
Making User Authentication More Usable


A recent revision to the US Government’s authentication guideline, NIST SP 800-63B "Authentication and Lifecycle Management", puts a greater emphasis on the usability of authentication in its recommendations. This talk will discuss the ways in which it attempts to relieve the users’ burden and shift more responsibility to the services themselves, hopefully improving overall security in the process.

Presentation to BayCHI, December 12, 2017


Making User Authentication More Usable

  1. Making User Authentication More Usable (Jim Fenton)
  2. Context
     - I’m a consultant to the National Institute of Standards and Technology, focusing on revising US Government digital identity standards
     - Everything here is my own opinion; I don’t speak for NIST!
     - This talk focuses on the usability aspects of authentication, and the security aspects only incidentally
  3. About SP 800-63
     - NIST Special Publication 800-63, Digital Identity Guidelines
     - Intended for federal government use, but also widely used commercially and internationally
  4. Four-volume Set
     - Enrollment and Identity Proofing: SP 800-63A
     - Authentication and Lifecycle Management: SP 800-63B
     - Federation and Assertions: SP 800-63C
  5. Executive Order 13681, “Improving the Security of Consumer Financial Transactions”
     - “…ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
  6. Who are the Users?
     - Everybody: non-English speakers, homeless people, disabled veterans, hospital patients, physicians, elderly, students
     - Usability needs to consider all of these, not just Federal employees!
     - Photo by Rob Curran on Unsplash
  7. Usability Emphasis in SP 800-63-3
     - Engaged NIST human-factors specialists
     - Included a Usability Considerations section in each volume (A, B, and C)
     - Invited review on normative requirements that might affect usability
  8. Related Concepts
     - Accessibility: Can users with various disabilities authenticate?
     - Availability: Can users authenticate under all circumstances?
  9. Authenticators
     - Nine authenticator types defined:
     - Memorized secret (password, PIN, etc.)
     - Look-up secret
     - Out-of-band device
     - Single- and multi-factor OTP device
     - Single- and multi-factor crypto software
     - Single- and multi-factor crypto device
  10. Factors
     - There are three authentication factors: something you know (password), something you have, something you are (biometric)
     - Authenticators may provide 1 or 2 of these
  11. Memorized Secrets
     - Passwords, passphrases, PINs, etc.
  12. Memorized Secrets
     - Passwords are the most used authenticators, the most hated authenticators, and relatively weak
     - But they’re the only “something you know”
     - Security questions no longer acceptable
  13. Making Passwords More Usable
     - Action: Get rid of composition rules (include digits, symbols, etc.). Rationale: Frustrating for users, less benefit than expected
     - Action: Allow all printing characters plus space. Rationale: Maximum freedom in selection; no technical reason otherwise
     - Action: Allow Unicode characters. Rationale: Memorable passwords in all languages
     - Action: Very long maximum length. Rationale: Encourage long passwords, passphrases
  14. Frustration vs. Security
     - Recommend use of a blacklist for common passwords
     - Unfortunately not very transparent
     - Frustrated users make bad choices
     - (Chart: weak passwords allowed and frustrated users plotted against blacklist size)
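As an added example (not code from the slides or from NIST), the Python check below applies the slide 13 rules together with the slide 14 blacklist: no composition rules, any printing character plus space, Unicode accepted and NFKC-normalized before comparison, a long maximum, and a plain-text reason for every rejection so the blacklist check is less opaque to the user. The blocklist contents and the 256-character maximum are constructed values for the example.

```python
import unicodedata

# Constructed blocklist for this example; a real verifier would load a large list
# of breached and commonly chosen passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}

MIN_LENGTH = 8    # SP 800-63B minimum length for user-chosen memorized secrets
MAX_LENGTH = 256  # constructed choice; SP 800-63B says at least 64 should be accepted


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so the same passphrase typed with different keyboards
    or input methods compares equal (and so fullwidth spoofs of blocked words
    are caught)."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    Deliberately no composition rules: digits, symbols and mixed case are never
    required, and any printing character (Unicode included) plus space is allowed.
    Each reason is text the UI can show the user."""
    reasons = []
    normalized = normalize(secret)
    length = len(normalized)  # count code points after normalization, not bytes
    if length < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Only Unicode categories starting with "C" (control, format, unassigned...)
    # are refused; space (category Zs) and letters in any script are fine.
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        reasons.append("contains non-printing characters")
    if normalized.casefold() in blocklist:
        reasons.append("is on the list of commonly used passwords")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "ｐａｓｓｗｏｒｄ", "short1!"]:
        print(repr(candidate), "->", check_memorized_secret(candidate) or "accepted")
```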
  15. Password Visibility
     - Passwords are obscured to inhibit “shoulder surfing”
     - Makes correct entry more difficult, and often there is no shoulder-surfing threat
     - Recommend making passwords visible on request
     - Future browser feature??
  16. Pasting
     - Some sites disallow pasting: <input type="password" onPaste="return false">
     - Also disables password managers
     - Done to enhance security, but probably encourages weaker passwords
     - SP 800-63B discourages blocking pasting
  17. Other Authenticators
  18. Look-up Secrets
     - List of machine-generated one-time secrets
     - Not intended for memorization: typically more complex
     - Less usable/accessible because they require manual transcription, subject to misread/mistyping
     - Cheap and very suitable as a backup authenticator
  19. Out-of-Band
     - Requires a separate communication channel, usually a separate device
     - Availability: cell phone service is not always available
     - Accessibility: usually requires transcription of a secret from one device to another, often time-limited
  20. Single-factor One Time Password (OTP)
     - Requires transcription from device to login session
     - Time-based OTP imposes a time limit on this process
     - Photo credit: Wikimedia Commons
  21. Multi-factor OTP
     - Requires transcription of secret from authenticator to login session
     - Typing on small device may be challenging
     - Photo credit: HID
  22. Cryptographic Software Authenticators
     - Example: client certificate (with or without passphrase)
     - Process for installation of authenticator on user device should be considered
     - Authenticators need to be organized for identification
  23. Single-factor Cryptographic Device
     - Availability: requires an interface (e.g., USB) to connect to authenticating device
     - Location of some ports is inconvenient for pushing the button
     - Photo credit: Yubico
  24. Multi-factor Cryptographic Device
     - Availability: requires an interface or adapter to connect to authenticating device
  25. About Biometrics…
     - Need to reproduce conditions of enrollment: choice of finger (fingerprint), lighting conditions (iris), facial hair, expression, glasses (face)
     - Many modalities (fingerprint, iris, etc.) are not usable by some people
     - Generally considered convenient to use, but familiarity is important
  26. Summary
     - There isn’t a perfect authenticator, from either a usability or security standpoint
     - Services should support a variety of ways to authenticate and to enroll multiple authenticators per user
  27. Identity Proofing
  28. Identity Proofing
     - Enrollment process: establishing that a digital identity corresponds to a specific individual
     - Generally done only once at enrollment, but may be repeated if all authenticators are lost
     - May be done in-person (preferred) or remotely
     - Less sensitive to convenience, but more sensitive to accessibility (disabled, homeless, etc.)
  29. Questions?