Usability and Security

More documents

Recommendations

Info

e guessed, which results in a low security level. Thus, having a controlled question/ answer typeresults in a well balanced level of usability and security;• Tokens: tokens are used more commonly for the physical domain and are considered a weakmechanism outside the financial sector because presentation of a valid token does not proveownership and can been stolen. One Time Password (OTP) such as the SecurID are one way ofsignificantly reducing the risk of using passwords. There are weaknesses with using only thisapproach but the chance of someone stealing or fraudulently obtaining the key fob and knowing theuser's id to successfully masquerade as the identity is considered unlikely to happen. Thus, OTPprovides the most balanced level of usability and security;• Biometrics: the different types of biometrics are very dependant of the error tolerance which can bemeasured by the False accept rates (FAR) and False reject rates (FRR). The fingerprint is the mostmature biometric technology and its reliability is well accepted. The Iris is becoming very stableover time and is characterized by its uniqueness. Thus, both fingerprint and Iris provide the mostbalanced level of usability and security.5.1 More secure authenticationThe separate authentication mechanisms as we discussed earlier provides a way to establish security andare in fact forms of single factor authentication. The classic form is the user id and password. This form ofuser authentication while used extensively is relatively weak because the same password is used over andover again, giving many opportunities for it to be illicitly captured 41 . The two way factor authentication isconsidered to be stronger than the single one 41 . Two factor authentications usually involve usingsomething you have and something you know. The most widely used forms are:• Automatic Teller Machine (ATM) card and PIN: one needs the card and needs to know the pincode;• Token and PIN: one needs the token and needs to know the pin code.An even more secure form of user authentication is the three factor authentication. This involves usingsomething you have, something you know and something you are. This involves for example; using anaccess control token, such as a smart card, a PIN to access the smart card and a biometric value held in acentral database. The card will be entered into a reader, the PIN is entered via a special PIN pad orkeyboard, the biometric is read and encrypted under a cryptographic key held on the smart card. The userid, read from the smart card, together with the encrypted biometric are sent to the central access controlsystem where the biometric can be decrypted and compared with the value on the central access controldatabase. Note here that the user PIN is not sent to the central access control system, but is checked locallyby the smart card 41 . Thus, having a more secure environment, by means of two or three way factorauthentication, a user need to perform more steps which is not always efficient.5.2 More usable authenticationThe usage of various multiple application and information systems has grown in the last decade. Usersoften require access to multiple systems or applications using different authentications every time, not24
making it easier and more efficient. Single Sign On (SSO) describes the ability to use one set ofcredentials, an ID and password or a passcode for example, to authenticate and access information across asystem, application and even organizational boundaries35. Even biometric security devices allow theconcept of single sign-on to extend to the physical layer. A person would only have to enroll once to lethis or her biometric characteristics give access to every door, computer, or application that he or she needsaccess to 42 .6 ConclusionIn this thesis we have described the major types of authentication mechanisms, how and why theseauthentication mechanism are necessary and some of the usability issues associated with each. We haveseen that usability and security have many different definitions, each defined in different ways. Thecomponents or aspects of which they consist are highly dependant of what is considered to be useful forthe author or organization. In this chapter we will provide answers to the research questions as defined inparagraph 1.2.What is usability?We define usability as: “The extent to which a product can be used by specified users to achieve specifiedgoals with effectiveness, efficiency and satisfaction in a specified context of use”. Thus, usability refers tousers who interact with information systems or devices with to goal to obtain access to systems orbuildings as efficient, effective and satisfied as possible.What is security?Security is the “preservation of confidentiality, integrity and availability of information”. Thus, securityrelates to the protection of information and information systems from unauthorized individuals in order tosafeguard the accuracy and completeness of the information and it being accessible and usable upondemand.What is the relationship between usability and security?When looked back at the types of authentication mechanisms discussed in this thesis we are able toconclude that each mechanism has its own strengths and weaknesses. We determined that the relationshipbetween usability and security of authentication mechanisms exist and that it’s possible to have a balancedlevel between usability and security.How will the relationship between usability and security develop in the coming years?We believe the trend of combining secure computing and ease of use and quality will not go away andgrow even more in the future. Two-factor and the three-factor authentication for instance provide bettersecurity, without decreasing the level of usability. We further believe that a combination of technologiesand mechanisms securely linked will result in stronger authentication. Access control techniques such asthe single sign on and the use of Radio-frequency identification within organizations will continue todevelop and increase in the next few years.25
Page 1 and 2: Usability and SecurityUniversity: V
Page 3 and 4: ACKNOWLEDGMENTSThis thesis covers t
Page 5 and 6: IntroductionThe developments in Inf
Page 7 and 8: idging the gap between theory and p
Page 9 and 10: 2.1.3 Usability componentsIn order
Page 11 and 12: custom approach 12 . An example of
Page 13: put usability and security amongst
Page 16 and 17: Security aspects:• Confidentialit
Page 18 and 19: ambiguous. Controlled answers offer
Page 20 and 21: 3.3.3 TokensIn this paragraph the t
Page 22 and 23: Security aspects:• Confidentialit
Page 24 and 25: The strengths, weaknesses and usabi
Page 26 and 27: conclude that the most efficient bi
Page 30 and 31: To answer our main research questio
Page 32 and 33: AppendixInterview with Martin Wijnm
Page 34 and 35: Sources1 ISO 9241-11, Part 11: Guid

Usability and Security

Create successful ePaper yourself

Delete template?

Save as template?