Article

User perceptions of security, convenience and usability for ebanking authentication tokens

February 2009
Computers & Security 28(1-2):47-62

DOI:10.1016/j.cose.2008.09.008

Source
DBLP

Authors:

This research compared three different two-factor methods of eBanking authentication. Three devices employing incremental security layers in the generation of one time passcodes (OTPs) were compared in a repeated-measures, controlled experiment with 50 eBanking customers. Attitudes towards usability and usage logs were taken for each experience. Comparisons of the devices in terms of overall quality, security and convenience as perceived by participants were also recorded. There were significant differences between all three methods in terms of usability measures, perceived quality, convenience and security ratings – with the perceived security ratings following a reverse order to the other measures. Almost two thirds of the participant sample chose the device they perceived the least secure as their preference. Participants were asked to use their preferred method again and tended to find their chosen device more usable. This research illustrates the usability-security trade off, where convenience, quality and usability are sacrificed when increasing layers of security are required. In their preferences, customers were driven by their attitudes towards usability and convenience rather than their perceptions of security.

Diverging influences of usability in online authentication system: the role of culture (US vs Korea)

Article

Jan 2022
Int J Bank Market

Purpose Although the use of online authentication systems in banking services is expanding globally, little is known about cultural differences in forming consumers' responses to these services. This paper examines how the usability of an online security service and culture impact consumers' behaviour. Design/methodology/approach The authors conduct a 2 (usability: high vs low) × 2 (culture: US vs Korea) between-subjects, full factorial design. Findings The results indicate a differential influence of the usability of a security system by culture. In particular, US consumers exhibit greater behavioural intention in a high (vs low) usability condition, whereas Korean consumers showed more favourable responses in a low-usability condition. Moreover, perceived effort is confirmed as a crucial mediator that explains the psychological mechanism of the proposed effect. Practical implications This research contributes to the literature on online banking where security is an important determinant of success. Especially for managers involved in international banking services, the findings of cultural differences offer insights about the importance of local understanding and differentiation of bank services for specific target markets which can enhance consumers' response towards an online security service. Originality/value The current study is one of a very few attempts to examine the role of usability of an online security system in forming consumers' behavioural intention. More importantly, this study integrates the concept of culture to explain how usability influences positive or negative behavioural intention in an international market.

Usable and secure? User perception of four authentication methods for mobile banking

Article

Jan 2022
COMPUT SECUR

Smartphone authentication is becoming a cornerstone security component, so it is necessary to have methods that are usable and secure to ensure adequate protection, especially for mobile banking. Though biometric authentication seems to be perceived as very usable by users, there is a lack of research to compare smartphone-based fingerprint verification to other authentication methods for mobile banking in terms of usability and perceived security. Using two independent samples, we conducted a study for a younger group aged 26-54 (N = 229) and an older group aged 55+ (N = 239) about their perceptions of the usability and security of four authentication methods: fingerprint, PIN, token, and card reader. All four methods were evaluated positively for both usability and security, with fingerprint verification evaluated as the most usable and the most secure method for mobile banking. Interestingly, none of our hypothesized predictors (i.e., age, gender, education, smartphone self-efficacy, smartphone security behaviour, knowledge of secure smartphone behaviour) was consistently related to how users perceive the usability and security of the examined methods. This suggests that smartphone users would be able to successfully adopt, and be quite satisfied with, any of the tested methods, regardless of demography or smartphone skills.

Improving Password Memorability, While Not Inconveniencing the User

Article

Feb 2019

Passwords are the most frequently used authentication mechanism. However, due to increased password numbers, there has been an increase in insecure password behaviors (e.g., password reuse). Therefore, new and innovative ways are needed to increase password memorability and security. Typically, users are asked to input their passwords once in order to access the system, and twice to verify the password, when they create a new account. But what if users were asked to input their passwords three or four times when they create new accounts? In this study, three groups of participants were asked to verify their passwords once (control group), twice, and three times (two experimental groups). Psychological literature suggests that applying repetition in learning to the password process has significant effects on password memorability. However, previous password research has found a trade-off between password security and memorability, and more recently, user convenience. Our results suggest that verifying passwords three times can increase password memorability from 42% (verifying passwords just once as with current practices) to 70%. Even by increasing the verification to just two times can increase password memorability by 17%. However, we found that through increasing the number of verifications did not equate to a decrease in user convenience. What this means is that small changes to the password verification stage can have significant results on password memorability while not necessarily inconveniencing the user. The implications of these results could ultimately have a positive effect on password security, and the consequences of forgetting passwords.

A Systematic Study of the Consistency of Two-Factor Authentication User Journeys on Top-Ranked Websites

Conference Paper

Jan 2023

A Systematic Study of the Consistency of Two-Factor Authentication User Journeys on Top-Ranked Websites (Extended Version)

Preprint

Oct 2022

Heuristics for user experience state that users will transfer their expectations from one product to another. A lack of consistency between products can increase users' cognitive friction, leading to frustration and rejection. This paper presents the first systematic study of the external, functional consistency of two-factor authentication user journeys on top-ranked websites. We find that these websites implement only a minimal number of design aspects consistently (e.g., naming and location of settings) but exhibit mixed design patterns for setup and usage of a second factor. Moreover, we find that some of the more consistently realized aspects, such as descriptions of two-factor authentication, have been described in the literature as problematic and adverse to user experience. Our results advocate for more general UX guidelines for 2FA implementers and raise new research questions about the 2FA user journeys.

Enhancing the user authentication process with colour memory cues

Article

Full-text available

Jul 2022

The authentication process is the first line of defence against potential impostors, and therefore is an important concern when protecting personal and organisational data. Although there are many options to authenticate digital users, passwords remain the most common authentication mechanism. However, with password numbers increasing, many users struggle with remembering multiple passwords, which affects their security behaviour. Previous researchers and practitioners have attempted to suggest ways to improve password memorability and security simultaneously. We introduce novel approach that utilises colour as a memory cue to increase password memorability and security. A longitudinal study examined in total over 3000 passwords that were created, learnt and recalled (password process) over a period of five-weeks. By adding colour to the password process, our results suggest that password memorability and security can be increased simultaneously. Through giving the user the option of choosing the colours (compared with colours being preselected), encourages users to create more personal and meaningful memory cues when creating their passwords. Additionally, colour also provided another security parameter by increasing password entropy. These unique results have practical implications for researchers and practitioners that could positively impact password security, and the financial losses suffered due to password security breaches.

3D-Auth: Two-Factor Authentication with Personalized 3D-Printed Items

Conference Paper

Full-text available

Apr 2020

Fishbone model and universal authentication framework for evaluation of multifactor authentication in mobile environment

Article

Aug 2019
COMPUT SECUR

The trend of rapid evolutionary development of mobile technologies and the existence of different user's priorities are creating new challenges with regard to selection of multifactor authentication (MFA) solutions. This becomes even more challenging by creating a universal authentication framework (UAF). In order to cope with these challenges, this paper has proposed a Fishbone model and developed in form of the UAF which is based on a larger number of linguistic variables and a wider set of user's priorities such as security, usability, accessibility, pricing, complexity, privacy and convenience (SUAPCPC). In comparison to all other papers available in the literature, the Fishbone model provides numerical evaluation of MFA with the possibility of changing weighted criteria for the selected user priorities. In addition, the contributions of this model are twofold. For user's, to enable easier choice of MFA solution, for developers, to identify spots where a method or solution could be improved. For development of the Fishbone model, fuzzy methodology is used in form of a Fuzzy Expert System (FES) tool. Also, the block diagram and the basic modules of the Fishbone model architecture are given. The results of implementation of the Fishbone model in form of the UAF have showed that this model is applicable and very efficient in practice. Finally, the Fishbone model gives an ideal template in UAF at which user's priorities satisfy the best individual users’ solutions. The realization of this template presents challenge for all future developers of MFA solutions.

A Survey on Multi-Factor Authentication for Online Banking in the Wild

Article

Full-text available

Feb 2020
COMPUT SECUR

In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.

Usability Testing of Memorable Word in Security Enhancing in e-Government and e-Financial Systems

Article

Full-text available

Jan 2023

Authentication of IT Professionals in The Wild -A Survey

Preprint

Full-text available

Jul 2023

The role of user authentication in software repositories can significantly impact those using open-source projects as a basis for their products. In addition to highlighting the importance of authentication in software supply chain security, we surveyed open-source developers to identify if these IT professionals take advantage of more secure authen-tication methods in open-source projects to mitigate common risks. We present results from a survey of 83 employees of an open-source software company. We found that these users mostly use two-factor authentica-tion and perceive username and password as the most usable method. Regarding security, hardware and software tokens were perceived as the most secure methods. Using a third-party service for fallback authenti-cation emerged as a non-preferred solution.

Reputation, familiarity and use intention for e-payment services: a comparison of pure-play and click-and-mortar e-payment services

Article

Jan 2021

Customer Satisfaction with Digital Wallet Services: An Analysis of Security Factors

Article

Full-text available

Feb 2022

This study aimed to determine an efficient framework that caters to the security and consumer satisfaction for digital wallet systems. A quantitative online survey was carried out to test whether the six factors (i.e., transaction speed, authentication, encryption mechanisms, software performance, privacy details, and information provided) positively or negatively impact customer satisfaction. This questionnaire was divided into two sections: the respondents’ demographic data and a survey on security factors that influence customer satisfaction. The questionnaires were distributed to the National University of Malaysia’s professors and students. A sample of 300 respondents undertook the survey. The survey results suggested that many respondents agreed that the stated security factors influenced their satisfaction when using digital wallets. Previous studies indicated that financial security, privacy, system security, cybercrime, and trust impact online purchase intention. The proposed framework in this research explicitly covers the security factors of the digital wallet. This study may help digital wallet providers understand the customer's perspective on digital wallet security aspects, therefore motivating providers to implement appropriately designed regulations that will attract customers to utilize digital wallet services. Formulating appropriate security regulations will generate long-term value, leading to greater digital wallet adoption rates.

Towards a Cashless Society: The Effects of Perceived Convenience and Security on Gamified Mobile Payment Platform Adoption

Article

Full-text available

Dec 2021

Integrating gamification into mobile payment platform incentivizes people to use digital alternatives for payment and could spur user-centric, platform-mediated interactions. This study examines the relationship between perceived convenience and perceived security on individual users’ intention to use a gamified mobile payment platform in Malaysia; a developing country envisioned to build a cashless society. The partial least square structural equation modeling (PLS-SEM) technique is employed on a final sample of 388 online users. The results show that perceived convenience has a strong but indirect effect on the intention to use. Perceived security has a strong and direct effect on intention to use and mediates the relationship between perceived convenience and intention to use. Furthermore, the reliability aspect of security is a top priority concern for users interested in using mobile payment. The multi-functional aspect of convenience is a top priority concern to attract users who are not interested in using mobile payment at first. The study discusses theoretical and practical implications for developing a dual strategy of ‘ensuring convenience’ and ‘assuring security’ to encourage the gamified mobile payment platform adoption in developing countries.

Protecting Against Threats to Information Security: An Attitudinal Ambivalence Perspective

Article

Full-text available

Jul 2021

A popular information security-related motivation theory is the Protection Motivation Theory (PMT) that has been studied extensively in many information security contexts with promising results. However, prior studies have found inconsistent findings regarding the relationships within PMT. To shed light on these inconsistent findings, we introduce the attitudinal ambivalence theory to open the black box within PMT. We tested our model on data collect ed from 1,383 individuals facing potential cyberattacks of their emails in a field experiment. The results of polynomial regression with response surface analysis showed that attitudinal ambivalence is generated from the opposition between an individual’s evaluations of maladaptive rewards and social norms (i.e., descriptive norm and subjective norm). This attitudinal ambivalence, in turn, affects individuals’ evaluations of their coping appraisal process and protection motivation, and ultimately protection behavior. We discuss the theoretical and managerial implications of identifying the determinants and outcomes of attitudinal ambivalence in the information security context. From a theoretical standpoint, our work contributes to the information security literature by incorporating attitudinal ambivalence, which arises from the intrapersonal and interpersonal appraisal processes, into PMT. From a practical standpoint, our work provides insights into designing effective fear appeals to avoid triggering attitudinal ambivalence and thus encouraging adoption of security protection behavior.

Accountants' training framework and use of technologies among Nigerian professional accountants

Article

Full-text available

Sep 2021

The study was conducted to identify social media, mobile and cloud (SoMoClo) technologies used by Nigerian professional accountants. It also performed predictive analysis of Accountants' Training Framework (ATF) and Perception (PCT) on professional accountants' use of SoMoClo technologies. Using survey design, the study administered an online questionnaire among professional accountants in Nigeria. Some items in the survey were taken from already validated items in literature especially from popular theories of technology use. Data were analysed using both descriptive statistics (frequency, mean, mode, and standard deviation) and inferential statistics – binary logistic regression. Findings showed that Nigerian professional accountants claim to proficiently use SoMoClo technologies in their professional capacities. ATF and PCT contributed (in)significantly to the prediction of self-reported use of and intention to use SoMoClo technologies among Nigerian professional accountants. The overarching disruptive and transformative tendencies and evidences of technology is an incentive for professional accountants to constantly unlearn, relearn, initiate, adopt and adjust to emerging trends in the practice of their profession. This study brings to bare the significance of the ATF as a predictor variable for use of technology. A new model for the measurement of “use” – willingness, readiness and ableness (WRA) framework – was tested.

AI-enabled digital identity – inputs for stakeholders and policymakers

Article

Full-text available

Jul 2021
JSTPM

Purpose–This conceptual article’s primary aim is to identify the significant stakeholders of the digital identity system (DIS) and then highlight the impact of artificial intelligence (AI) on each of the identified stakeholders. It also recommends vital points that could be considered by policymakers while developing technology-related policies for effective DIS. Design/methodology/approach–This article uses stakeholder methodology and design theory (DT) as a primary theoretical lens along with the innovation diffusion theory (IDT) as a sub-theory. This article is based on the analysis of existing literature that mainly comprises academic literature, official reports, whitepapers and publicly available domain experts’ interviews. Findings–The study identified six significant stakeholders, i.e. government, citizens, infrastructure providers, identity providers (IdP), judiciary and relying parties (RPs) of the DIS from the secondary data.Also, the role of IdP becomes insignificant in the context of AI-enabled digital identity systems (AIeDIS). The findings depict that AIeDIS can positively impact the DIS stakeholders by solving a range of problems such as identity theft, unauthorised access and credential misuse, and will also open a possibility of new ways to empower all the stakeholders. Research limitations/implications–The study is based on secondary data and has considered DIS stakeholders from a generic perspective. Incorporating expert opinion and empirical validation of the hypothesis could derive more specific and context-aware insights. Practical implications–The study could facilitate stakeholders to enrich further their understanding and significance of developing sustainable and future-ready DIS by highlighting the impact of AI on the digital identity ecosystem. Originality/value–To the best of the authors’ knowledge, this article is the first of its kind that has used stakeholder theory, DT and IDT to explain the design and developmental phenomenon of AIeDIS. A list of six significant stakeholders of DIS, i.e. government, citizens, infrastructure providers, IdP, judiciary and RP, is identified through comprehensive literature analysis.

Perceived security: An experimental study of security doors

Article

Jul 2021
SAFETY SCI

Michele Sinico

The feeling of security of your own home is given both by the minimization of the real risk of infringement and by the conditions for minimizing the psychological threats experienced by the user. This study investigates the impact of visual design factors on perceived security of security doors. Experiment 1 verified the effect of different security door models on perceived security. For each model, participants indicated the perceived security on a 7-point rating scale. In the second experiment, 308 naïve participants estimated the perceived security of the security doors with ten morphological modifications (asymmetry; curved edges; reduced colorfulness; rhomboid panels; relief mullions; nails; engraved texture; electronic lock; double lock; bronze door handle). The influence of visual design factors on perceived security was confirmed in experiment 1. The results also show that asymmetry, nails doors and electronic lock increase perceived security significantly. Finally, the findings in relation to the design of security door are discussed.

Reputation, familiarity and use intention for e-payment services: a comparison of pure-play and click-and-mortar e-payment services

Article

Jan 2021

A New Card-Linked Loyalty Program: Estimated and Anticipated Benefits for Payment Transaction Parties

Article

Full-text available

Nov 2020

Electronic card payments are getting more and more popular, mainly because of their simplicity, convenience, processing time and high level of security. The fact that a single payment card is issued for a particular cardholder makes it possible to link a card to various services. In this paper, we investigated a usage of a payment card in the loyalty program that incorporates our Contextual Risk Management System (CRMS) to assure a novel intangible reward: Shorter transaction processing time. In the beginning, we emphasize the importance of soft benefits in modern loyalty programs and recall the risk management algorithms and the reputation system that has been used in the CRMS. Then, using an extensive dataset of 2.5 million payment transaction traces (collected within a year from 68 terminals) we estimate potential benefits for merchants and cardholders and try to predict an effect of this system for the future. We also discuss the impact of this system on the real and user-perceived security level.

Multiple Fusions Approach for Keystroke Dynamics Verification System with Soft Biometrics

Article

Full-text available

Sep 2020

Computer security is a process that controls the entire information system, including network, system and hardware. Important information that must be controlled in a system is the data or information contained in a system. Various methods have been used to ensure that only users with legitimate access to data can use a system. Usernames and passwords have been a common practice by many systems as the first requirement to be fulfilled to access the system, but some systems use the secondary verification for additional confirmation. In this article, Keystroke Dynamics has been used as the user’s second level authentication for the systems that use the keyboard to login into a system. A common problem of system intrusions is that the system fails to identify the user who signs in using the keyboard when the login is correct. There is a possibility that someone else tries to break into the system. To ensure and improve users’ recognition who use the keyboard to enter their logins into the system, Keystroke Dynamics is used as a next-level verification if the login is correct. Soft biometrics is used in the user authentication process using KD method in this study. The soft biometric elements used in this study are culture, gender, educational level (CGPA - Cumulative Grade Point Average) and region of birth (ROB). All of these four soft biometric elements are expected to enhance capabilities in the user authentication process.

Expanding TAM and Investigating the Factors that Effect Consumer Intention to Adopt Mobile Banking in Palestine

Article

Full-text available

Sep 2020

Haitham Jouda

Purpose The main objective of this study is to expand the technology acceptance model (TAM) by examining the factors affecting the adoption of mobile banking services by the customers of Palestinian banks and to design a comprehensive model based on TAM and TPB and additional constructs. Design/methodology/approach This study used the quantitative approach with cross sectional research design and a questionnaire as a data tool. From the six big cities in Palestine, we surveyed 1000 banking consumers. The samples include different characteristics. For construct relationship analysis this study applied partial least squares (PLS). Findings The study framework provides a complete view of mobile banking services. This framework takes into consideration more determinants for prediction than other studies on the adoption of innovations. The results of using this model managed to clarify nearly 77.4 percent of the dependent variable (intention to adopt mobile banking service) variation. This is a much greater value than those of the previous studies. Moreover, this study found that the perceived risk has a negative effect on consumers’ intention to use mobile banking services. Attitude, facilitating conditions, perceived ease of use, website usability, and perceived trust were identified as the important variables that have a significant positive effect on the consumers’ intention to use mobile banking services in Palestine. Originality/value – the findings can be used by financial institutions and banks to enhance the usage rate of consumers’ adoption and to develop their strategies.

Short-Range Audio Channels Security: Survey of Mechanisms, Applications, and Research Challenges

Article

Full-text available

Jan 2020

Short-range audio channels have appealing distinguishing characteristics: ease of use, low deployment costs, and easy to tune frequencies, to cite a few. Moreover, thanks to their seamless adaptability to the security context, many techniques and tools based on audio signals have been recently proposed. However, while the most promising solutions are turning into valuable commercial products, acoustic channels are also increasingly used to launch attacks against systems and devices, leading to security concerns that could thwart their adoption. To provide a rigorous, scientific, security-oriented review of the field, in this paper we survey and classify methods, applications, and use-cases rooted on short-range audio channels for the provisioning of security services—including Two-Factor Authentication techniques, pairing solutions, device authorization strategies, defense methodologies, and attack schemes. Moreover, we also point out the strengths and weaknesses deriving from the use of short-range audio channels. Finally, we provide open research issues in the context of short-range audio channels security, calling for contributions from both academia and industry.

Short-Range Audio Channels Security: Survey of Mechanisms, Applications, and Research Challenges

Preprint

Full-text available

Jan 2020

Short-range audio channels have a few distinguishing characteristics: ease of use, low deployment costs, and easy to tune frequencies, to cite a few. Moreover, thanks to their seamless adaptability to the security context, many techniques and tools based on audio signals have been recently proposed. However, while the most promising solutions are turning into valuable commercial products, acoustic channels are increasingly used also to launch attacks against systems and devices, leading to security concerns that could thwart their adoption. To provide a rigorous, scientific, security-oriented review of the field, in this paper we survey and classify methods, applications, and use-cases rooted on short-range audio channels for the provisioning of security services---including Two-Factor Authentication techniques, pairing solutions, device authorization strategies, defense methodologies, and attack schemes. Moreover, we also point out the strengths and weaknesses deriving from the use of short-range audio channels. Finally, we provide open research issues in the context of short-range audio channels security, calling for contributions from both academia and industry.

Bioelectrical User Authentication

Thesis

Full-text available

Apr 2019

Timibloudi S Enamamu

There has been tremendous growth of mobile devices, which includes mobile phones, tablets etc. in recent years. The use of mobile phone is more prevalent due to their increasing functionality and capacity. Most of the mobile phones available now are smart phones and better processing capability hence their deployment for processing large volume of information. The information contained in these smart phones need to be protected against unauthorised persons from getting hold of personal data. To verify a legitimate user before accessing the phone information, the user authentication mechanism should be robust enough to meet present security challenge. The present approach for user authentication is cumbersome and fails to consider the human factor. The point of entry mechanism is intrusive which forces users to authenticate always irrespectively of the time interval. The use of biometric is identified as a more reliable method for implementing a transparent and non-intrusive user authentication. Transparent authentication using biometrics provides the opportunity for more convenient and secure authentication over secret-knowledge or token-based approaches. The ability to apply biometrics in a transparent manner improves the authentication security by providing a reliable way for smart phone user authentication. As such, research is required to investigate new modalities that would easily operate within the constraints of a continuous and transparent authentication system. This thesis explores the use of bioelectrical signals and contextual information for non-intrusive approach for authenticating a user of a mobile device. From fusion of bioelectrical signals and context awareness information, three algorithms where created to discriminate subjects with overall Equal Error Rate (EER of 3.4%, 2.04% and 0.27% respectively. Based vii | P a g e on the analysis from the multi-algorithm implementation, a novel architecture is proposed using a multi-algorithm biometric authentication system for authentication a user of a smart phone. The framework is designed to be continuous, transparent with the application of advanced intelligence to further improve the authentication result. With the proposed framework, it removes the inconvenience of password/passphrase etc. memorability, carrying of token or capturing a biometric sample in an intrusive manner. The framework is evaluated through simulation with the application of a voting scheme. The simulation of the voting scheme using majority voting improved to the performance of the combine algorithm (security level 2) to FRR of 22% and FAR of 0%, the Active algorithm (security level 2) to FRR of 14.33% and FAR of 0% while the Non-active algorithm (security level 3) to FRR of 10.33% and FAR of 0%.

TRUST: TRust Unguarded Service Terminals

Chapter

Nov 2019

Nowadays, plenty of digital services are provided to citizens by means of terminals located in public unguarded places. In order to access the desired service, users, authenticate themselves by providing their credentials through such terminals. This approach opens up to the problem of fraudulent devices that could be installed in place of regular terminals to capture users’ confidential information. Indeed, despite the development of increasingly secure systems aiming at guaranteeing an acceptable security level, users are frequently unable to distinguish between terminals on which security measures are enforced (trusted terminals) and malicious terminals that pretend to be trusted.

SAFEST: Secure Actions for FTP Environment with Smart Token EPiC Series in Computing

Conference Paper

Full-text available

Sep 2019

Nowadays, with the wide applications of distributed systems, web-based applications, and communications systems over the Internet for carrying data between users such as terminal client and computer/server or communications between different devices using a computer network, network security has become crucial requirement to ensure authentic received data during transmission. Authentication and encryption are basic procedures to ensure secure communications over a public network due to tamper-resistance and convenience in dealing with a password file. Most of the used protocols; HTTP, FTP, and SMTP of Internet applications use text stream that is more and more vulnerable to attacks. Encryption represents the main security for most computer applications. This work proposes enhanced secure actions for transferring data using FTP protocol by using a smart token. A smart token has the capabilities of the smart card, but more secured beside some interesting operations. A practical and secure user scheme, based on a smart token device, is proposed. A Secure Platform has been developed using implemented APIs and PKCS#11 as RSA standard interface. The proposed API is called SAFEST (Secure Actions for FTP Environment with Smart Token). SAFEST API wraps a standard protocol for implementing the communication between a token and the application using it. This API is a platform-independent, scalable to support more functionality, optimizing token usage and adding more security for accessing token objects. The smart token can process the cryptographic key operations on its own rather than on the host computer, which supports high-level platform independence. In addition, through the proposed SAFEST API, standard interfacing to such token devices from any vendor can be implemented through using PKCS#11 interfaces, developed by RSA labs.

Managing Security Issues

Article

Full-text available

Jun 2019

Security is coming more and more in the spotlight of today's news. Several reasons have lead to this, like the maturity of computer technology, which gave access to more people to computer systems, and the evolution of the internet and computer networking in general. Security, as most technology issues, doesn't evolve in general directions, but follows the direction of technology innovation. This focused direction of security research creates a number of different trends that evolve during time. This study will focus on the trends that have been emerging lately and the implications they have in security management. Suggestions will be proposed in order to accommodate the forthcoming changes.

Coauthentication

Conference Paper

Apr 2019

This paper introduces and evaluates collaborative authentication, or coauthentication, a single-factor technique in which multiple registered devices work together to authenticate a user. Coauthentication provides security benefits similar to those of multi-factor techniques, such as mitigating theft of any one authentication secret, without some of the inconveniences of multi-factor techniques, such as having to enter passwords or biometrics. Coauthentication provides additional security benefits, including: preventing phishing, replay, and man-in-the-middle attacks; basing authentications on high-entropy secrets that can be generated and updated automatically; and availability protections against, for example, device misplacement and denial-of-service attacks. Coauthentication is amenable to many applications, including m-out-of-n, continuous, group, shared-device, and anonymous authentications. The principal security properties of coauthentication have been formally verified in ProVerif, and implementations have performed efficiently compared to password-based authentication.

How Memory Anxiety Can Influence Password Security Behavior

Article

Nov 2023
COMPUT SECUR

Authentication of IT Professionals in the Wild – A Survey

Conference Paper

Jan 2023

The role of user authentication in software repositories can significantly impact those using open-source projects as a basis for their products. In addition to highlighting the importance of authentication in software supply chain security, we surveyed open-source developers to identify if these IT professionals take advantage of more secure authentication methods in open-source projects to mitigate common risks. We present results from a survey of 83 employees of an open-source software company. We found that these users mostly use two-factor authentication and perceive username and password as the most usable method. Regarding security, hardware and software tokens were perceived as the most secure methods. Using a third-party service for fallback authentication emerged as a non-preferred solution.

EFFECTIVENESS OF FAST IDENTITY ONLINE 2 (FIDO2) PASSWORDLESS AUTHENTICATION FOR ONLINE USERS

Thesis

Sep 2023

Aaron Musa

ABSTRACT The continuous rates of account hacking and data leaks have put online users at risk of losing valuable data. The traditional password-based authentication has failed to suffice, as hackers have found it very easy to breach these protocols and get hold of users’ data. This has led to the development of more secured protocols like the FIDO2 passwordless authentication. Thus, this research was undertaken to investigate the Effectiveness of FIDO2 Passwordless Authentication for Online Users. One of the objectives of this research is to investigate how passwordless authentication can help solve the security issues that arise for users in an online environment.The study made use of both primary data and secondary data. The study found that FIDO2 passwordless authentication is a very secured method of protecting online users, however, the risk of losing the security key and the hassle involved in retrieving access have limited the adoption of the authentication protocol. The research however recommends that FIDO Alliance should develop easier methods of recovery. This would help improve user experience and lead to a higher adoption rate.

SoK: A Comprehensive Evaluation of 2FA-based Schemes in the Face of Active Concurrent Attacks from User Terminal

Conference Paper

Jun 2023

“It’s Just a Lot of Prerequisites”: A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator

Conference Paper

Sep 2022

SMS OTP Security (SOS): Hardening SMS-Based Two Factor Authentication

Conference Paper

May 2022

”Nah, it’s just annoying!” A Deep Dive into User Perceptions of Two-Factor Authentication

Article

Full-text available

Feb 2022

Two-factor authentication (2FA) is a recommended or imposed authentication mechanism for valuable online assets. However, 2FA mechanisms usually exhibit user experience issues that create user friction and even lead to poor acceptance, hampering the wider spread of 2FA. In this paper, we investigate user perceptions of 2FA through in-depth interviews with 42 participants, revealing key requirements that are not well met today despite recently emerged 2FA solutions. First, we investigate past experiences with authentication mechanisms emphasizing problems and aspects that hamper good user experience. Second, we investigate the different authentication factors more closely. Our results reveal particularly interesting preferences regarding the authentication factor ”ownership” in terms of properties, physical realizations, and interaction. These findings suggest a path towards 2FA mechanisms with considerably better user experience, promising to improve the acceptance and hence, the proliferation of 2FA for the benefit of security in the digital world.

Hackers versus Normal Users

Chapter

Sep 2021

L. Reznik

The chapter starts with discussing how hacker's demography and their culture have been changing over the years. Then it proceeds with presenting hacking attacks, techniques, and tools as well as anti‐hacking protection mechanisms. In the second part, it moves to the ordinary user's profiles and authentication. Here we show how to employ data science and statistical approaches to find out and analyze user's characteristics and their influence on the security level of their computer practice. The chapter presents the computer device security evaluation procedures. It discusses how to conduct analysis, observations, results, and recommendations for users to improve their overall security practices and the security of their devices. Also, it examines the hacking web fingerprinting attacks against the privacy protection TOR technology that utilizes machine learning as well as possible protection mechanisms. Examples and use cases are included.

Analyzing the Security of OTP 2FA in the Face of Malicious Terminals

Chapter

Sep 2021

One Time Password (OTP) is the most prevalent 2FA method among users and service providers worldwide. It is imperative to assess this 2FA scheme’s security from multiple perspectives, considering its ubiquitous presence in the user’s day-to-day activities. In this work, we assess the security of seven commercially deployed OTP-2FA schemes against malware in the terminal attack model without compromising any 2FA device or authentication services. To implement this attack scenario, we develop a combination of attack modules that will capture password and OTP in different ways during the user’s login attempt. At the same time, it would originate a fresh concurrent hidden session from within the terminal or remotely to get possession to the user account without compromising the service or network or any external device. We examine implemented attack against seven different popular public services, which mostly use two variants of OTP-2FA and observed that almost all of them are vulnerable to this attack. Here, the threat model is practical as the attack components can be installed in the user’s terminal without any root/administrator privilege. Moreover, the attack modules require a small number of resources to run. The whole procedure would run from the background that makes the attack very hidden in nature and attain low detectability after examining against prominent anti-malware programs that indicate a real-world threat. Our findings after the analysis of the OTP-2FA schemes indicate that an adversary who can install malware on the user’s terminal can defeat almost all popular and widely used OTP-2FA schemes, which are vital security components of online accounts and secure financial transactions. The result also points out that the OTP-2FA scheme does not add extra security on top of the password in the presence of the malicious program in the terminal.

Interaction Design for Security Based on Social Context

Article

Jun 2021
INT J HUM-COMPUT ST

Social context is a vital component of Human-Computer Interaction (HCI) design for security; however, there is little discussion about how to provide security functions based on the social context. This study examines the fit between security design and social contexts in mobile payment applications by investigating preferences and perceptions of security design based on the task-technology fit model and the technology acceptance model. To approach fit of security design in different social contexts, this study followed the approach proposed by design science research and employed a full factorial design experiment. We developed two interfaces—a customizable interface without feedback information and a customizable interface with feedback information—and asked participants to modify security settings in the interfaces according to social contexts, conduct payment transactions, and report their perceptions of security and usability in four payment scenarios. The observed behaviors in relation to security settings and perceptions revealed the fit for security settings and feedback design in different social contexts. Implications were provided to allow insights for security design in mobile payment transactions according to social contexts.

What Drives Social Media Marketing in B2B Organizations? An Examination of Antecedents

Article

Full-text available

May 2021

Purpose: Social media marketing has expanded drastically over the years; despite that, B2B organizations have been unable to use, adapt, and utilize social media marketing, in comparison to B2C (Business to Consumer) organizations. The study intends to examine the antecedents of social media marketing in Business to Business organizations. Methodology: The hypotheses were tested through a survey conducted with 375 employees, belonging to 16 different B2B industries in Pakistan. Reliability analysis, convergent validity, discriminate validity, regression analysis, and mediation tests were carried out to measure the reliability of the measures and examine the proposed hypotheses. Findings: Findings supported the research model and proposed hypotheses. Results suggested a significant influence of learnability, memorability, perceived barriers, perceived usability, and perceived usefulness on actual use in B2B organizations. Findings also confirm the mediating roles of perceived usability and usefulness in the framework. Practical Implications: Usage and adoption of social media marketing in B2B organizations can be improved if they invest in training programs that facilitate learning and memorability of social media tools. Perceived barriers can be eliminated if companies can reassure employees of the relevance and efficiency of social media marketing in their business environment. Keywords: B2B, Business to Business, Industrial Marketing, Social media, TAM

Two-factor Password-authenticated Key Exchange with End-to-end Security

Article

Apr 2021

We present a secure two-factor authentication (TFA) scheme based on the user’s possession of a password and a crypto-capable device. Security is “end-to-end” in the sense that the attacker can attack all parts of the system, including all communication links and any subset of parties (servers, devices, client terminals), can learn users’ passwords, and perform active and passive attacks, online and offline. In all cases the scheme provides the highest attainable security bounds given the set of compromised components. Our solution builds a TFA scheme using any Device-enhanced Password-authenticated Key Exchange (PAKE), defined by Jarecki et al., and any Short Authenticated String (SAS) Message Authentication, defined by Vaudenay. We show an efficient instantiation of this modular construction, which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure. The security of the proposed scheme is proven in a formal model that we formulate as an extension of the traditional PAKE model. We also report on a prototype implementation of our schemes, including TLS-based and PKI-free variants, as well as several instantiations of the SAS mechanism, all demonstrating the practicality of our approach. Finally, we present a usability study evaluating the viability of our protocol contrasted with the traditional PIN-based TFA approach in terms of efficiency, potential for errors, user experience, and security perception of the underlying manual process.

When enough is enough: Investigating the antecedents and consequences of information security fatigue

Article

Full-text available

Dec 2020
INFORM SYST J

Despite concerns raised by practitioners, the potential downside of the information security demands imposed by organizations on their employees has received limited scholarly attention. Our research focuses on information security fatigue (hereafter security fatigue), which is defined as a socio‐emotional state experienced by an individual who is tired of and disillusioned with security policies and their associated guidelines and procedures. This research delves into the security fatigue concept, investigates its antecedents and reports how fatigue affects employee security policy compliance (and non‐compliance). Since security fatigue is not well articulated in the literature and there is limited understanding of its antecedents and consequences, we take a research approach that affords novel insight into this phenomenon. Specifically, we conduct 38 in‐depth interviews with business and IT professionals, and then use a qualitative approach to construct a model, including seven research propositions, to highlight the key aspects of security fatigue. Our results indicate that four distinct antecedents contribute to security fatigue, which result in three unique consequences. We discuss security fatigue in relation to past theoretical views and related concepts within the security policy compliance literature and identify directions for future research.

A Usability Comparison of SMS and IVR as Digital Banking Channels

Chapter

Jan 2013

In this paper, the authors compare the usability of SMS mobile banking and automated IVR telephone banking. Participants (N = 116) used SMS banking and IVR banking to find their account balance in a repeated-measures experiment. IVR banking scored higher for usability metrics: effectiveness, attitude, and quality. There was no clear difference in rank order of preference between the two channels. Participants gave positive comments regarding speed and efficiency with SMS banking, but had serious doubts over the security of the SMS channel, impacting consumer trust in SMS banking. The authors argue that usability problems and security concerns are a major factor in the low adoption of SMS mobile banking. Older users were less positive in general to SMS banking compared with the more established IVR banking. Older users had lower first time completion rates for SMS banking and gave IVR banking higher attitude and quality scores.

Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Conference Paper

Full-text available

May 2020

A Study on the Use of Checksums for Integrity Verification of Web Downloads

Article

Nov 2020

App stores provide access to millions of different programs that users can download on their computers. Developers can also make their programs available for download on their websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, as users download the software without any vetting from the developers, they should take the necessary precautions to ensure that it is authentic. One way to accomplish this is to check that the published file’s integrity verification code—the checksum—matches that (if provided) of the downloaded file. To date, however, there is little evidence to suggest that such a process is effective. Even worse, very few usability studies about it exist. In this article, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. First, by means of an in-situ experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month-long in-the-wild experiment with 134 participants, we demonstrate how our proposed solution—a Chrome extension that verifies checksums automatically—significantly reduces human errors, improves coverage, and has only limited impact on usability. It also confirms that, sadly, only a tiny minority of websites that link to executable files in our sample provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers, and content creators to increase the use of file integrity verification on their properties.

A quantitative diary study of perceptions of security in mobile payment transactions

Article

May 2020

While mobile payment services have been flourishing in China, users have continually questioned the security of these transactions. Although customization has been proposed as a vital factor for mobile commerce, minimal knowledge exists regarding how it affects users’ perceived security in mobile payment transactions. A quantitative diary study was therefore conducted to provide insight into the personality traits that motivate customization behaviors in security, and how such behaviors influence perceived security under different use contexts in relation to mobile payments. First, an instrument for the diary study was developed through an interview. Then, 134 responses from mobile payment users were used to examine the relationships between personality traits and customization behaviors. Among them, the diary was completed by 67 mobile payment users who reported their perceived security for 1094 recoded payment events across various use contexts for periods ranging between 5 and 15 days. The results showed that the personality traits of extraversion and intellect influence users’ customization behaviors and these behaviors have a positive effect on perceived security. Additionally, the relationship between customization behaviors and perceived security was moderated by the task and technical contexts. Based on these findings, design implications and opportunities for mobile payment services are described.

A Study on Consumer’s Preference Behavior for Biometrics Technology Using Conjoint Analysis

Article

Nov 2018

The Password is Dead, Long Live the Password – A Laboratory Study on User Perceptions of Authentication Schemes

Article

Aug 2019

Password authentication is still ubiquitous although alternatives have been developed to overcome its shortcomings such as high cognitive load for users. Using an objective rating scheme Bonneau et al. (2012) demonstrated that replacing the password poses a quest that yet remains unsolved. To shine light on this intractable issue we turn towards subjective user perceptions that influence acceptance and actual use of authentication schemes. We first conducted an extensive rating of objective features of authentication schemes to inform our selection of schemes for this research. Building on the findings thereof, 41 users interacted with twelve different authentication schemes in a laboratory study. The participants’ ratings revealed that the password followed by fingerprint authentication scored highest in terms of preference, usability, intention to use and lowest in terms of expected problems and effort. Usability and effort seem to be important factors for users’ preference rating whereas security and privacy ratings were not correlated with preference. One reason for these factors to fall behind might be their opacity and the resulting difficulty to evaluate them from a user perspective. Further, security and usability perceptions deviated from objective factors and should therefore be carefully considered before making decisions in terms of authentication. Suggestions for making security and privacy features more tangible and to allow for an easier integration in the users’ decision process are discussed.

Sicherheit mobiler Bankgeschäfte zwischen Innovation und Regulierung

Thesis

Full-text available

Jan 2019

Vincent Haupert

Seit seiner Einführung besticht das deutsche Onlinebanking mit der Sicherheit einer Zwei-Faktor-Authentifizierung. Obwohl für den Zugang zum Onlinebanking Benutzerkennung und Passwort genügen, müssen Transaktionen durch einen zusätzlichen Faktor bestätigt werden. Zu diesem Zweck fordert die Bank traditionell die Eingabe einer Transaktionsnummer, die der Kunde mithilfe seines Sicherungsverfahrens erhält. Das kontinuierliche Festhalten an dieser Trennung von Transaktionsauslösung und -bestätigung war dabei von einer anhaltenden Verbesserung der Sicherheitseigenschaften der Legitimierungsverfahren begleitet. Dieser Trend droht sich mit der Verfügbarkeit von Smartphones und Tablets jedoch umzukehren und führt im Privatkundengeschäft der Banken zu deutlichen Nutzungs- und Marktverschiebungen. Denn alte wie neue Finanzdienstleister adaptieren eine Strategie, die möglichst alle Prozesse auf innovative Art und Weise durch das Mobilgerät des Kunden abbilden soll. Diese als Mobilebanking bezeichnete Entwicklung begründet nicht nur die Einführung von Banking-Apps und App-basierten Legitimierungsverfahren, sondern auch ein völlig neues Authentifizierungsparadigma, das es im Kontrast zum klassischen Onlinebanking erstmalig ermöglicht, alle Bankgeschäfte von ein und demselben mobilen Endgerät auszulösen und zu bestätigen. Die Dissertation beschäftigt sich mit den Sicherheitsimplikationen, die sich durch das Aufkommen des Mobilebankings ergeben. Hierbei wird in der Arbeit zunächst festgestellt, dass sich mehr Angriffsmöglichkeiten durch Schadprogramme ergeben, als dies bisher der Fall war. Im Zentrum stehen zwei Angriffe: Erstens erlaubt die Softwareimplementierung dem Angreifer, einen Replikationsangriff durchzuführen, bei dem das App-basierte Legitimierungsverfahren in vollem Umfang auf ein unautorisiertes Gerät kopiert wird. Zweitens wird durch die fehlende Medientrennung zwischen Auslösung und Bestätigung die Echtzeitmanipulation einer nutzerinitiierten Transaktion möglich. Beide Angriffe fußen auf konzeptionellen Defiziten, die darauf zurückzuführen sind, dass die Mobilebanking-Verfahren ohne adäquate Hardwaremöglichkeiten zur Absicherung eingeführt wurden. Aus diesem Grund versuchen die Banken ihre Apps durch kommerzielle Härtungsprodukte auf Softwareebene zu schützen. Weiterführende Untersuchungen zeigen solchen Lösungen jedoch klare Grenzen auf und machen deutlich, dass auch sie die konzeptionellen Defizite nicht ausgleichen können. Während den etablierten Banken damit zumindest attestiert werden kann, das strukturelle Sicherheitsrisiko zu kennen und adressieren zu wollen, reichen die Probleme bei neuen Marktteilnehmern weiter. Forschungen im Rahmen dieser Dissertation haben bei dem derzeit führenden deutschen Finanz-Start-up gravierende Sicherheitsmängel identifiziert, die ihre Ursache in einer mangelnden Priorität der IT-Sicherheit finden. Die ermittelten Defizite sind auch in Bezug auf regulatorische Vorgaben zur Sicherheit mobiler Finanzlösungen relevant. Im Rahmen der Zahlungsdiensterichtlinie II hat die Europäische Union Vorgaben auf den Weg gebracht, die ab dem 14. September 2019 in Geltung treten. Die Dissertation beschäftigt sich in diesem Zusammenhang damit, welche Anforderungen an die Sicherheit digitaler Transaktionen allgemein zu stellen sind und konstatiert im Vergleich mit den rechtlichen Vorgaben weitgehende Kompatibilität. Weiterer Untersuchungsgegenstand ist die Richtlinienkonformität gängiger Sicherungsverfahren im Online- und Mobilebanking. Neben der Nichtkonformität listenbasierter Verfahren legt die Arbeit auch eine Unzulänglichkeit von Verfahren auf Basis des SMS-Telekommunikationsdienstes sowie unter der Verwendung von App-basierten Methoden nahe. Obwohl die Richtlinie für eine Erhöhung des Sicherheitsniveaus bei Bankgeschäften sorgt, identifiziert die Abhandlung weitere Schwachstellen im Transaktionsprozess, die von der Regulierung nicht erfasst werden und ihre Ursache auch in menschlichen Faktoren finden. Die Arbeit setzt sich deshalb in einer Nutzerstudie mit der praktischen Sicherheit von Transaktionen beim Onlinebanking auseinander. Die Studie kommt zum Schluss, dass die Teilnehmer sich oft nicht im Klaren sind, welche Schritte für die Sicherheit essentiell sind, weshalb sie Transaktionsdaten gar nicht oder nur fehlerhaft prüfen. Die Banken sind dabei Teil des Problems, da sie dem Kunden mitunter irreführende Informationen zur Verfügung stellen. Die Ergebnisse dieser Arbeit haben aufgrund ihrer angewandten Natur neben der Forschung auch Relevanz für die Öffentlichkeit sowie die Aufsichtsbehörden. Viele Beiträge der Dissertation wurden durch die Presse rezipiert, wodurch ein Sicherheitsbewusstsein für Bankgeschäfte in der Gesamtbevölkerung gefördert wird. Darüber hinaus stellt auch das Bundesamt für Sicherheit in der Informationstechnik die Bedeutung der Arbeit heraus, indem Teile davon Erwähnung im Bericht zur Lage der IT-Sicherheit in Deutschland für das Jahr 2018 fanden.

Implementation of an Additional Factor for Secure Authentication in Online Transactions

Article

Jul 2019

To eradicate financial fraud, governments encourage the digitization of financial transactions, which is also reinforced by the digital economy paradigm. Recently, there has been an exponential increase in the number of e-transactions, and the incidence of cyber crimes related to online transaction fraud has also been increasing. To prevent online transaction fraud, the stakeholders of financial-transaction-related companies have implemented various secured authentication and authorization practices at all levels. In this paper, an additional factor for secure authentication for online transactions has been proposed. A third authentication factor, in addition to Personal Identification Number (PIN) and one time password (OTP), has been proposed, which is based on the global positioning system (GPS) location of the user who initiates the transaction. The strategy is to approve / decline the transaction based on a specified distance constraint between the transaction device and the user’s mobile device; this distance is used as an additional authentication factor (third factor) to verify the online transaction. The main objective of this study is to prevent fraudsters from performing online transactions from devices that do not belong to the user and are not currently in the possession of the user. The simulation results show that a high detection rate, i.e., 98.55%, is obtained using the proposed method.

Usable Security: Why Do We Need It? How Do We Get It?

Chapter

Full-text available

Jan 2005

Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice.

Authentication Mechanisms for E-Voting

Article

Full-text available

Jan 2013

The e-government paradigm became an essential path for governments to reach citizens and businesses and to improve service and public performance. One of the important tools used in political and administrative venues is e-voting, where ICT tools are used to facilitate the process of voting for electing representatives and making decisions. The integrity and image of such applications won't be maintained unless strict measures on security and authenticity are applied. This chapter explores the e-voting process, reviews the authentication techniques and methods that are used in this process and proposed in the literature, and demonstrates few cases of applying e-voting systems from different countries in the world. Conclusions and proposed future work are stated at the end of the chapter.

Moving from the design of usable security technologies to the design of useful secure applications

Article

Full-text available

Sep 2002

Recent results from usability studies of security systems have shown that end-users find them difficult to adopt and use. In this paper we argue that improving the usability of security technology is only one part of the problem, and that what is missed is the need to design usable and useful systems that provide security to end-users in terms of the applications that they use and the tasks they want to achieve. We propose alternate ways of building and integrating security technologies into applications and usability methods for evaluating how successful our prototypes are. We believe that the end results of designing usable and useful (from the end-user perspective) systems will be secure applications which will reflect the needs of users who are increasingly using computers away from the office and in a wider variety of networked configurations.

E-banking and customer preferences in Malaysia: An empirical investigation

Article

Full-text available

Apr 2003
INFORM SCIENCES

This paper examines the current trends in the e-commerce revolution that has set in motion in the Malaysian banking sector and reports on an empirical research that was carried out in Malaysia to study the customers’ preference for electronic banking and the factors, which they considered influenced the adoption of electronic banking. Results based on the analysis of data relating to 300 respondents indicate that while there is no significant differences between the age and educational qualifications of the electronic and conventional banking users, some differences exists on other demographic variables. Analysis further reveals that accessibility of Internet, a wareness of e-banking, and customers’ reluctance to change are the factors that significantly affected the usage of e-banking in Malaysia. The paper discusses on the implications of these. Limitations of the study are highlighted and further research directions are suggested.

Meta-analysis of correlations among usability measures

Conference Paper

Full-text available

Apr 2007

Understanding the relation between usability measures seems crucial to deepen our conception of usability and to select the right measures for usability studies. We present a meta-analysis of correlations among usability measures calculated from the raw data of 73 studies. Correlations are generally low: effectiveness measures (e.g., errors) and efficiency measures (e.g., time) have a correlation of .247 ± .059 (Pearson's product-moment correlation with 95% confidence interval), efficiency and satisfaction (e.g., preference) one of .196 ± .064, and effectiveness and satisfaction one of .164 ± .062. Changes in task complexity do not influence these correlations, but use of more complex measures attenuates them. Standard questionnaires for measuring satisfaction appear more reliable than homegrown ones. Measures of users' perceptions of phenomena are generally not correlated with objective measures of the phenomena. Implications for how to measure usability are drawn and common models of usability are criticized. Author Keywords

Secure Internet banking authentication

Article

Full-text available

Apr 2006

This article classifies common Internet banking authentication methods regarding potential threats and their level of security against common credential stealing and channel breaking attacks, respectively. The authors present two challenge/response Internet banking authentication solutions, one based on short-time passwords and one certificate-based, and relate them to the taxonomy above. There further outline how these solutions can be easily extended for nonrepudiation (that is, transaction signing), should more sophisticated content manipulation attacks become a real problem. Finally, they summarize their view on future requirements for secure Internet banking authentication and conclude by referencing real-live implementations.

Factors Influencing the Adoption of Internet Banking

Article

Jul 2000
J ASSOC INF SYST

Design for usability

Article

Jan 2005

B. Tognazzini

The usability of security devices

Article

Jan 2005

Investigated factors that influenced Internet banking acceptance among retail users of banking services in Malaysia

Article

Jan 2003
INFORM SCIENCES

The memorability and security of passwords

Article

Jan 2005

Psychological acceptability revisited

Article

Jan 2005

M. Bishop

Factors influencing the adoption of internet banking

Article

Jan 2000
J ASSOC INF SYST

Users and trust: A microsoft case study

Article

Jan 2005

C. Nodder

Two-factor authentication

Article

Apr 2005

Bruce Schneier

The Domino Effect of Password Reuse

Article

Apr 2004

The importance of password security which is considered as an essential form of user authentication both on the Internet and for internal organizational computing systems is discussed. Password protection schemes are used to protect relatively low-sensitivity systems such as access to online archives as well as highly sensitive corporate intranets or personal bank accounts. The growth of e-commerce has led to a huge increase in the numbers of passwords required by individual users, very often duplicated over and over throughout the Web. In such an environment, a password, and all the accounts it provides access to, can no more be secure than the weakest system using that password.

Technology: The right tools for the job

Article

Nov 2008

William Knight

Usability and context are often more important than the absolute effectiveness of authentication. It's why the simple password refuses to die, reports William Knight

Human-Computer Interaction

Article

Jan 1994

Current practice in measuring usability: Challenges to usability studies and research

Article

Feb 2006
INT J HUM-COMPUT ST

Kasper Hornbæk

How to measure usability is an important question in HCI research and user interface evaluation. We review current practice in measuring usability by categorizing and discussing usability measures from 180 studies published in core HCI journals and proceedings. The discussion distinguish several problems with the measures, including whether they actually measure usability, if they cover usability broadly, how they are reasoned about, and if they meet recommendations on how to measure usability. In many studies, the choice of and reasoning about usability measures fall short of a valid and reliable account of usability as quality-in-use of the user interface being studied. Based on the review, we discuss challenges for studies of usability and for research into how to measure usability. The challenges are to distinguish and empirically compare subjective and objective measures of usability; to focus on developing and employing measures of learning and retention; to study long-term use and usability; to extend measures of satisfaction beyond post-use questionnaires; to validate and standardize the host of subjective satisfaction questionnaires used; to study correlations between usability measures as a means for validation; and to use both micro and macro tasks and corresponding measures of usability. In conclusion, we argue that increased attention to the problems identified and challenges discussed may strengthen studies of usability and usability research.

Two-factor authentication – a look behind the headlines

Article

Apr 2006

Paul A. Henry

Statements which have appeared in recent months about two-factor authentication are not just incorrect – they are irresponsible. Oversimplification of the October 2005 Federal Financial Institutions Examination Council (FFIEC) recommendations has recently lead to sensational headlines. Another view needs to be voiced.

Securing online banking

Article

Oct 2005

Nigel Reavley

The need for securing online banking services by the banks using cheap, portable EMV-compliant smart card readers, in a bid to protect lucrative banking channel, is discussed. The token-based random number generator systems, such as those available form RSA and Activcard, generate one-time registration passwords and are popular in Sweden. The long-term solution for online authentication, is the use of portable EMV-compliant smart card readers that incorporate a challenge response capability. Some service providers, such as Sweden's Post Girot, plan to develop this solution by expanding their public key infrastructure to include EMV based web authentication.

Password Security: A Case Study

Article

Jan 1979

Chapter 9. Behavioral Research Methods in Human-Computer Interaction

Article

Dec 1997

Thomas K. Landauer

This chapter discusses the conduct of research to guide the development of more useful and usable computer systems. Experimental research in human-computer interaction involves varying the design or deployment of systems, observing the consequences, and inferring from observations what to do differently. For such research to be effective, it must be owned—instituted, trusted and heeded—by those who control the development of new systems. Thus, managers, marketers, systems engineers, project leaders, and designers as well as human factors specialists are important participants in behavioral human-computer interaction research. This chapter is intended as much for those with backgrounds in computer science, engineering, or management as for human factors researchers and cognitive systems designers. It is argued in this chapter that the special goals and difficulties of human-computer interaction research make it different from most psychological research as well as from traditional computer engineering research. The main goal, the improvement of complex, interacting human-computer systems, requires behavioral research but is not sufficiently served by the standard tools of experimental psychology such as factorial controlled experiments on pre-planned variables. The chapter contains about equal quantities of criticism of inappropriate general research methods, description of valuable methods, and prescription of specific useful techniques.

Questionnaires as a software evaluation tool

Article

Jan 1983

This paper reports on a study investigating the strengths and weaknesses of questionnaires as software evaluation tools. Two major influences on the usefulness of questionnaire-based evaluation responses are examined: the administration of the questionnaire, and the background and experience of the respondent. Two questionnaires were administered to a large number of students in an introductory programming class. The questionnaires were also given to a group of more experienced users (including course proctors). Respondents were asked to evaluate the text editor used in the class along a number of dimensions; evaluation responses were solicited using a number of different question types. Another group of students received the questionnaire individually, with part of it presented on the computer; a third group also evaluated an enhanced version of the editor in followup sessions.

On the role of metaphor and language in design of third party payments in eBanking: Usability and quality

Article

Aug 2006

This paper describes results of a usability study of contrasting user-interface designs for Internet Banking (eBanking). Two specific interface metaphors were compared in the first experiment, linear form filling and array editing interaction modes. Terminology in the interaction dialogue was compared in the second experiment, using typical banking language and a generic, plain language interface. This research aimed to perform usability evaluation and comparison of the alternative interface designs to illuminate the development of new eBanking services. This research involved sixty-one participants (Internet users and customers of the involved Bank) exploring the designs in controlled experiments involving hands-on experience. Banks are interested in ensuring their eBanking services are highly customer-centric and that the interface matches customer expectations in order to drive customers towards this lower cost channel. The results of the first experiment (N=32, where N indicates the number of participants in the cohort) concluded that the simple form-filling metaphor, taken from the traditional paper-based procedure, was generally more usable than a Spreadsheet metaphor. In the second experiment (N=29), it was found that although banking terminology was not completely understood across the cohort, the instructional language changes did not impact significantly on usability.

Functionality and usability in design for eStatements in eBanking services

Article

Mar 2007

The current Internet Banking (eBanking) marketplace is highly functionally convergent. Electronic statement (eStatement) functionality is an area of potential competitive advantage. This paper describes an experiment in which a group of bank customers (N = 182) undertook information retrieval tasks using three variants of eStatements functionality incorporated into a working eBanking prototype. The experiment examined how the eStatements service design could influence a customer’s desire to switch from paper statements to online delivery. Three different levels of functionality were assessed for usability and for their impact on the customer’s willingness to switch from paper to eStatements. The methodology of the experimental approach utilised in this research is described. The results provide detailed data to inform the interface design and business case for eStatements. Usability and propensity to switch away from paper were significantly correlated. The data confirm that provision of a functionally sophisticated search engine offers high usability perceptions and scope for significant levels of switching from paper to online statements with associated costs savings.

Security and human computer interfaces

Article

Dec 2003
COMPUT SECUR

Computer users are exposed to technology mainly through user interfaces. Most users' perceptions are based on their experience with these interfaces. HCI (human computer interaction) is concerned with these interfaces and how they can be improved. Considerable research has been conducted and major advances have been made in the area of HCI. Information security is becoming increasingly important and more complex as business is conducted electronically. However, state-of-the-art security-related product development has ignored general aspects of HCI. The objective of this paper is to promote and enable security awareness of end-users in their interaction with computer systems. It thus aims to consolidate and integrate the two fields of information security and HCI. HCI as a research discipline is a well developed field of study, and the authors are of the opinion that the use of security technologies can be significantly enhanced by employing proven HCI concepts in the design of these technologies. In order to achieve this, various criteria for a successful HCI in a security-specific environment will be examined. Part of the Windows XP Internet Connection Firewall will be used as a case study and analysed according to these criteria, and recommendations will be made.

Why users cannot use security

Article

Jun 2005
COMPUT SECUR

Steven Furnell

With an increasing range of potential threats, the use of security within end-user systems and applications is becoming ever more important. However, a significant obstacle to achieving this can be the usability of the security features that are offered, and although related functionality is now provided in a wide range of end-user applications, the users themselves will fail to benefit if they cannot make it work for them. This paper highlights the importance of enabling users to protect themselves, and identifies that they may currently encounter problems in terms of finding, understanding, and ultimately using the security features that are meant to be at their disposal. The security options within Microsoft Word are used to provide illustrative examples of typical problems, with consequent suggestions to improve both the presentation and guidance available to users within such applications.

Diffusion of e-commerce: An analysis of the adoption of four e-commerce activities

Article

Aug 2002

Matthew S Eastin

The Internet has the ability to function as a business medium. Over one-third of US residents use the Internet, and nearly 40% use it as a medium of business (electronic-commerce). As this percentage continues to grow, so does the need to understand why and how users choose to adopt. This information will afford researchers and e-commerce providers a better understanding of how to facilitate future adoption. Through the diffusion of innovations model, this study revisits traditional and current concepts of adoption by investigating the adoption of four e-commerce activities currently available to Internet users: (1) online shopping, (2) online banking, (3) online investing, and (4) electronic payment for an Internet service (i.e., access to exclusive sites). Results indicate that six attributes common to the diffusion model (i.e., perceived convenience and financial benefits, risk, previous use of the telephone for a similar purpose, self-efficacy, and Internet use) all play a significant role in the adoption processes. Results also indicate that when users decide to adopt one of these activities they tend to adopt another. Finally, a discussion explores how to extend the model identified in this study by assessing possible negative outcomes of diffusion.

Computer security impaired by legitimate users

Article

May 2004
COMPUT SECUR

Computer security has traditionally been assessed from a technical point of view. Another way to assess it is by investigating the role played by legitimate users of systems in impairing the level of protection. In order to address this issue, we wish to adopt a multidisciplinary standpoint and investigate some of the human aspects involved in computer security. From research in psychology, it is known that people make biased decisions. They sometimes overlook rules in order to gain maximum benefits for the cost of a given action. This situation leads to insidious security lapses whereby the level of protection is traded-off against usability. In this paper, we highlight the cognitive processes underlying such security impairments. At the end of the paper, we propose a short usability-centred set of recommendations.

Usability and Security An Appraisal of Usability Issues in Information Security Methods

Article

Oct 2001
COMPUT SECUR

In the modern multi-user computer environment, Internet-capable network servers provide connectivi- ty that allows a large portion of the user population to access information at the desktop from sources around the world. Because of the ease with which information can be accessed, computer security breaches may occur unless systems and restricted information stored therein are kept secure. Breaches of security can have serious consequences, including theft of confidential corporate documents, compro- mise of intellectual property, unauthorized modifica- tion of systems and data, denial of service, and others. Considerable research has been conducted on threats to security.

Password Security: An Empirical Study

Article

Mar 1999

Organizations are more dependent than ever on the reliable operation of their information systems, which have become a key to their success and effectiveness. While the growing dependence on information systems creates an urgent need to collect information and make it accessible, the proliferation of computer technology has also spawned opportunities for ill-intentioned individuals to violate the information systems' integrity and validity.One of the most common control mechanisms for authenticating users of computerized information systems is the use of passwords. However, despite the widespread use of passwords, little attention has been given to the characteristics of their actual use. This paper addresses the gap in evaluating the characteristics of real-life passwords and presents the results of an empirical study on password usage. It investigates the core characteristics of user-generated passwords and associations among those characteristics.

Factors Influencing the Adoption of Internet Banking.

Article

Jan 2000

The Internet has been given tremendous publicity in recent years. However, most research focuses on Europe or America rather on than Asian countries. This study hopes to contribute to a better understanding of the Internet phenomenon in Asia by examining the factors influencing the adoption and nonadoption of the Internet among organizations in Singapore. A survey was carried out among business firms to examine the benefits of adopting the Internet, reasons for not adopting the Internet, and the criteria for selecting Internet access service providers. The results showed that key benefits are derived from the global nature of the Internet, which enables access to worldwide information and the creation of a worldwide electronic presence. Nonadopters of the Internet are concerned about whether staff will waste time surfing the Internet. Both access speed and technical support are viewed as important criteria in selecting an Internet access service provider (IASP). Implications of the results are discussed.

Two-factor authentication: too little, too late.

Article

Jan 2005

Bruce Schneier

Legislative mandates potentially replace CIO's primary concerns of technology risk management with the possibility of serving jail time.

The Effects of Information System User Expectations on Their Performance and Perceptions

Article

Dec 1993

The consequences of information system failure become more acute as organizations continue to invest in information technology and application development. Being able to better predict IS failure before implementation of a system could facilitate changes in the information system that can lead to implementation success. The realism of user expectations has been suggested as one possible means of assessing the eventual success or failure of an IS. Cognitive dissonance theory was used to hypothesize the behavior and attitudes of end users having certain expectations of a system. This experiment investigates the association between unrealistic expectations with both users' perceptions (i.e., user satisfaction) and their performance with the IS (i.e., decision performance). A longitudinal experiment was performed in which the expectations of the subjects were manipulated to be unrealistically high, realistically moderate, or unrealistically low. The results suggest an association between realism of users' expectations and their perceptions but not their actual performance. Future research should be directed toward the development of an instrument to measure user expectations, as well as toward understanding the causes of unrealistic user expectations.

Changes in banking sector—The case of Internet banking in UK

Article

Mar 2000
INTERNET RES

The Internet is gaining popularity as a delivery channel in the banking sector. At the same time, customer needs are changing. A total of 12 Internet banking operations in the UK are analysed under customer empowerment functions and Internet banking Web attributes. Internet banking renders location and time irrelevant, and empowers customers with greater control of their accounts. Banks achieve cost and efficiency gains in a large number of operational areas.

Building security and trust in online banking

Article

Apr 2005

Growing threats to online banking security (e.g. phishing, personal identify fraud) and the personal nature of the data make the balance between security, trust and usability vital. However, there is little published research about what influences users' perceptions of online banking security and trust. This study identifies that the type of authentication system used can affect users' subsequent perceived control, situational awareness and trust. The results from a questionnaire and in-depth interviews with 86 participants were triangulated to compare two different authentication processes, namely, a 'security box' (i.e. random system generated passwords at the users' location) and 'fixed passwords' (i.e. user owned and constant). The security box and login procedures were perceived significantly more trustworthy and secure at any location than 'fixed passwords'. Four main concepts were identified: "trust" "the authentication system", "location" and "control". The implications of these findings for HCI are discussed.

The TIPPI point: Toward trustworthy interfaces

Article

Aug 2005

The Trustworthy Interfaces for Passwords and Personal Information workshop brought security and user interface professionals together to determine ways to improve authentication methods so that users won't be tricked by phishers into giving away personal information. The authors consider some of the themes discussed at TIPPI, including the nature of the authentication problem, systems that might help solve it, and other observations on necessary components of secure systems designed for human users.

Comparing passwords, tokens, and biometrics for user authentication

Article

Jan 2004

Lawrence O'Gorman

For decades, the password has been the standard means for user authentication on computers. However, as users are required to remember more, longer, and changing passwords, it is evident that a more convenient and secure solution to user authentication is necessary. This paper examines passwords, security tokens, and biometrics-which we collectively call authenticators-and compares these authenticators and their combinations. We examine their effectiveness against several attacks and suitability for particular security specifications such as compromise detection and nonrepudiation. Examples of authenticator combinations and protocols are described to show tradeoffs and solutions that meet chosen, practical requirements. The paper endeavors to offer a comprehensive picture of user authentication solutions for the purposes of evaluating options for use and identifying deficiencies requiring further research.

Password Security: A Case History

Article

May 2002

This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.

FFIEC releases guidance on authentication in internet banking environment, press release Available from

Jan 2005

Ffiec

FFIEC. FFIEC releases guidance on authentication in internet banking environment, press release. Available from: http:// www.ffiec.gov/press/pr101205.htm; 2005 (accessed 22.07.08).

Design for usability Security and usability. O'Reilly

Jan 2005
31-46

B Tognazzini

Tognazzini B. Design for usability. In: Cranor, Garfinkel, editors. Security and usability. O'Reilly; 2005. p. 31–46 [chapter 3].

Human-computer interaction. Wokingham, UK: Addison-Wesley; 1994. Ranger S. Chip and PIN heads for cyberspace, silicon.com financial services news, CNET networks

Jan 2005
221-42

Reilly J Preece
Rogers Y H Sharp
D Benyon
S Holland
Carey

O'Reilly; 2005. p. 221–42 [chapter 12]. Preece J, Rogers Y, Sharp H, Benyon D, Holland S, Carey T. Human-computer interaction. Wokingham, UK: Addison-Wesley; 1994. Ranger S. Chip and PIN heads for cyberspace, silicon.com financial services news, CNET networks, UK. Available from: http://www.silicon.com/financialservices/0,3800010322, 39152706,00.htm; 2005 (accessed 31.01.07).

Building security and trust in online banking In: Extended abstracts on human factors in computing systems (CHI '05)

Jan 2005
1701-04

Adams M A Nilsson
Herd

Nilsson M, Adams A, Herd S. Building security and trust in online banking. In: Extended abstracts on human factors in computing systems (CHI '05). New York, NY: ACM Press; 2005. pp. 1701–04.

Usability design and evaluation for privacy and security solutions Security and usability. O'Reilly Kline P. The handbook of psychological testing. Routledge; 2000. Knight W. The price of love

Jan 2005
47-7430

Karat
Cm
C Brodie
Karat

Karat CM, Brodie C, Karat J. Usability design and evaluation for privacy and security solutions. In: Cranor, Garfinkel, editors. Security and usability. O'Reilly; 2005. p. 47–74 [chapter 4]. Kline P. The handbook of psychological testing. Routledge; 2000. Knight W. The price of love. Infosecurity 2008;5(1):30–3.

Remote card authentication Available from: http://www. apacs.org.uk/payments_industry/new_technology2.html

Jan 2008

APACS. Remote card authentication. Available from: http://www. apacs.org.uk/payments_industry/new_technology2.html; 2008 (accessed 22.07.08).

Usability design and evaluation for privacy and security solutions

Jan 2005
47-74

Cm Karat
C Brodie
J Karat

Karat CM, Brodie C, Karat J. Usability design and evaluation for privacy and security solutions. In: Cranor, Garfinkel, editors. Security and usability. O'Reilly; 2005. p. 47–74 [chapter 4].

The handbook of psychological testing. Routledge; 2000. Knight W. The price of love

Jan 2008
30-33

P Kline

Kline P. The handbook of psychological testing. Routledge; 2000. Knight W. The price of love. Infosecurity 2008;5(1):30–3.

Research methods in human computer interaction Handbook of human computer interaction. Amsterdam: NorthHolland

Jan 1988
905-933

Tk Landauer

Landauer TK. Research methods in human computer interaction. In: Helander M, editor. Handbook of human computer interaction. Amsterdam: NorthHolland; 1988. p. 905–28.

Chip and PIN heads for cyberspace, silicon.com financial services news, CNET networks, UK. Available from

Jan 2005

S Ranger

Ranger S. Chip and PIN heads for cyberspace, silicon.com financial services news, CNET networks, UK. Available from: http://www.silicon.com/financialservices/0,3800010322, 39152706,00.htm; 2005 (accessed 31.01.07).

User perceptions of security, convenience and usability for ebanking authentication tokens

Abstract

No full-text available

Recommended publications

Perceived Parental Attitudes, the Self, and Security

An analysis of supervisor perceptions in Company XYZ

The dimensions of the quality of service and The private security sector in Spain

Evaluation of Sports Trainers Perceptions on Computer Aided Education Related to the Attitudes towar...