
Security and Usability:

The Case of the User Authentication Methods

Christina Braz
Université du Québec à Montréal
C.P. 8888, succ. Centre-ville
Montreal, QC H3C 3P8 Canada
braz.christina@courrier.uqam.ca

Jean-Marc Robert
École Polytechnique de Montréal
C.P. 6079, succ. Centre-ville
Montreal, QC H3C 3A7 Canada
jean-marc.robert@polymtl.ca

ABSTRACT
The usability of security systems has become a major issue in research on the efficiency and user acceptance of security systems. The authentication process is essential for controlling the access to various resources and facilities. The design of usable yet secure user authentication methods raises crucial questions concerning how to solve conflicts between security and usability goals.

KEYWORDS: Security Usability, User Authentication, Human Factors, Access Control, User Interface design.

SUMMARY
The usability of computer security systems has become one of the major problems in research on the efficiency and user acceptance of computer security systems. The authentication process is thus crucial for controlling remote access to resources and facilities. The design of user authentication methods that are easy to use therefore raises important questions such as: how can the existing conflicts between usability and security goals, as applied to computer systems, be resolved?

CATEGORIES AND SUBJECT DESCRIPTORS: H.1.2 [User/Machine Systems]: Human factors; K.6.5 [Security and Protection]: Authentication; D.4.6 [Security and Protection]: Access controls, Authentication.

GENERAL TERMS: Security in HCI, Usability vs Security, Biometric Data.

INTRODUCTION
User authentication is the entry point to different computing networks or facilities in which a set of services are rendered to users or a set of tasks can be performed. Once authenticated, the user can gain access, for example, to a company’s Intranet, consoles, databases, buildings, vehicles, etc. Usability of the authentication mechanisms has seldom been investigated, and since security mechanisms are conceived, implemented, put into practice and violated by people, human factors should be taken into account in their design [1]. Usability becomes a strategic issue in the establishment of user authentication methods. Usability can be defined as "the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use" [5]. Security usability is concerned with the study of how security information should be handled in the user interface [6] and how security mechanisms and authentication systems themselves should be easy to use. This paper presents the usability security issues of the user authentication methods in the computer security and access control domains. It aims at tackling this growing problem, contributing to the discussions and helping systems developers to make decisions concerning the usability of security systems.

HUMAN FACTORS ASPECTS OF USER AUTHENTICATION METHODS
Presently there has been very little research on security usability; as a consequence, both suitable specific usability design methods and a model of Graphical User Interface (GUI) for authentication methods are needed. The primary data that were gathered on the security usability were concerned with the usability evaluation of Pretty Good Privacy (PGP) [11], a public key encryption program primarily intended for authentication and email privacy, a rule-based authorization engine called MAP [13], previous work on design of secure user interface for network applications (i.e. authentication of the communication) [6], and finally a few generic white papers regarding the matter. In a nutshell, research on Human Computer Interaction (HCI) and Security has been sporadic, even worse on user authentication methods.

Security and usability are both essential in the authentication process. However, the requirements for a high level of security while maintaining adequate usability are frequently in conflict with each other and a suitable balance has to be found. The potential conflicts between security and usability might be minimized by making use of some general design heuristics principles such as minimize the user input, make decisions in the name of the user, notify the user of actions taken upon her/his behalf, and provide the user the capability to undo those actions when possible, and if not to minimize their impact. However, as we have stated earlier, there is no set of usability recognized principles and standards for authentication methods. We will present in the next section of the paper some Human Factors issues of the authentication methods.

Password Complexity
Passwords are the first line of defence against attacks to a computer system. The rules for password choice can certainly be a cumbersome problem for a user and a security problem for a system. For instance, very trivial choices that are easy to guess are broken within seconds using password cracking techniques – the longer the password the more difficult it is to crack. To prevent hackers from gaining access to our computer or files, experts recommend using complicated passwords, which can in a first instance increase the short-term memory load of users, causing frequent errors. In fact, the capacity of short-term memory is normally limited to 7 ± 2 items (e.g. letters, digits, words, etc.) [7]. Traditional password systems include many design features for the purpose of making trial-and-error attacks as difficult as possible. Actually, they violate most of the recognized usability standards for computer systems. From the eight "Golden Rules" for interface design recommended by Shneiderman [9], password interactions break six of them (Table 1). Table 2 mostly shows how to minimize the security usability conflict dealing with these golden rules. In addition, users should follow a set of rules (i.e. password security policy) especially related to password creation: "All passwords must be at least six characters long; Include numbers and letters; Include a mix of upper and lower case; Use different passwords for each system; Change once a month; Do not write anything down" [10].

In a highly networked world, wherein users must access multiple applications, password protection is considered as costly, awkward and insecure. The requirement of authentication to access different applications, services, or facilities might generate frustration among users on a day-to-day basis, because users might need to frequently access the same secured applications in a short period of time.

| Golden Rules of User Interface Design | Adequate for Passwords? |
|---|---|
| 1. Strive for consistency | Yes |
| 2. Frequent users can use shortcuts (A) | No |
| 3. Provide informative feedback (B) | No |
| 4. Dialogs should yield closure | Yes |
| 5. Prevent errors and provide simple error handling (C) | No |
| 6. Easy reversal of any action (D) | No |
| 7. Put the user in charge (E) | No |
| 8. Reduce short-term memory load (F) | No |

Table 1: Do the 8 golden Rules of User Interface Design apply to security systems?

| Item | Usability | Security |
|---|---|---|
| (A) | Users can't take shortcuts: the system won't match the first few letters typed and fill in the rest. | Prevents dictionary¹ and eavesdropping² attacks. |
| (B) | Users hardly see the password they type: they can't find out repeated letters/accidental misspellings. | Prevents guessing attacks and Social Engineering³. |
| (C) | Most systems only mention success or failure: they don't show how close the password guess was, or even discern between a mistyped username and password. | Prevents guessing, eavesdropping and social engineering attacks. |
| (D) | Most systems keep track of incorrect guesses and take irreparable action (locking the user's account) if several bad guesses happen. | Prevents guessing, eavesdropping, and social engineering attacks. |
| (E) | The system makes users be "responders" of actions rather than the initiators. | Prevents guessing, eavesdropping, and social engineering attacks. |
| (F) | Users must follow a set of security policies related to password creation recommended by [10]. Short-term memory is normally limited to 7 ± 2 items. | Prevents guessing, eavesdropping, and social engineering attacks. |

Table 2: How to deal with the golden rules using heuristics.

¹ A form of attack in which an attacker uses a large set of likely combinations to guess a secret.
² Electronic eavesdropping is the intentional surveillance of data: voice, fax, e-mail, mobile telephones, etc. often for nefarious purposes.
³ To infiltrate a physical building or information systems using non-technical means (e.g. searching user desks for passwords on notes).

Locking Pin Systems
A classic strategy to defend against Personal Identification Number (PIN) guessing attacks in authentication tokens is to lock the system after three consecutive invalid PIN attempts. However, this classic strategy could seriously undermine the system usability. After the PIN has been locked, it can only be unlocked by the token Administrator. Actually, that is the worst-case scenario of usability: once the administrator is not available, the user is blocked and no reversible action is possible.

Cumbersome Data Input of Challenge Response Calculators
Challenge-response calculators (CRC) require even more data input in comparison with other authentication methods such as a user ID, a password, a PIN and a "challenge" (e.g. an authentication server creates a "challenge", which is typically a random number sent to the client machine). Therefore, the difficulty and the probability of data input errors are higher (i.e., CRC do not echo the password back on the screen as it is typed, or they only display asterisks in place of the actual characters).

No Usability Features of Public Key Infrastructure (PKI)
In order to illustrate the usability issues in a user authentication method, let’s briefly present the "Usability of Security: A Case Study" [11] which was performed to evaluate the usability of Pretty Good Privacy (PGP) 5.0. PGP is a standard software, which uses Public Key Infrastructure to encrypt, decrypt, and digitally sign data, for the encryption of Electronic Mail, developed by Phil Zimmermann [12]. The authors chose PGP because it has a good user interface according to established standards, and they set out to find out whether that was sufficient to allow non-programmers who know little about security to use it effectively. The results obtained through a cognitive walkthrough and user testing show that users had difficulty to: avoid dangerous errors, encrypt a message, understand the public key model, figure out the correct key to encrypt with and how to encrypt with any key, decrypt a message, publish the public key, and finally verify a signature on an email message. These are just the basic tasks to be performed in order to execute the program correctly. Therefore, PGP is not sufficiently usable to provide effective security for most email users, according to the authors, because there is a "mismatch between the design philosophy behind its user interface, and the usability needs of a security utility".

Redundancy Factor of Biometrics Systems
The best practices in the authentication area state that multi-factor authentication (i.e. more than one form of credential to identify a user) is generally stronger than any single-factor authentication method. Biometrics (i.e. recognition of one’s hand, iris, voice, etc.) is generally recognized as a "good candidate" to be used with another authentication technique – a two-factor authentication; in a two-factor technique (e.g. coupling biometrics with smart card technology) the "redundancy" of the authentication augments the security level, but at the same time diminishes the user experience. Furthermore, there can be serious limitations with some biometric measures (e.g. there is a range of eye diseases that affect the capability of iris recognition system to capture an appropriate image of the eye [4]) and the level of social acceptability. In such cases, the authentication process must have redundancy built in, so that a second method must be provided in order to confirm the user's identity. However, an authentication process also involves a user being enrolled and verified. Hence, we should focus on enhancing user experience and convenience when choosing an authentication method.

Comparative Analysis of the Authentication methods
As part of this project, we developed a comparative analysis of the different features encountered in authentication methods according to Table 3. To describe the following features we make use of subjective rating scales: "Security" and "Usability" (ranging from 1=Minimum to 5=Maximum in order to measure the degree of severity issues related to each authentication method), and "Automatism versus Human" (ranging from 1=Human is better; 5=Machine is better). The feature "Accuracy" has two measure rates of authentication by biometrics: (i) False Reject Rate (FRR) where a legitimate user is rejected by the acquisition device; (ii) False Acceptance Rate (FAR) where a false user is accepted. The "Average Attack Space" (AAS) corresponds to the number of guesses made by an attacker in order to disclose the secret (e.g. passwords, PINs, etc.). Abbreviations used in Table 3: PK=Public Key; PRK=Private Key; SSO=Single-Sign-On; TGS=Ticket Granting Service.

Authentication Methods - Vulnerabilities still remain
Despite the efforts that were made by organizations to provide suitable authentication methods, vulnerabilities still remain. Mechanisms and models that are complicated to the user will be misused. When an authentication method is too demanding the user might not keep up with the increasing workload (e.g. a user might refuse to change her/his password each time s/he logs on). Thus, organizations tend to blame mostly users for the human failure of not handling complex and demanding technical systems. However, Norman argues that what we often view as human error is the result of design flaws that may be surmounted [8]. According to Computing Technology Industry Association CompTIA [3], human error turns out to be the principal cause of security breaches in the computing security sector of organizations; they account for 84% of security breaches in 900 private and public American organizations.

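As an added illustration (not code from the paper), the following Python model implements the three-attempt PIN lock described under Locking Pin Systems together with the success-or-failure-only feedback of Table 2, item (C), and computes what the lock buys against guessing. The class and function names, the messages and the sample PIN are constructed for this example.

```python
import hashlib
import hmac
import math
import os
from typing import Tuple

MAX_ATTEMPTS = 3                            # "three consecutive invalid PIN attempts"
GENERIC_FAILURE = "Authentication failed"   # Table 2 (C): success or failure only
LOCKED = "Token locked: administrator unlock required"


class PinToken:
    """Constructed model of an authentication token protected by a locking PIN."""

    def __init__(self, pin: str) -> None:
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self.failures = 0        # consecutive invalid attempts
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify(self, pin: str) -> Tuple[bool, str]:
        if self.locked:
            # Even the correct PIN is refused: nothing the user can reverse.
            return False, LOCKED
        if hmac.compare_digest(self._hash(pin), self._digest):
            self.failures = 0    # only *consecutive* failures count
            return True, "OK"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        # Same message for every wrong PIN: no hint of how close the guess was.
        return False, GENERIC_FAILURE

    def admin_unlock(self) -> None:
        """In the modelled system only the token administrator can do this."""
        self.locked = False
        self.failures = 0


def pin_space_bits(digits: int) -> float:
    """Size of the PIN space in bits for a decimal PIN of the given length."""
    return math.log2(10 ** digits)


def guess_success_probability(digits: int, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that distinct random guesses hit the PIN before the lock engages."""
    space = 10 ** digits
    return min(attempts, space) / space


if __name__ == "__main__":
    token = PinToken("4821")     # constructed sample PIN
    for typed in ("4812", "4281", "8421", "4821"):   # three typos, then correct
        print(typed, token.verify(typed))
    token.admin_unlock()
    print("after unlock:", token.verify("4821"))
    print(f"4-digit PIN: {pin_space_bits(4):.1f} bits, "
          f"guessing succeeds with p={guess_success_probability(4):.4f}")
```

The run shows both sides of the trade-off: a legitimate user who mistypes three times is refused even with the correct PIN until the administrator intervenes, while an attacker guessing a 4-digit PIN is held to three tries in ten thousand.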
| Feature / Acquisition Device | Passwords (PW) | PIN | Proximity card | One Time Generators | Challenge Response | Multifunction card | Public Key (PK) | Kerberos | Fingerprint, Hand or Face | Voice Recognition | Signature | Retina/Iris | Keystroke | Under-the-skin ID chip |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Definition | Knowledge based; 8 to 12 digits | Knowledge based; 4 digits | Authentication Token | Authentication Token | Authentication Token | Authentication Token | Cryptography (PK and PRK) | Key Distribution Center | Biometrics; user scanning | Biometrics; user voice when speaking | Biometrics; length/width pen pressure | Biometrics; pattern of blood vessels | Biometrics; user's typing rhythm | RFID based |
| Advantages | Ease of deployment | Networkless | Last longer (contactless) | PW difficult to guess | No synchronization | Built-in dynamic data processing | User credentials once per login session | Mutual Authentication | Ease to collect | No PWs | High definition graphic | Unchangeable (lifetime) | No enrolment | Forger, steal chip is pretty hard |
| Disadvantages | Can be forgotten | Can be forgotten | Theft, fraud, counterfeit | Brute force, dictionary attack | Users share their access permissions | Need of a smart card reader | PK is single point of attack | Scalability | Criminal affiliation | Changes over time | Can change signature at any time | Excessive user cooperation | Masquerade (spoofing) | Masquerade (spoofing) |
| Security | 2 | 2 | 3 | 3 | 3 | 5 | 5 | 5 | 4 | 1 | 3 | 5 | 3 | 4 |
| Usability | 2¹ | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 2 | 3 | 3 |
| Human versus Automatism² | 4³ | 5³ | 5 | 5 | 5 | 5 | 5 | 5 | 1 | 4⁴ | 4 | 1 | 1 | 3 |
| Data collection environment | Computer-based network | Computer-based network | Site-based (Access Control) | Computer-based network | Computer-based network | PK infrastructure-based | PK infrastructure-based | Distributed-based network | Site-based (Access Control) | Telecom/computer-based network | Computer-based network | Computer-based network | Computer-based network | RFID based |
| Input Process Time | 7-20 secs⁵ | 5-10 secs⁵ | 2-5 secs⁶ | 15s-5m⁵ | 15s-5m⁵ | 7-20 s⁵˒⁶ | 7-20 secs⁵ | 7-20 secs⁵ | <5 secs⁷ | <5 secs⁷ | 5-15 secs⁷ | 5 secs-15m⁷ | <5 secs⁸ | <5 secs⁹ |

Industrial Unix RSA Xy- RSA, Crypto Ax- Pretty Ker- Digital Apple Cyber Pri- Net Not
Application [10], Secur Loc- Se- Card, alto Good beros Per- Mac Sign vateI Nann yet
10 Ac- sonna imple-
Win- ID Sage- cure Gem- Pri- 5 OSX, D, y’s
dows ID, Com- tivCar plus, vacy , Vi- Voice Ex- Bio mented
Re-
NT00 etc. put- d, etc. etc. (PGP) sion- Secu- clé, Pass- [2]
lease
/keyC ing, 1.3.2 ics rity etc. word
hain etc.
Accuracy AAS AAS Up to AAS AAS No AAS Clock FRR FRR FRR FRR Aver- No
15 10cm 19 syn- age
= 2 13-bit =2 =54 avail- =102 =1 to =10 =2- =2 to data
23 of the 63 bit able 4 bit chro- 20%; to try 10%; 98% avail-
to 2 [10] to 2
reader niza- rate in
(dic- [10] [10] data PK= FAR 20%; 10%; FAR able
(fre- 86 tion12 rec-
tionary
quency 2 = FAR FAR ≥ ogniz-
attack) = 0,001 =2 to =2- 0,001
13.56 [10] ing
[10] 11 5m to %
mhz) 5% try indi-
5% [10] 0,58 [10] vidu-
[10] % als13
[10]
Table 3: Comparative Analysis of the Authentication Methods.
¹ Software generated, more robust and break six rules of User Interface Design [9];
² Automatism is related to the "acquisition device or data generator" presented by the user (e.g., PIN, memory card, fingerprint, etc.);
³ Machines generate more secure and automatic passwords;
⁴ Novel Neural Net Recognizes Spoken Words Better Than Human Listeners (2003) University of Southern California (US). Retrieved January, 2006 <http://www.usc.edu/ext-relations/news_service/real_video.html>;
⁵ User average speed tapping;
⁶ Average swiping speed (i.e. the ideal swiping speed has to do with your self-confidence: timid people swipe slower, nervous people swipe too fast, and confident people swipe at the ideal speed);
⁷ User data collection is the time period a person must spend to have her/his biometric reference template successfully created (i.e. enrolment and verification time) but can vary dramatically;
⁸ Verification is built up on the concept that the rhythm with which the user types is distinguishing;
⁹ System processing time;
¹⁰ RSA Security SecurID Token. Retrieved February 21, 2006 http://www.rsasecurity.com/node.asp?id=1156;
¹¹ Cards are intended to operate within up to 10cm of the reader antenna at a frequency of 13.56 MHz (ISO/IEC 14443-1:2000);
¹² Maximum tolerance for computer clock synchronization: this is the maximum time skew that can be tolerated between a ticket's timestamp and the current time at the Kerberos Distribution Center (KDC);
¹³ Net Nanny’s BioPassword. Retrieved February 21, 2006 <http://www.netnanny.com/>

User satisfaction can be reached if the system is in accordance with the user's mental model of the task. For instance, the user might regularly use the password-based authentication method, which must be easy to learn and remember, requiring little memory from users whose minds are already concerned with the task itself and whose time is valuable.

Conclusion
There is more and more research and development on computer system security, but still very little research on the usability issues of security mechanisms and techniques. To be able to build reliable, effective and usable security systems, we need specific guidelines that take into account the specific constraints of security mechanisms. Systems should be built so as to be easy to learn and use by users with different backgrounds and skills. Human factors should be incorporated into the development of security solutions where usability is central during the whole development process.

REFERENCES
1. Adams, A. & Sasse, M. (1999) Users Are Not the Enemy, Communications of the ACM, vol.42, nº 12.
2. Braz, C. (2003) AuthenLink: A User-Centred Authentication System for a Secure Mobile Commerce, Master Thesis, Department of Computer Science and Operations Research, Université de Montréal (Canada).
3. Computing Technology Industry Association (CompTIA) (2002) Committing to Security: A CompTIA Analysis of IT Security and the Workforce, Oakbrook Terrace, IL (US).
4. Daugman, J. (2005) Results from 200 Billion Iris Cross-comparisons, Technical Report, Computer Laboratory, University of Cambridge Computer Laboratory (UK). Retrieved on February 21, 2006 <http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-635.pdf>
5. International Organization for Standardization (1998) ISO 9241-11: Ergonomic requirements for office work with visual display terminals (VDTs - Part 11: Guidance on Usability).
6. Jøsang, A. & Patton, M. (2001) User Interface Requirements for Authentication of Communication, Security Usability White Paper, Distributed Systems Technology Centre, QUT, Brisbane, Qld 4001 (Australia).
7. Miller, G. A. (1956) The magical number seven plus or minus two: Some limits on our capacity for processing information, Psychological Review, 63, 81-97.
8. Norman, Donald A. (2001) The Psychology of the Everyday Things, Basic Books, Inc., Publishers New York, NY (US).
9. Shneiderman, B. (1998) Designing the User Interface: Strategies for Effective Human Computer Interaction. Chapter 2, Addison-Wesley, Reading, MA (US).
10. Smith, R. (2002) Authentication: From Passwords to Public Keys, Addison-Wesley, 1st edition (US).
11. Whitten, A. & Tygar, J. D. (1998) Usability of Security: A Case Study, School of Computer Science EECS Carnegie Mellon University Pittsburgh, PA and University of California SIMS, Berkeley, CA (US).
12. Zimmermann, P. (2004) Phil Zimmermann's Home Page. Phil Zimmermann & Associates LCC. Retrieved on February 11, 2006 <http://www.philzimmermann.com/EN/background/index.html>
13. Zurko, M. & Simon, R. (1997) User-Centered Security, The Pen Group Research Institute, Cambridge, MA (US).
