (e.g. time). Users prefer to choose easy to remember Q&A <strong>and</strong>have trouble with remembering fixed Q&A types <strong>and</strong> therefore prefer open Q&A types. This aspectis only considered in open <strong>and</strong> controlled Q&A types;• Satisfaction: the users’ goal with satisfaction is a positive attitude towards the use of the system, inthis case recovering credentials without encountering any discomfort. The fact that users prefer tochoose to be in control gives the most satisfaction during the whole process of the Q&A types. Thisaspect is therefore only considered in open <strong>and</strong> controlled Q&A types.<strong>Security</strong> aspects:• Confidentiality: in this aspect the property that information is not made available to unauthorizedindividuals is important. Having fixed Q&A types is the most secure, considering the fact that ITprofessionals select secure Q&A types. Users however choose “easy”/ poor Q&A types, which areeasily traceable/ guessable. Thus this aspect is only considered in fixed Q&A types;• Integrity: in this aspect the property of safeguarding the accuracy <strong>and</strong> completeness of assets isimportant. The fact that users choose “easy”/ poor Q&A types that are easily traceable/ guessableincreases the risk of it being obtained by unauthorized individuals. This aspect is thereforeconsidered in controlled <strong>and</strong> fixed Q&A types;• Availability: in this aspect the property of being accessible <strong>and</strong> usable upon dem<strong>and</strong> by anauthorized user, in this case the ability to recover credentials <strong>and</strong> it being available to the right useris important. 
The fact that users choose “easy”/ poor Q&A types that are easily traceable/ guessableincreases the risk of it being obtained by unauthorized individuals who can manipulate or removedata (= information) in the system, making the data unavailable. This aspect is therefore consideredin controlled <strong>and</strong> fixed Q&A types.In this paragraph we have seen that there are three types of questions <strong>and</strong> answers, each with their set ofstrengths <strong>and</strong> weaknesses. Fixed questions prevent users from poor question selection <strong>and</strong> depends on theability <strong>and</strong> desire of the user to choose the right one. With open questions there is a risk that the user mightchoose a ‘bad’ question. This may differ depending the users background <strong>and</strong> knowledge. Controlledquestions offer a balanced alternative but share the same weakness as the open question which is thepossibility of the question or hint being insecure. With regards to the three types of answers, we have seenthat memorability <strong>and</strong> repeatability play an important factor in de type of answer that is being selected.The table below illustrates the results of our classification based upon the analyses performed in thisparagraph:Aspects<strong>Usability</strong><strong>Security</strong>Types of Q&AEffectiveness Efficiency Satisfaction Level Confidentiality Integrity Availability LevelFixed X Low X X X HighOpen X X X High LowControlled X X X High X X ModerateTable 3: Q&A levels15


3.3.3 TokensIn this paragraph the token authentication mechanism will come up for discussion. We will discuss twotypes of token-based authentication which are tokens <strong>and</strong> One Time Password Tokens, hereafter OTP. Wehave selected only these types of token-based authentication as they are most commonly used.Tokens have been used more commonly for the physical domain. Tokens can be used as a one factorauthentication process, e.g. swipe cards for door access. According to Sasse, this is a fairly weakmechanism since a token may be stolen or found by a potential attacker, who can use it until the loss/theftis discovered <strong>and</strong> the token is revoked 28 . Therefore, tokens are more often combined with anotherauthentication mechanism; e.g. the combination of bank cards <strong>and</strong> PINs for ATM being the most widelyused. OTP fall into the category of security devices that do not have to be plugged in 29 . Similar to theshape of a small pocket calculator, OTP display authentication data that users type in manually <strong>and</strong> theauthentication data changes each time a user authenticates. These tokens such as the SecurID have beenused, with apparent success, for remote access by financial institutions. On the other h<strong>and</strong>, the high cost ofreplacing lost tokens <strong>and</strong>/or lost working time has led companies in other sectors to ab<strong>and</strong>on it 28 .The secureID by RSA, is one way of significantly reducing the risk of using passwords. Unlike passwordswhich are changed every 60-90 days or longer, a secureID token works differently. On the small screen ofthe key fob the user carries with them are numbers that change every 60 seconds. The numbers displayedon the screen change r<strong>and</strong>omly to the end user are generated by a mathematical algorithm that is onlyknown to the enterprise security server 30 . There are however weaknesses by using only this approach. 
Forinstance, if someone is able to steal or fraudulently obtain the key fob <strong>and</strong> they also know the user's id,then they will be able to successfully masquerade as the identity 30 . According to Anderson, token-basedauthentication requires token construction <strong>and</strong> distribution, which is far from trivial <strong>and</strong> has led todocumented financial loss 31 .The token must be physically presented to the computer system, whichrequires additional hardware for reading the token. Both token <strong>and</strong> token reader cost money, <strong>and</strong> a readermust be available at every point a user might be authenticated. As costs of tokens <strong>and</strong> readers become less,this will be less of an issue. However, presentation of a valid token does not prove ownership; the tokenmay have been stolen. And although a token may be hard to forge, it does not mean it is impossible oruneconomic to do so 32 . Without two-factor authentication, stealing the device would allow an attacker toimpersonate the owner of the device; with two-factor authentication, the attacker would still have anotherauthentication burden to overcome 33 .The city of Turin had undertaken a trial to perform the first large-scale attempt to issue smartcards tocitizens for access to services <strong>and</strong> payment of local taxes (Torinofacile 2003). Based on 2,655 smartcardsissued, the number of tokens that were lost in the post/stolen in the first six months was low (16). Themajority of citizens who registered for the card were male, well educated <strong>and</strong> aged between 19 <strong>and</strong> 45; thenumber of cards issued to males was three times higher than for female citizens. Since most home <strong>and</strong>small business PCs are currently not fitted with smartcard readers, the trial issued digital certificates forusers who needed them. 
The initial phase has seen a high number of calls to the helpdesk, the majority ofwhich (83) were due to problems with using these digital certificates. The second most frequent problemwas that personal details registered about the owners of the cards were incorrect. These insights offersome pointers as to logistical aspects <strong>and</strong> the costs that are likely to be associated with issuing such tokens16


to a large number of citizens. At the same time, small businesses, single traders <strong>and</strong> professionals reportsignificant time savings <strong>and</strong> benefits from online access <strong>and</strong> payments compared to paper-based system<strong>and</strong> access restricted to office hours. Smartcards can offer additional usability benefits: once the loginprocedure is completed, the token can be used to carry sessions from one machine to another, thusremoving the need to log out or lock the screen when leaving the machine unattended for brief periods.They can also offer additional security features for applications such as credit cards.One usability concern arising from the increasing popularity of tokens is that users may end up being‘weighed down’ by a collection of tokens that they find hard to manage. There are two possible ways inwhich this might be prevented 28 :• Single tokens carrying multiple credentials. A single token, such as a smartcard, could be used tostore users’ credentials for multiple systems. The single token could either store data for multipleidentification <strong>and</strong> verification mechanisms operated by different organizations (providing the userwith a personal ‘credential/password manager’), or have a single strong verification (providing theuser with a ‘magic key’). Both approaches would require an open st<strong>and</strong>ard for credentials, <strong>and</strong> thesecond would also require agreement on a single form of authentication <strong>and</strong> a high degree of trustbetween participating organizations. The ‘magic key’ model would create less work for the user, butalso create a single point of attack;• Miniaturization of tokens. 
Organizations continue to issue their own tokens <strong>and</strong> decide their ownaccess control mechanisms, but the tokens are so small (for example, RFID chips) that users cankeep all of their tokens on them at all times, for example, in a smartcard-type device to whichindividual chips can be added.3.3.3.1 Recapitulation & analysis<strong>Usability</strong> aspects:• Effectiveness: the users’ goal with effectiveness is to get access to a building or remote access asaccurate <strong>and</strong> complete as possible. If the token does not work, the user is able to get it solved by thedepartment in question or person responsible. With regards to an OTP, users in most cases receive anew token when having problems connecting. However, in a normal situation this aspect isapplicable for both types. This aspect is therefore considered when using tokens <strong>and</strong> OTP;• Efficiency: the users’ goal with efficiency is to get access to a building or remote access as accurate<strong>and</strong> complete as possible, using minimal resources (e.g. time). Users are able to use tokens forphysical access, using the swipe principle. With regards to an OTP token, a user needs to rememberhis/ her key fob <strong>and</strong> enter the code which is indicated on the screen of the OTP token. In this caseboth are efficient to use. This aspect is therefore considered when using tokens <strong>and</strong> OTP;• Satisfaction: the users’ goal with satisfaction is a positive attitude towards getting access to abuilding or remote access, without encountering any discomfort. Users use the token for physicalaccess <strong>and</strong> OTP for remote access. If the token does not work, the user is able to get it solved by thedepartment in question or person responsible within an acceptable timeframe. With regards to anOTP, users in most cases receive a new token when having problems connecting, thus the user willnot be able to get remote access. 
This aspect is therefore only considered for tokens.17


<strong>Security</strong> aspects:• Confidentiality: in this aspect the property that information is not made available to unauthorizedindividuals is important. When a token gets lots or stolen, the risk of unauthorized individualsgetting access to a building increases. In the case of an OTP, an unauthorized user would stillrequire the key fob <strong>and</strong> userid to obtain remote access. This aspect is therefore considered whenusing OTP;• Integrity: in this aspect the property of safeguarding the accuracy <strong>and</strong> completeness of assets isimportant. When a token gets lots or stolen, the risk of unauthorized individuals getting access to abuilding increases. In the case of an OTP, an unauthorized user would still require the key fob <strong>and</strong>userid to obtain remote access. This aspect is therefore considered when using OTP;• Availability: in this aspect the property of being accessible <strong>and</strong> usable upon dem<strong>and</strong> by anauthorized user, in this case getting access to a building or remote access is important. When atoken gets lots or stolen, the risk of unauthorized individuals getting access to a building increases.In the case of an OTP, an unauthorized user would still require the key fob <strong>and</strong> userid to obtainremote access. This aspect is therefore considered when using OTP.In this paragraph we have seen that tokens are primarily used as a one factor authentication process forphysical domains, e.g. swipe cards for door access. It is considered to be a weak mechanism as a validtoken can be been stolen <strong>and</strong> does not prove ownership. OTP such as the SecurID is one way ofsignificantly reducing the risk of using passwords. The chance of someone stealing or fraudulentlyobtaining the key fob <strong>and</strong> knowing the user's id to successfully masquerade as the identity is consideredunlikely to happen. 
The table below illustrates the results of our classification based upon the analysesperformed in this paragraph:Aspects<strong>Usability</strong><strong>Security</strong>Types of tokensEffectiveness Efficiency Satisfaction Level Confidentiality Integrity Availability LevelToken X X X High LowOTP Token X X High X X X HighTable 4: Token levels3.3.4 BiometricsIn this paragraph the biometric authentication mechanism will come up for discussion. We will discussh<strong>and</strong>print, fingerprint, retina, Iris <strong>and</strong> face as biometric-based authentication. We have selected only thesetypes of biometric authentication mechanisms as they are most commonly researched.Biometrics are automated methods of identity verification or identification based on the principle ofmeasurable physiological or behavioral characteristics such as fingerprints, h<strong>and</strong>, the patterns of retinas,veins, Irises <strong>and</strong> faces. Behavioral biometrics techniques include those based on voice, signature <strong>and</strong>typing behavior. These biometrics approaches follow a similar operation: a digital template is createdduring an enrollment process; the template is stored in a database or in some cases on the chip of a card.On attempted verification, the relevant template is extracted <strong>and</strong> compared with the data input, say in theform of a fingerprint, or an acquired Iris image, for positive identification. Each technique has its own18


unique set of advantages <strong>and</strong> disadvantages. Cost, size, <strong>and</strong> method of use often dictate applicability toany given situation.Fingerprints, retinal scanning <strong>and</strong> Iris scanning are the only biometrics types that can accurately identifyan individual. Biometrics technologies have a wide range of accuracy, reliability, <strong>and</strong> usability. Thus,despite the difficulty in comparing biometrics, they will always have some comparable accuracy versususability balance that can be compared with other technologies 34 . With regards to the security aspectsaround biometrics; incorporating biometrics techniques into the organizations security architecture mayincrease information security by means of eliminating the ability of sharing passwords <strong>and</strong> making itmuch more difficult to counterfeit or steal the security key. The specific level of security provided by adevice also depends on the number of “reference points,” which are the individual metrics taken in eachscan 35 . According to Purnell & Marks, Iris scanners capture 200+ reference points while fingerprintreaders typically capture around 80. Furthermore, the effectiveness of the reference points also depends onthe algorithms used. More reference points can mean more false negative identifications 35 . This meansusing better accuracy might result in rejecting the right individual. While more reference pointstheoretically mean a better “signature,” it can also mean that there are more chances for failure in thesecondary scan. In relation to this, if the individual using the device is not positioned in a correct way,then the scanner may not pick up each reference point properly. The individual sensitivity settings on adevice control whether it will error the side of caution (rejection) or convenience (acceptance) 35 . Theaccuracy of many biometric systems is still not high enough for some applications e.g. 
negativeidentification or matching against a very large database 36 . Facial recognition systems are often used tocreate a manageable subset of possible identities, but must be scrutinized by a human observer. Thus,facial systems may not be suitable for real-time identification 37 .The actual performance of these devices is typically measured in terms of two measures 34 :• False accept rates (FAR). The likelihood that the wrong person will be able to access the system;• False reject rates (FRR). The likelihood that a legitimate person will be denied access.Setting the sensitivity too high can result in too many False Rejection Rate (FRR) <strong>and</strong> setting it too lowcan increase the False Acceptance Rate (FAR) 35 . Reported values for FAR <strong>and</strong> FRR are usually based ontheoretical calculations performed with clean, high-quality data, instead on actual observations <strong>and</strong> realworldperformance 34 . The realized performance may not be as good as the predicted performance.Performance estimates are often far more impressive than actual performance 38 . Many systems do not liveup to expectations because they prove unable to cope with the enormous variations among largepopulations, or fail to take into account people’s needs <strong>and</strong> behaviors 39 .Regarding the usability aspects around biometrics; various biometric sensors require more or lessinvolvement of the users. An important aspect is the nature of the signatures collected that impact the easeof enrollment <strong>and</strong> implementation of the equipment 35 .19


The strengths, weaknesses <strong>and</strong> usability (area of use) of the various biometric form factors are outlinedaccording to Wilson as follows 40 :Biometrics Strength Weakness <strong>Usability</strong>H<strong>and</strong> • Small template (approximately 10 • Physical size of • Physical access controlbytes)acquisition device• Time <strong>and</strong> attendance• Low failure to enroll rate• Physical contact required• Unaffected by skin condition• Juvenile finger growth• Hampered by temporaryphysical injuryFingerprint • Most mature biometric technology• Physical contact required• Accepted reliability(a problem in some• Many vendorscultures)• Small template (less than 500 bytes)• Association with criminal• Small sensors that can be built intojusticemice, keyboards or portable devices• Vendor incompatibility• Hampered by temporaryphysical injuryRetina • Stable over time• Requires user training <strong>and</strong> • IS access control,• Uniquenesscooperationespecially for high• High user resistancesecurity government• Slow read timeagencies• Dependent on a single • Physical access controlvendor’s technology(same as IS accesscontrol)Iris • Very stable over time• Potential user resistance• Uniqueness• Requires user training• Dependant on a singlevendor’s technologyFace • Universally present • Cannot distinguish • Physical access controlidentical siblings• Religious or culturalprohibitionsTable 5: Strengths, weaknesses <strong>and</strong> usability of various types of biometricsPurnell & Marks also discuss the various types of biometrics <strong>and</strong> outline the following 35 :• H<strong>and</strong>print: usually most appropriate for fixed physical locations requiring very high assurance ofidentify since it combines the h<strong>and</strong> biometric with essentially five different fingerprint biometrics.The security <strong>and</strong> reliability can be even further enhanced by combining a h<strong>and</strong>print with really anyof the other form 
factors. However, h<strong>and</strong>print reader use for normal commercial <strong>and</strong> light industrialbuilding access is waiting for identification algorithms to become reliable so that building managerscan stop issuing access cards;• Fingerprint: involves a finger size identification sensor with a low-cost biometric chip. Fingerprintprovides the best option for most uses of biometric verification, especially attached to specific20


computer <strong>and</strong> network assets. The relatively small size <strong>and</strong> low cost allow them to be easilyincorporated into devices <strong>and</strong> are fairly reliable;• Retina: scanning involves examining the unique patterns on the back of a person’s eye. The retina isthe part of the eye that translates light into the electrical impulses sent to the brain. Because of thecomplexity of current scanners, most retina biometric devices require a relatively large footprint.Most are still used to protect fixed physical assets. Using a retina scanner is also less convenientbecause the user must position himself a certain distance away from the scanner <strong>and</strong> then rest his orher head on a support or look into a hood. This is necessary in order to effectively read the back ofthe eye;• Iris: Iris scanning is similar to retina, but the scanner is looking at the unique patterns on a person’sIris. This is the “colored” part of the eye <strong>and</strong> is visible. A key benefit for Iris over Retina is that Irisscanners do not need to be nearly as close to the eye <strong>and</strong> do not need the eye to be as preciselypositioned;• Face: recognition involves scanning the unique features of a person’s face. Because some aspectschange over time, this is a less reliable form factor. Face recognition is less attractive for up-closeverification than for long distance identification. 
Once a person is close enough to a physical asset to get a high quality biometric scan, other form factors are viable and are currently much more reliable.

Wilson also outlines the usability (effort) and the security value for the different types of biometric form factors [40]:

Figure 3: Usability (effort) and security values

3.3.4.1 Recapitulation & analysis

Usability aspects:
• Effectiveness: the users' goal with effectiveness is to get access to a system or building as accurately and completely as possible. Facial recognition is still not mature enough, and handprints change over time (e.g. juvenile finger growth). Perhaps for other form factors more effort is needed, but in this case we consider all types with the exception of the facial and handprint types;
• Efficiency: the users' goal with efficiency is to get access to a system or building as accurately and completely as possible, using minimal resources (e.g. time). Based on the discussions above we can conclude that the most efficient biometric types are iris and fingerprint, followed by face and handprint. Retina takes a long time to scan and is thus not efficient. We therefore consider all types with the exception of the retina type;
• Satisfaction: the users' goal with satisfaction is a positive attitude towards getting access to a system or building, without encountering any discomfort. Based on the discussions above we can conclude that the iris, fingerprint, face and handprint types are effortless to use. Most convenient is fingerprint, followed by handprint and face. We therefore consider all types with the exception of the retina type.

Security aspects:
• Confidentiality: in this aspect the property that information is not made available to unauthorized individuals is important. Biometrics, however, concerns the component "something you are". The risk of obtaining a 'finger' to defeat the fingerprint reader, or of access by identical siblings, is considered very low. Based on the discussions above we can conclude that in this case the most secure biometric types are iris, fingerprint and retina;
• Integrity: in this aspect the property of safeguarding the accuracy and completeness of assets is important. Same explanation as for confidentiality;
• Availability: in this aspect the property of being accessible and usable upon demand by an authorized user, in this case getting access to a building or remote access, is important. Same explanation as for confidentiality.

In this paragraph we have seen that the different biometric technologies have a wide range of accuracy, reliability and usability. The actual performance of these devices is measured using False Accept Rates (FAR) and False Reject Rates (FRR) and depends on the number of reference points and algorithms used. Each biometric type has its strengths and weaknesses and is primarily used for physical and information system access.

The table below illustrates the results of our classification based upon the analyses performed in this paragraph:

| Types of biometrics | Effectiveness | Efficiency | Satisfaction | Usability level | Confidentiality | Integrity | Availability | Security level |
| Handprint | | x | x | Moderate | | | | Low |
| Fingerprint | x | x | x | High | x | x | x | High |
| Iris | x | x | x | High | x | x | x | High |
| Retina | x | | | Low | x | x | x | High |
| Face | | x | x | Moderate | | | | Low |

Table 6: Biometric type levels

The relationship between usability and security will be discussed in chapter five.
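The recapitulation above states that device performance is measured by FAR and FRR and depends on the error tolerance the operator sets. The following is an added example, not code from the thesis or from Wilson: it computes FAR and FRR over constructed, labelled match scores for a range of decision thresholds, picks the most permissive threshold that still meets a FAR target, and locates the equal error point. The score lists, the 0..100 score scale and all function names are assumptions of this example, not values from any real device.

```python
"""FAR/FRR versus decision threshold. Added illustration, not code from the
thesis or from Wilson; the match scores below are constructed sample data."""
from typing import List, Tuple

# Constructed similarity scores on a 0..100 scale (higher = closer match).
# Genuine attempts: enrolled users presenting their own biometric.
GENUINE_SCORES: List[int] = [95, 92, 90, 88, 85, 80, 78, 72, 65, 55]
# Impostor attempts: other people's biometrics compared against that template.
IMPOSTOR_SCORES: List[int] = [60, 52, 48, 45, 40, 35, 30, 25, 20, 12]


def false_accept_rate(impostor_scores: List[int], threshold: int) -> float:
    """Share of impostor attempts the device would accept (score >= threshold)."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_reject_rate(genuine_scores: List[int], threshold: int) -> float:
    """Share of genuine attempts the device would reject (score < threshold)."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_rates(threshold: int,
                genuine: List[int] = GENUINE_SCORES,
                impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """(FAR, FRR) for one threshold, i.e. for one chosen error tolerance."""
    return (false_accept_rate(impostor, threshold),
            false_reject_rate(genuine, threshold))


def lowest_threshold_for_far(max_far: float,
                             impostor: List[int] = IMPOSTOR_SCORES) -> int:
    """Most permissive threshold (hence lowest FRR, best usability) that still
    keeps FAR at or below the security target max_far."""
    for threshold in range(0, 101):
        if false_accept_rate(impostor, threshold) <= max_far:
            return threshold
    return 101  # no threshold on the scale meets the target


def equal_error_threshold(genuine: List[int] = GENUINE_SCORES,
                          impostor: List[int] = IMPOSTOR_SCORES) -> int:
    """Threshold where FAR and FRR are closest (the equal error rate point)."""
    best_threshold, best_gap = 0, None
    for threshold in range(0, 101):
        far, frr = error_rates(threshold, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_threshold, best_gap = threshold, gap
    return best_threshold


def tradeoff_table(thresholds: List[int]) -> List[Tuple[int, float, float]]:
    """Rows of (threshold, FAR, FRR): tightening the threshold lowers FAR
    (more secure) while raising FRR (more genuine users turned away)."""
    return [(t,) + error_rates(t) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in tradeoff_table([40, 50, 56, 61, 70, 80]):
        print(f"threshold {t:3d}: FAR {far:.1f}  FRR {frr:.1f}")
    print("lowest threshold with FAR 0:", lowest_threshold_for_far(0.0))
    print("equal error threshold:", equal_error_threshold())
```

On these constructed scores, threshold 50 accepts two impostors in ten while rejecting no genuine user, threshold 70 accepts no impostor but rejects two genuine users in ten, and the two error rates meet at threshold 56; the operator's choice of threshold is exactly the usability/security trade the table above summarises per biometric type.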


4 Interviews

We have chosen to conduct two interviews to discuss the four authentication mechanisms discussed in the previous chapter. The purpose of the interviews was to obtain insights on how the authentication mechanisms are dealt with in practice and how the relationship between usability and security is portrayed. We have deliberately chosen to conduct one interview with Martin Wijnmaalen, who provided input from a security perspective, and the other interview with Eric Velleman, who provided input from a usability perspective. Martin is senior manager at Ernst & Young EDP Audit in the Netherlands and has more than 8 years of experience in information security and IT assurance. Eric Velleman is technical director and accessibility expert. He has worked for more than twenty years at 'Stichting Bartiméus Accessibility' with the visually impaired and has conducted research on accessibility, usability and user profiles for people with disabilities and ICT.

Based upon the interviews we are able to conclude the following (for a summary of the interviews, please refer to the appendix):
• Identity and access management is one of the most important and most time consuming activities addressed within organizations;
• Companies spend a lot of time improving IT and operational efficiencies (e.g. password resets);
• Passwords and/or PIN codes are difficult to remember and are often written down, or a 'workaround' is chosen such as choosing an easy to guess password, which affects the security level;
• A preference for the use of biometrics as an authentication mechanism is shown, but it is not commonly used by organizations. The use of biometrics would improve the usability;
• Creating awareness amongst suppliers and emphasizing the importance of accessibility and usability is very important, but is unfortunately very low on the agenda of most organizations;
• Usability and security are not taken into consideration from the start of the design phase.

5 The optimal balance between usability and security

In the previous chapters we have discussed the definitions of usability and security and the various types of authentication mechanisms, and we have defined their usability and security levels. When we look more closely into the different types of authentication mechanisms we are able to conclude that each mechanism has its own strengths and weaknesses. We discussed four types of authentication mechanisms and were able to establish the following relationships between usability and security:
• Passwords: passwords in a high password complexity category result in a low level of both usability and security. Users have trouble memorizing the passwords and therefore write them down. Passwords in a low password complexity category result in a high usability level but a low security level. In this case users are able to memorize the passwords easily but are not obliged to change them often, which is at the expense of security. Thus, passwords in a moderate complexity category result in a well balanced level of usability and security;
• Challenge questions: a fixed question type results in questions defined by administrators which are secure for users such as IT professionals, but not for the common users, who are then obliged to use questions from a fixed list.
Using an open question/answer type results in user defined input, which provides flexibility and ease of use. On the other hand this tends to be less secure and easy to be guessed, which results in a low security level. Thus, having a controlled question/answer type results in a well balanced level of usability and security;
• Tokens: tokens are used more commonly for the physical domain and are considered a weak mechanism outside the financial sector, because presentation of a valid token does not prove ownership and a token can be stolen. One Time Passwords (OTP) such as the SecurID are one way of significantly reducing the risk of using passwords. There are weaknesses with using only this approach, but the chance of someone stealing or fraudulently obtaining the key fob and knowing the user's id to successfully masquerade as that identity is considered unlikely. Thus, OTP provides the most balanced level of usability and security;
• Biometrics: the different types of biometrics are very dependent on the error tolerance, which can be measured by the False Accept Rate (FAR) and False Reject Rate (FRR). The fingerprint is the most mature biometric technology and its reliability is well accepted. The iris is becoming very stable over time and is characterized by its uniqueness. Thus, both fingerprint and iris provide the most balanced level of usability and security.

5.1 More secure authentication

The separate authentication mechanisms as discussed earlier provide a way to establish security and are in fact forms of single factor authentication. The classic form is the user id and password. This form of user authentication, while used extensively, is relatively weak because the same password is used over and over again, giving many opportunities for it to be illicitly captured [41]. Two factor authentication is considered to be stronger than single factor authentication [41].
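The tokens paragraph above names one-time passwords such as SecurID as a way to reduce the risk of a reused password, and the paragraph just above explains why a static password is weak: the same secret is sent every time, so one captured copy is enough. As an added example (not code from the thesis, from RSA or from SecurID, which uses its own algorithm), here is an event-based one-time password per RFC 4226 (HOTP) with both sides of the exchange: the key fob that generates codes and the server that verifies them. It shows that a code that was already accepted is rejected when presented again. The class and function names, the look-ahead window of 3 and the use of the RFC 4226 test secret as the shared key are assumptions of this example.

```python
"""One-time passwords (HOTP, RFC 4226) with a token side and a verifying side.
Added illustration; not code from the thesis, RSA or SecurID. The shared secret
is the RFC 4226 test secret, used here as constructed sample data."""
import hashlib
import hmac
import struct
from typing import Dict

# RFC 4226 test secret (ASCII "12345678901234567890"); constructed sample value.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 based one-time password for an event counter (RFC 4226)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    binary = ((digest[offset] & 0x7F) << 24 | digest[offset + 1] << 16
              | digest[offset + 2] << 8 | digest[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class Token:
    """The key fob: holds the secret and a counter that only moves forward."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class OtpVerifier:
    """Server side: per-user secret plus the highest counter already accepted,
    so a captured code cannot be replayed the way a static password can."""

    def __init__(self, secrets_by_user: Dict[str, bytes], look_ahead: int = 3) -> None:
        self._secrets = secrets_by_user
        self._last_used: Dict[str, int] = {u: -1 for u in secrets_by_user}
        self._look_ahead = look_ahead  # tolerates codes generated but never submitted

    def verify(self, user_id: str, code: str) -> bool:
        secret = self._secrets.get(user_id)
        if secret is None:
            return False  # the user id must be known before any code is checked
        start = self._last_used[user_id] + 1
        for counter in range(start, start + self._look_ahead + 1):
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last_used[user_id] = counter  # this and all earlier codes are now burnt
                return True
        return False


def demo() -> Dict[str, bool]:
    """Accept, replay, skipped-ahead and unknown-user cases; returns each outcome."""
    token = Token(SHARED_SECRET)
    server = OtpVerifier({"alice": SHARED_SECRET})
    first = token.next_code()
    results = {"first code accepted": server.verify("alice", first),
               "replay of first code rejected": not server.verify("alice", first)}
    token.next_code()                 # generated on the fob but never submitted
    third = token.next_code()
    results["skipped-ahead code accepted"] = server.verify("alice", third)
    results["unknown user rejected"] = not server.verify("bob", token.next_code())
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The look-ahead window is the usability knob on the server side: a larger window forgives more button presses that were never submitted, at the cost of checking more candidate counters per login; the counter is only advanced on a successful match, which is what makes the replay in `demo` fail.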
Two factor authentication usually involves using something you have and something you know. The most widely used forms are:
• Automatic Teller Machine (ATM) card and PIN: one needs the card and needs to know the PIN code;
• Token and PIN: one needs the token and needs to know the PIN code.

An even more secure form of user authentication is three factor authentication. This involves using something you have, something you know and something you are, for example an access control token such as a smart card, a PIN to access the smart card and a biometric value held in a central database. The card is entered into a reader, the PIN is entered via a special PIN pad or keyboard, and the biometric is read and encrypted under a cryptographic key held on the smart card. The user id, read from the smart card, together with the encrypted biometric, is sent to the central access control system, where the biometric can be decrypted and compared with the value in the central access control database. Note here that the user PIN is not sent to the central access control system, but is checked locally by the smart card [41]. Thus, in a more secure environment, by means of two or three factor authentication, a user needs to perform more steps, which is not always efficient.

5.2 More usable authentication

The usage of multiple applications and information systems has grown in the last decade. Users often require access to multiple systems or applications, using different authentications every time, which does not make it easier or more efficient. Single Sign On (SSO) describes the ability to use one set of credentials, an ID and password or a passcode for example, to authenticate and access information across system, application and even organizational boundaries [35]. Even biometric security devices allow the concept of single sign-on to extend to the physical layer. A person would only have to enroll once to let his or her biometric characteristics give access to every door, computer, or application that he or she needs access to [42].

6 Conclusion

In this thesis we have described the major types of authentication mechanisms, how and why these authentication mechanisms are necessary and some of the usability issues associated with each. We have seen that usability and security have many different definitions, each defined in different ways. The components or aspects of which they consist are highly dependent on what is considered to be useful for the author or organization. In this chapter we provide answers to the research questions as defined in paragraph 1.2.

What is usability?
We define usability as: "The extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use". Thus, usability refers to users who interact with information systems or devices with the goal of obtaining access to systems or buildings as efficiently, effectively and satisfactorily as possible.

What is security?
Security is the "preservation of confidentiality, integrity and availability of information".
Thus, security relates to the protection of information and information systems from unauthorized individuals in order to safeguard the accuracy and completeness of the information and to keep it accessible and usable upon demand.

What is the relationship between usability and security?
When we look back at the types of authentication mechanisms discussed in this thesis we are able to conclude that each mechanism has its own strengths and weaknesses. We determined that a relationship between the usability and the security of authentication mechanisms exists and that it is possible to have a balanced level between usability and security.

How will the relationship between usability and security develop in the coming years?
We believe the trend of combining secure computing with ease of use and quality will not go away and will grow even more in the future. Two-factor and three-factor authentication, for instance, provide better security without decreasing the level of usability. We further believe that a combination of technologies and mechanisms, securely linked, will result in stronger authentication. Access control techniques such as single sign on and the use of Radio-frequency identification within organizations will continue to develop and increase in the next few years.
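The answer above refers back to the three factor flow of paragraph 5.1: a smart card that checks the PIN locally, a biometric encrypted under a key held on the card, and a central system that decrypts and compares it, never seeing the PIN. The following is an added example of that flow, not code from the thesis or from Thales. It models the card, the central access control system and the reader that drives them, and shows the three failure modes a defender cares about: a wrong PIN is refused on the card without any message to the server, a non-matching biometric is refused by the server, and a message altered in transit fails the integrity check. The class and function names, the card key, PIN and templates (all constructed), the byte-agreement matcher with its 90% threshold, and the HMAC-SHA256 encrypt-then-MAC construction (a dependency-free stand-in for a real authenticated cipher such as AES-GCM) are assumptions of this example.

```python
"""Three factor flow from paragraph 5.1: smart card + PIN + biometric. Added
illustration, not code from the thesis or from Thales. Key, PIN and templates
are constructed; the HMAC-SHA256 encrypt-then-MAC construction stands in for a
real authenticated cipher (e.g. AES-GCM) only to keep the example dependency-free."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_derive(enc_key, nonce + bytes([i])) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, so the server can check integrity first."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag, then decrypts; raises ValueError if the blob was altered."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def match_score(live: bytes, reference: bytes) -> float:
    """Constructed matcher: share of equal template bytes (real matchers differ)."""
    if not live or len(live) != len(reference):
        return 0.0
    return sum(a == b for a, b in zip(live, reference)) / len(live)


class SmartCard:
    """Something you have; it checks the PIN itself, so the PIN never leaves the card."""

    def __init__(self, user_id: str, pin: str, card_key: bytes, max_tries: int = 3) -> None:
        self.user_id, self._card_key, self.max_tries = user_id, card_key, max_tries
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._tries_left, self.blocked = max_tries, False

    def verify_pin(self, pin: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self._tries_left = self.max_tries
            return True
        self._tries_left -= 1
        self.blocked = self._tries_left == 0      # repeated failures block the card
        return False

    def seal_biometric(self, live_template: bytes) -> bytes:
        return seal(self._card_key, live_template)


class CentralAccessControl:
    """Holds each user's card key and enrolled template; never sees the PIN."""

    def __init__(self, enrolled: Dict[str, Tuple[bytes, bytes]], min_match: float = 0.9) -> None:
        self._enrolled, self._min_match, self.requests_seen = enrolled, min_match, 0

    def authorize(self, user_id: str, sealed_template: bytes) -> str:
        self.requests_seen += 1
        if user_id not in self._enrolled:
            return "unknown user"
        card_key, reference = self._enrolled[user_id]
        try:
            live = open_sealed(card_key, sealed_template)
        except ValueError:
            return "integrity check failed"
        return "granted" if match_score(live, reference) >= self._min_match else "biometric mismatch"


def authenticate(card: SmartCard, pin: str, live_template: bytes, server: CentralAccessControl) -> str:
    """Reader flow: local PIN check first; only then is the sealed biometric sent."""
    if not card.verify_pin(pin):
        return "pin rejected on card"
    return server.authorize(card.user_id, card.seal_biometric(live_template))


# Constructed sample values (not from any real deployment).
CARD_KEY = hashlib.sha256(b"constructed card key").digest()
ALICE_ENROLLED = hashlib.sha256(b"constructed alice template").digest()[:20]
ALICE_LIVE = ALICE_ENROLLED[:3] + bytes([ALICE_ENROLLED[3] ^ 0x01]) + ALICE_ENROLLED[4:]  # 19 of 20 bytes agree
OTHER_LIVE = hashlib.sha256(b"constructed other template").digest()[:20]


def demo() -> Dict[str, object]:
    card = SmartCard("alice", "1234", CARD_KEY)
    server = CentralAccessControl({"alice": (CARD_KEY, ALICE_ENROLLED)})
    out: Dict[str, object] = {"own biometric": authenticate(card, "1234", ALICE_LIVE, server)}
    seen = server.requests_seen
    out["wrong pin"] = authenticate(card, "0000", ALICE_LIVE, server)
    out["wrong pin reached server"] = server.requests_seen != seen
    out["someone else's biometric"] = authenticate(card, "1234", OTHER_LIVE, server)
    blob = bytearray(card.seal_biometric(ALICE_LIVE))
    blob[20] ^= 0xFF                              # a ciphertext byte altered in transit
    out["tampered message"] = server.authorize("alice", bytes(blob))
    for _ in range(3):
        card.verify_pin("9999")
    out["after lockout"] = authenticate(card, "1234", ALICE_LIVE, server)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The extra step the text mentions is visible in `authenticate`: the user presents the card, the PIN and the biometric, yet the server only ever receives the user id and a sealed template, so a wrong PIN produces no network traffic at all and a blocked card cannot be used even with the correct PIN.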


To answer our main research question: "To what extent is it possible to have a sufficient level of security, without losing usability?"

We have performed literature studies and analyzed case studies of tradeoffs between usability and security for various authentication mechanisms. We can conclude that a balanced level of usability and security can be obtained for each authentication mechanism and that security is not at the expense of usability or vice versa. Usability and security can co-exist, and the extent to which an optimal balance between these two aspects can be achieved is particularly determined by the following factors:
• type of organization;
• type of process;
• the importance and sensitivity of the information that needs to be protected;
• target audience.

7 Reflection

Terren Chong

I have always been very interested in doing business online (e-commerce) and have been involved (and still am) in various website projects. Already familiar with the term web usability and the research papers of Jakob Nielsen (some say the 'usability guru'), I knew I had to do something with usability. In the beginning, I wasn't sure how to incorporate the subject so it would relate to the postgraduate IT audit program, but found out soon that this would not be an issue.

The idea to investigate the relationship between usability and security started when a client told me that their employees were writing their passwords down because they could not remember them. I was actually a bit surprised, because the password policy at that time was not in line with best practice.

The 'real work' started for me in January when I came back from my holidays. We had handed over our plan of approach the month before and the actual work was ahead of us. Not sure what we would find in the literature, we kicked off our literature study mid-January. The initial plan was to write the thesis in Dutch, but after a few days searching on the Internet, including electronic book repositories (e-books), I realized that there wasn't sufficient material available or studies conducted in Dutch that would support the research question and overall topic. One-fourth of the thesis was already written in Dutch, and with a busy period at work and seeing that the actual time left to work on the thesis was limited, Andrew and I decided to 'switch' to English. In my opinion it was the right choice to make. The risk of a possible delay was accepted, but could not be avoided, as the pressure was clearly felt in the last two weeks. Sundays became a typical 'thesis day' where I would meet with Andrew for the day.

The financial statement audit is important in meeting investor expectations. As an IT auditor with a key role in the financial statement audit, I feel that we need to pay more attention when writing our recommendations, and not only recommend because something is considered to be a best practice, but make the recommendation a piece of advice that the company would actually use or at least consider implementing. A good example is our advice on password policies. This not only concerns our role in financial statement audits, but any audit and assurance related assignments that we are involved in.


I would concentrate future research on creating a framework for usability and security, a framework that would take the following elements into consideration:
- Type of organization/industry;
- The information being protected;
- Authentication mechanism;
- Component;
- Usability level;
- Security level;
- Overall rating.

Furthermore I have gained more interest in learning about RFID, single sign on implementations and the possibilities of three-factor authentication mechanisms.

Andrew Cheung

I have experienced many times at clients' sites during financial audits that we only focus on the security part and make recommendations which are actually justifiable, but which do not take into account that the actual usability of the specific process would drop dramatically. That's why I wanted to focus on this subject, to be able to start an initial discussion to determine the relationship between usability and security.

During the study period I was sent to Germany for a project, so every week I flew off and on, which was not that beneficial to the thesis and also to the time I could spend on my studies. That's why Sundays became a typical 'thesis day' where we would meet with each other for the whole day. We also found out there was quite limited information (or hard to find) to be able to understand the relationship between usability and security.

For further research I would recommend focusing on the actual types of two or three factor authentication and performing an inquiry, more interviews and field research to investigate and actually measure the tradeoff between usability and security in practice. Furthermore I would also focus on the possibility of using two or three factor authentication with single sign on. Another research topic which we think is also of great value is to develop a framework to assess both usability and security


Appendix

Interview with Martin Wijnmaalen
Agreed on 25 March 2008

Each year we see the business environment become more complex and the scope of information security expand. New technologies, global connectivity and increased regulatory requirements continue to push information security to new levels. When asked about the different authentication mechanisms discussed in this thesis, Martin says that identity and access management is one of the most important and most time consuming activities to address within organizations. Furthermore he says that security functions within companies spend a lot of time improving IT and operational efficiencies (e.g. password resets).

Martin feels that the level of security depends on how important the data or object is that users, and thus organizations, want to protect. A good example is the four-digit PIN code used by the banking industry on ATM cards. "No one wants unauthorized people to withdraw cash from the ATM using their ATM card. Keeping the four-digit PIN code a secret is therefore not a problem for most users and the level of security is considered to be sufficient, even if it's not in line with 'best practices' when talking about password requirements." Another example he gives is his own Blackberry. "The current PIN code settings are so strict that it has become 'unusable' and easy to guess combinations are used, as a result making the level of security lower."

Using physical access devices for information systems authentication such as biometrics is one activity within organizations he hasn't come across so often. "Biometrics has been an active research field for the last five years or so, stating that it could replace the use of passwords in the future, but to my surprise it's still low on the agenda within many organizations" says Martin. One good reason might be the IT support organization that is required when implementing the use of biometrics in organizations. The type of organization is also a key factor when deciding on the type of measures to implement. An atomic power plant, e.g., would put more emphasis on adequate physical controls than e.g. a bank, which would put more stress on adequate logical access controls.

One access control method that could improve usability is Single Sign On (SSO), says Martin. The technical complexity and the use of legacy systems within organizations can however make it difficult, time-consuming and expensive to retrofit to existing applications.

The 'security function' perspective also needs to be considered when talking about the relationship between usability and security. An audit trail, e.g., can be a very useful detective measure to implement, but needs to be set up in such a way that it can be used; "if not, what's the use?".

According to Martin the starting point is identifying the risks and implementing appropriate measures that are efficient and thus easy to use. The use of RFID (Radio-frequency identification) is a development we want to keep a close watch on, says Martin, as he expects its use to increase rapidly in the coming years.


Interview with Eric Velleman

"The Bartiméus Accessibility Foundation was founded in 2001 and provides education and outreach in the form of information and training to businesses, (local) governments and other organizations concerning the accessibility of the Internet for the elderly and people with disabilities" says Eric. The foundation is accredited for performing accessibility and usability inspections on websites based on multimedia formats used by the World Wide Web Consortium (W3C) and other consortia, such as the Web Content Accessibility Guidelines (WCAG). In addition the foundation is involved in various projects.

When asked about the relationship between usability and security Eric gives an example of the Cito exam, an end of primary school test in the Netherlands, which is taken using a personal computer. He says that from a security perspective they've decided to force the computer to run only one application (the Cito exam application) at a time to prevent students from using a dictionary. This however made it impossible to run other applications at the same time that would allow e.g. visually impaired students to take the test. "This results in a less accessible and user-friendly system" he says.

Furthermore he says that an important factor is creating awareness amongst suppliers, emphasizing the importance of accessibility and usability.

Eric doesn't feel that there is a negative relationship between usability and security. "If usability is taken into consideration from the start of the design phase neither usability nor security would be an issue" he says. A good example is 'the talking digipass' introduced by SNS Bank to make online banking possible for the visually impaired. "SNS Bank was keen on making online banking accessible for everyone. If security was a major issue, another solution would be required, but apparently it was not".

He supports the use of biometrics as an authentication mechanism and feels it will help increase the level of both usability and security. "I know a lot of people that have their PIN code written down on a piece of paper or scratched on their ATM card" he says. This especially concerns elderly people. "The group of elderly people will grow extensively in the next few years. This is almost 25% of the entire population" he says. Authentication mechanisms are therefore required to be made more usable so we can service different target groups.

Another example he gave was about the use of credit cards. He has been a victim of credit card fraud three times, where he was charged on his company credit card unwillingly. "This can be done very easily" he says. "When you use your credit card at e.g. a restaurant, your credit card details can easily be copied


Sources

1 ISO 9241-11, Part 11: Guidance on usability, 1998;
2 Jakob Nielsen, Usability 101: Introduction to Usability, 2003;
3 Brian Shackel, Simon J. Richardson, Human Factors for Informatics Usability, 1991;
4 Paul A. Booth, An Introduction to Human-Computer Interaction, 1989;
5 Tom Brinck, Darren Gergle, Scott D. Wood, Usability for the Web: Designing Web Sites that Work, 2002;
6 Deborah Hix and H. Rex Hartson, Developing User Interfaces: Ensuring Usability Through Product & Process, 1993;
7 Judy Jeng, Usability Assessment of Academic Digital Libraries: Effectiveness, Efficiency, Satisfaction, and Learnability, 2005;
8 ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security management, 2005;
9 SANS Institute, http://www.sans.org/information_security.php;
10 US CODE: Title 44, 3542. Definitions, http://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003542----000-.html;
11 An Introduction to Information Security, http://pages.stern.nyu.edu/~abernste/teaching/Spring2001/security.html;
12 Paul Overbeek, Edo Roos Lindgreen, Marcel Spruit, Informatiebeveiliging onder controle, 2e Editie, 2005;
13 Jan van Praat, Hans Suerink, Inleiding EDP-auditing, 2004;
14 Michael Gregg, CISSP Exam Cram 2;
15 B. Schneier, Sensible Authentication, ACM Queue 1, 2004;
16 RSA Information Security Glossary, http://www.rsa.com/glossary/default.asp?id=1006;
17 RSA Information Security Glossary, http://www.rsa.com/glossary/default.asp?id=1007;
18 Nomenclature introduced by http://www.realuser.com/technology/;
19 R. E. Smith, Authentication: From Passwords to Public Keys, 2002;
20 Matt Bishop, Computer Security: Art and Science, Reading, 2003;
21 M. Angela Sasse, Sacha Brostoff, Dirk Weirich, Transforming the 'weakest link': a human-computer interaction approach to usable and effective security, 2001;
22 M. Angela Sasse, Sacha Brostoff, Ten strikes and you're out: increasing the number of login attempts can improve password usability, 2003;
23 Password Management Best Practices, http://psynch.com/docs/password-management-best-practices.html;
24 Thomas Baekdal, The Usability of Passwords, 2007;
25 Lorrie Faith Cranor, Simson Garfinkel, Security and Usability, 2005;
26 Mike Just, Designing Authentication Systems with Challenge Questions, 2005;
27 Mike Just, Designing Secure Yet Usable Credential Recovery Systems With Challenge Questions, 2003;
28 M. Angela Sasse, Usability and trust in information systems, 2004;
29 R. E. Smith, Authentication: From Passwords to Public Keys, 2002;
30 Authentication - Security Tokens, http://www.authenticationworld.com, 2006;
31 Anderson, R. J., Why Cryptosystems Fail, 1994;
32 Svigals, J., Smartcards - a Security Assessment, 1994;
33 Fred B. Schneider, Something You Know, Have, or Are, 2005;
34 Lynne Coventry, Usable Biometrics, 2005;
35 RSA Information Security Glossary, http://www.rsa.com/glossary/default.asp?id=1049;
36 Andrew S. Patrick, Usability and Acceptability of Biometric Security Systems, 2004;
37 "Tomorrow's Markets," Biometric Technology Today, 2004;
38 Mansfield, Wayman, U.K. biometric working group best practice document, 2002;
39 S. G. Davies, How Biometric Technology Will Fuse Flesh and Machine, 1994;
40 Orville Wilson, Privacy & Identity - Security and Usability: The viability of Passwords & Biometrics, 2004;
41 Thales e-Security, Advanced Authentication, 2003;
42 Hunter Purnell, Dan Marks, Enterprise Biometric Security, 2003.
