Making User Authentication More Usable

1. Making  User Authentication  More Usable Jim Fenton  @jimfenton

2. Context I’m a consultant to the National Institute of Standards and Technology Focusing on revising US Government digital identity standards Everything here is my own opinion; I don’t speak for NIST! This talk focuses on the usability aspects of authentication, and the security aspects only incidentally

3. About SP 800-63 NIST Special Publication 800-63, Digital Identity Guidelines Intended for federal government use, but also widely used commercially and internationally

4. Four-volume Set Enrollment and  Identity Prooﬁng  SP 800-63A Authentication and  Lifecycle Management  SP 800-63B Federation and Assertions  SP 800-63C

5. Executive Order 13681, “Improving the Security  of Consumer Financial Transactions” “…ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity prooﬁng process, as appropriate.”

6. Who are the Users? Everybody: Non-English speakers Homeless people Disabled veterans Hospital patients Physicians Elderly Students Usability needs to consider all of these Not just Federal employees! Photo by Rob Curran on Unsplash

7. Usability Emphasis in  SP 800-63-3 Engaged NIST human-factors specialists Included a Usability Considerations section in each volume (A, B, and C) Invited review on normative requirements that might affect usability

8. Related Concepts Accessibility: Can users with various disabilities authenticate? Availability: Can users authenticate under all circumstances?

9. Authenticators Nine authenticator types deﬁned Memorized secret (password, PIN, etc.) Look-up secret Out-of-band device Single- and multi-factor OTP device Single- and multi-factor crypto software Single- and multi-factor crypto device

10. Factors There are three authentication factors: Something you know (password) Something you have Something you are (biometric) Authenticators may provide 1 or 2 of these

11. Memorized Secrets Passwords, passphrases, PINs, etc.

12. Memorized Secrets Passwords are: Most used authenticators Most hated authenticators Relatively weak But they’re the only “something you know” Security questions no longer acceptable

13. Making Passwords More Usable Action Rationale Get rid of composition rules (include digits, symbols, etc.) Frustrating for users, less beneﬁt than expected Allow all printing characters plus space Maximum freedom in selection; no technical reason otherwise Allow Unicode characters Memorable passwords in all languages Very long maximum length Encourage long passwords, passphrases

14. Frustration vs. Security Recommend use of a blacklist for common passwords Unfortunately not very transparent Frustrated users make bad choices Weak passwords allowed Frustrated users Blacklist size

15. Password Visibility Passwords are obscured to inhibit “shoulder surfing” Makes correct entry more difficult, and often there is no shoulder-surfing threat Recommend making passwords visible on request Future browser feature??

16. Pasting Some sites disallow pasting: <input type="test" onPaste="return false”> Also disables password managers Done to enhance security, but probably encourages weaker passwords SP 800-63B discourages blocking pasting

17. Other Authenticators

18. Look-up Secrets List of machine-generated one-time secrets Not intended for memorization: typically more complex Less usable/accessible because they require manual transcription, subject to misread/mistyping Cheap and very suitable as a backup authenticator

19. Out-of-Band Requires a separate communication channel, usually separate device Availability: cell phone service is not always available Accessibility: Usually requires transcription of a secret from one device to another, often time-limited

20. Single-factor One Time Password (OTP) Requires transcription from device to login session Time based OTP imposes a time limit on this process Photo credit: Wikimedia Commons

21. Multi-factor OTP Requires transcription of secret from authenticator to login session Typing on small device may be challenging Photo credit: HID

22. Cryptographic Software Authenticators Example: client certiﬁcate (with or without passphrase) Process for installation of authenticator on user device should be considered Authenticators need to be organized for identiﬁcation

23. Single-factor  Cryptographic Device Availability: Requires an interface (e.g., USB) to connect to authenticating device Location of some ports is inconvenient for pushing the button Photo credit: Yubico

24. Multi-factor Cryptographic Device Availability: Requires an interface or adapter to connect to authenticating device

25. About Biometrics… Need to reproduce conditions of enrollment Choice of finger (fingerprint) Lighting conditions (iris) Facial hair, expression, glasses (face) Many modalities (fingerprint, iris, etc.) are not usable by some people Generally considered convenient to use, but familiarity is important

26. Summary There isn’t a perfect authenticator, from either a usability or security standpoint Services should support a variety of ways to authenticate and to enroll multiple authenticators per user

27. Identity Prooﬁng

28. Identity Prooﬁng Enrollment process: establishing that a digital identity corresponds to a speciﬁc individual Generally done only once at enrollment, but may be repeated if all authenticators are lost May be done in-person (preferred) or remotely Less sensitive to convenience, but more sensitive to accessibility (disabled, homeless, etc.)

29. Questions?