Article

User perceptions of security, convenience and usability for ebanking authentication tokens


Abstract

This research compared three different two-factor methods of eBanking authentication. Three devices employing incremental security layers in the generation of one-time passcodes (OTPs) were compared in a repeated-measures, controlled experiment with 50 eBanking customers. Attitudes towards usability and usage logs were taken for each experience. Comparisons of the devices in terms of overall quality, security and convenience as perceived by participants were also recorded. There were significant differences between all three methods in terms of usability measures, perceived quality, convenience and security ratings – with the perceived security ratings following a reverse order to the other measures. Almost two thirds of the participant sample chose the device they perceived the least secure as their preference. Participants were asked to use their preferred method again and tended to find their chosen device more usable. This research illustrates the usability-security trade-off, where convenience, quality and usability are sacrificed when increasing layers of security are required. In their preferences, customers were driven by their attitudes towards usability and convenience rather than their perceptions of security.


... Infrastructure, e-wallet complexity, cyber security, risk to personal information and fintech laws are just a few of them. Therefore, numerous studies have explored the factors influencing e-wallet adoption, including convenience [25], trust [19], perceived usefulness, and social influence [6]. However, the specific security factors that influence e-wallet adoption in Malaysia have not been comprehensively investigated. ...
... It functions as a deterrent, reducing the chances of identity theft. Authentication has a tremendous impact on the consumer's experience, which influences their decision to use a digital wallet [25,48]. In the meanwhile, authentication plays a critical role in safeguarding e-wallets, requiring installation on dedicated devices and utilizing multifactor operations in today's digital era [3]. ...
... In the meanwhile, authentication plays a critical role in safeguarding e-wallets, requiring installation on dedicated devices and utilizing multifactor operations in today's digital era [3]. According to the findings of the [25] study, the priority of importance among factors is led by authentication methods, with usability and convenience concerns following closely behind. Because client confidence is so important, digital wallet providers must ensure that important components like authentication are properly controlled to establish user trust [49]. ...
... This can also be employed for user security perception of authentication methods, i.e., subjective evaluation of the security of an authentication method. In the authentication context, perceived security was already investigated as one of the factors related to preference to use (e.g., Weir et al. 2009). Importantly, the perceived security of the authentication methods can differ from objective security (Huang et al., 2011). ...
... Efficiency can affect not only satisfaction, but also the perceived security of the authentication method. In the Weir et al. (2009) study, the methods were perceived in the opposite order with regards to perceived security than in the usability case: higher efficiency was related to better usability but also to worse perceived security. Users could be willing to spend more time on authentication, e.g., by adding a second factor for improved security to achieve better protection for some important accounts, for instance for online banking that is one of the critical services/accounts (Reese et al., 2019). ...
... Efficiency with a given method could also improve (i.e., the time necessary to use the method might decrease) after users gain some skills or experience with the respective authentication methods. Weir et al. (2009) showed that the second usage of methods took less time than the initial usage. Nevertheless, this could differ based on the elapsed time between the consecutive uses of the methods. ...
... In the current research, we have a particular interest in understanding the interrelationship of usability and security and their influences on users' perception and behavioural intention towards online authentication systems, specifically an online security card system. Usability and security, two focal attributes that determine people's attitude towards online security systems, are closely involved with each other (Elahi and Yu, 2007; Friedman et al., 2002; Mihajlov et al., 2016; Park et al., 2016; Weir et al., 2009; Zviran and Haga, 1993). Traditionally, the security community has believed usability and security to be competing goals (Elahi and Yu, 2007), such that enhancing usability would reduce the level of security. ...
... Positive roles of usability are well documented in security-related product categories as well. For example, users of e-banking services have been found to prefer the authentication system with the least number of steps among commonly used security methods (Weir et al., 2009). Similarly, highly complex password requirements prevent users from accessing security systems (Zviran and Haga, 1993). ...
... However, we believe that a moderate level of disadvantage in usability may be overcome by repeated usage, especially among those who focus on security over usability in evaluating security services. While there is only limited evidence to support our prediction, one study on user perceptions of e-banking authentication systems (Weir et al., 2009) separately measured users' evaluations after their initial use of three types of tokens and their reuse of the preferred option. The majority of participants in that study preferred the easiest-to-use option, which is consistent with our findings. ...
Article
Purpose: Although the use of online authentication systems in banking services is expanding globally, little is known about cultural differences in forming consumers' responses to these services. This paper examines how the usability of an online security service and culture impact consumers' behaviour. Design/methodology/approach: The authors conduct a 2 (usability: high vs low) × 2 (culture: US vs Korea) between-subjects, full factorial design. Findings: The results indicate a differential influence of the usability of a security system by culture. In particular, US consumers exhibit greater behavioural intention in a high (vs low) usability condition, whereas Korean consumers showed more favourable responses in a low-usability condition. Moreover, perceived effort is confirmed as a crucial mediator that explains the psychological mechanism of the proposed effect. Practical implications: This research contributes to the literature on online banking where security is an important determinant of success. Especially for managers involved in international banking services, the findings of cultural differences offer insights about the importance of local understanding and differentiation of bank services for specific target markets which can enhance consumers' response towards an online security service. Originality/value: The current study is one of a very few attempts to examine the role of usability of an online security system in forming consumers' behavioural intention. More importantly, this study integrates the concept of culture to explain how usability influences positive or negative behavioural intention in an international market.
... Therefore, it is important to know the factors that impact the perceived usability and the perceived security of the authentication methods in online mobile banking before the deployment of a method for broader practice. However, there are few studies that focus on these underlying factors, and they were often conducted on small or student samples that limit the generalization to the wider population (e.g., Weir et al., 2009; Krol et al., 2015; Reese et al., 2019). To overcome this limitation, we collected data from two independent samples of smartphone users that together cover users aged 26 to 82. ...
... Most of them analysed token-based authentication that compared OTP tokens with a display and a button to standard password-based authentication or a card-reader method. Weir et al. (2009) conducted a user study of online banking customers where participants evaluated three two-factor authentication methods (for login and transactions) in terms of usability, security, convenience, and preference. They found the push-button token to be the most usable method, but, at the same time, the participants perceived it to be the least secure. ...
... However, the authors did not provide details about this difference or the specific scores. On the other hand, Weir et al. (2009), who evaluated three two-factor authentication methods for online banking, did not find any statistically significant difference in the security evaluation between men and women. ...
Article
Smartphone authentication is becoming a cornerstone security component, so it is necessary to have methods that are usable and secure to ensure adequate protection, especially for mobile banking. Though biometric authentication seems to be perceived as very usable by users, there is a lack of research to compare smartphone-based fingerprint verification to other authentication methods for mobile banking in terms of usability and perceived security. Using two independent samples, we conducted a study for a younger group aged 26-54 (N = 229) and an older group aged 55+ (N = 239) about their perceptions of the usability and security of four authentication methods: fingerprint, PIN, token, and card reader. All four methods were evaluated positively for both usability and security, with fingerprint verification evaluated as the most usable and the most secure method for mobile banking. Interestingly, none of our hypothesized predictors (i.e., age, gender, education, smartphone self-efficacy, smartphone security behaviour, knowledge of secure smartphone behaviour) was consistently related to how users perceive the usability and security of the examined methods. This suggests that smartphone users would be able to successfully adopt, and be quite satisfied with, any of the tested methods, regardless of demography or smartphone skills.
... However, not all memory strategies are considered risky when being employed to remember passwords; internal memory aids or techniques, such as mnemonics, are considered a secure memory technique to apply in creating, learning, and recalling strong passwords (Nelson and Vu, 2010; Woods, 2019). Nevertheless, it is the user's personal responsibility to invest greater time and effort in using the technique which can be a daunting task, and many are unwilling to do so (Duggan et al., 2012; Nelson and Vu, 2010; Notoatmodjo and Thomborson, 2009; Tam et al., 2010; Weir et al., 2009). Therefore, many users will prioritize convenience over security in their password management (Bang et al., 2012; Tam et al., 2010; Vu et al., 2007; Weir et al., 2009). ...
... A focal point of these user studies was the setup and usage of different two-factor authentication solutions to understand users' attitudes toward 2FA, obstacles for its adoption, and how to improve the usability and user experience. Early works studied two-factor authentication in settings such as online banking [35], [38], [70], [71] or military [63] services. Like other studies of 2FA [10], [20], [21], [25] they found that users consider 2FA to be often burdensome and slow, that convenience trumps perceived security, and that users do not always understand the risks that 2FA tries to remedy. ...
... Several studies [38], [56], [70], [71] compared different options for the second factor to identify option-specific differences in user attitudes and usability, while other works specifically studied security keys [13], [16], [58] or authenticator apps [19]. An interesting aspect of these works [13], [56], [58] for our study is that they differentiated between 2FA setup and login, where users often struggled in the setup due to unclear instructions/workflows. ...
... A focal point of prior user studies was the setup and usage of different two-factor authentication solutions to understand users' attitudes toward 2FA, obstacles for its adoption, and how to improve the usability and user experience. Previous works studied two-factor authentication in settings such as online banking [38], [42], [78], [79] or military [71] services. Like other studies of 2FA [11], [21], [22], [27] they found that users consider 2FA often burdensome and slow, that convenience trumps perceived security, and that users do not always understand the risks that 2FA tries to remedy. ...
... Several studies [42], [63], [78], [79] compared different options for the second factor to identify option-specific differences in user attitudes and usability, while other works specifically studied security keys [14], [17], [65] or authenticator apps [20]. An interesting aspect of those works [14], [63], [65] for our study is that they differentiated between 2FA setup and login, where users often struggled in the setup due to unclear instructions/workflows. ...
Preprint
Heuristics for user experience state that users will transfer their expectations from one product to another. A lack of consistency between products can increase users' cognitive friction, leading to frustration and rejection. This paper presents the first systematic study of the external, functional consistency of two-factor authentication user journeys on top-ranked websites. We find that these websites implement only a minimal number of design aspects consistently (e.g., naming and location of settings) but exhibit mixed design patterns for setup and usage of a second factor. Moreover, we find that some of the more consistently realized aspects, such as descriptions of two-factor authentication, have been described in the literature as problematic and adverse to user experience. Our results advocate for more general UX guidelines for 2FA implementers and raise new research questions about the 2FA user journeys.
... Additionally, several other two-factor authentication alternatives have been studied, for example, by Strouble et al. [59], Weir et al. [64,65], Gunson et al. [33], Krol et al. [44], or De Cristofaro et al. [22]. Summarized, they all revealed that users are not in favor of using specialized hardware for authentication and tend to lose said hardware. ...
... While was shown how to configure the smartphone as a card reading device within the AusweisApp2 client, the video for only demonstrated how to connect the card reader to the laptop via USB. We chose to educate the participants before the study because previous work has shown that a lack of clarity about the process and functionality of an authentication method leads to lower acceptance, lower security ratings, and hesitation to switch to a new authentication method [21,64,65]. ...
... With widespread technology usage being an integral part of most people's lives (Legner et al. 2017), the number of accounts and systems has exponentially increased. This is resulting in users struggling to remember all their passwords, and adopting insecure password behaviours, choosing memorability and/or convenience over password security (Grawemeyer and Johnson 2011; Tam, Glassman, and Vandenwauver 2010; Weir et al. 2009; Zhang et al. 2009). Users will adopt insecure password behaviours such as choosing weak passwords, reusing passwords, writing passwords down and storing them in an unsecured way (Adams and Sasse 1999; Campbell, Kleeman, and Ma 2006; Inglesant and Sasse 2010; Merdenyan and Petrie 2022; Seo and Park 2019; Zhang et al. 2009). ...
... The security of password authentication is a pertinent issue as users often choose memorability over security (Grawemeyer and Johnson 2011; Tam, Glassman, and Vandenwauver 2010; Weir et al. 2009; Zhang et al. 2009). The trade-off between password security and memorability leads to many security breaches that result in financial losses and privacy threats to organisations and home-users (Brostoff and Sasse 2000; Brown et al. 2004; Hayashi et al. 2012; Saastamoinen 2014; Vu et al. 2007). ...
Article
Full-text available
The authentication process is the first line of defence against potential impostors, and therefore is an important concern when protecting personal and organisational data. Although there are many options to authenticate digital users, passwords remain the most common authentication mechanism. However, with password numbers increasing, many users struggle with remembering multiple passwords, which affects their security behaviour. Previous researchers and practitioners have attempted to suggest ways to improve password memorability and security simultaneously. We introduce a novel approach that utilises colour as a memory cue to increase password memorability and security. A longitudinal study examined in total over 3000 passwords that were created, learnt and recalled (password process) over a period of five weeks. By adding colour to the password process, our results suggest that password memorability and security can be increased simultaneously. Giving the user the option of choosing the colours (compared with colours being preselected) encourages users to create more personal and meaningful memory cues when creating their passwords. Additionally, colour also provided another security parameter by increasing password entropy. These unique results have practical implications for researchers and practitioners that could positively impact password security, and the financial losses suffered due to password security breaches.
... Thus, usability issues lead to a low adoption rate [5,32]. More specifically, users perceive the duration of the current two-factor authentication procedures as too long [49] and they criticize the usage of non-personalized devices [48]. ...
... It has been shown that users prefer or choose devices that they already own over additional physical tokens [48]. Users also tend to choose devices for two-factor authentication based on their usability [49]. Ease-of-use, trustworthiness and the required cognitive effort were found as key aspects for defining the usability of two-factor authentication [13]. ...
... The high level of usability has several benefits for users, such as reduced error rate, minimized training requirements, improved acceptance and increased efficiency and productivity (Bevan et al., 2005) and has a strong impact on users with specific needs (Kartakis and Stephanidis, 2010). Also, on the basis of two different research studies of eBanking conducted by Weir et al. (2009, 2010), it can be concluded that increased usability leads to poorer security and vice versa. Furthermore, the high level of usability is related to complexity. ...
... Convenience is also an important factor in all commercial systems. Its importance is especially emphasized in eBanking services where convenience has higher priority than security (Centeno, 2004; Lichtenstein and Williamson, 2006; Weir et al., 2009). This factor is one of the principal motivations underlying user inclinations to use a certain mobile authentication method. ...
Article
The trend of rapid evolutionary development of mobile technologies and the existence of different users' priorities are creating new challenges with regard to selection of multifactor authentication (MFA) solutions. This becomes even more challenging when creating a universal authentication framework (UAF). In order to cope with these challenges, this paper has proposed a Fishbone model and developed it in the form of the UAF, which is based on a larger number of linguistic variables and a wider set of users' priorities such as security, usability, accessibility, pricing, complexity, privacy and convenience (SUAPCPC). In comparison to all other papers available in the literature, the Fishbone model provides numerical evaluation of MFA with the possibility of changing weighted criteria for the selected user priorities. In addition, the contributions of this model are twofold: for users, to enable easier choice of an MFA solution; for developers, to identify spots where a method or solution could be improved. For development of the Fishbone model, fuzzy methodology is used in the form of a Fuzzy Expert System (FES) tool. Also, the block diagram and the basic modules of the Fishbone model architecture are given. The results of implementation of the Fishbone model in the form of the UAF have shown that this model is applicable and very efficient in practice. Finally, the Fishbone model gives an ideal template in UAF at which users' priorities satisfy the best individual users' solutions. The realization of this template presents a challenge for all future developers of MFA solutions.
... A number of studies [6,21,41] have applied those measures to analyze MFA protocols and, in general, solutions for digital authentication. For instance, Weir et al. [41] applied them for the analysis of two-factor authentication protocols where effectiveness was assessed by checking task completion records and usage of help, efficiency by counting the time needed to complete the authentication process and satisfaction by questioning users immediately after they authenticated. The same usability metrics were used in [21], where a broader scope of MFA protocols was investigated. ...
Article
Full-text available
In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.
... Security When using Chat GPT, my information cannot be viewed by other users. Gorla, Somers, and Wong (2010); Koufaris and Hampton-Sosa (2004); Weir et al. (2009) My personal information is secured when using Chat GPT. When using Chat GPT, the collected information and data are not altered or deleted. ...
... In the study with 50 e-banking users, Weir et al. [33] found a push-button token as the most usable, a card-activated token as moderate, and a PIN-secured token to be perceived as the least usable. For the perceived security, the order was precisely the opposite. ...
Conference Paper
The role of user authentication in software repositories can significantly impact those using open-source projects as a basis for their products. In addition to highlighting the importance of authentication in software supply chain security, we surveyed open-source developers to identify if these IT professionals take advantage of more secure authentication methods in open-source projects to mitigate common risks. We present results from a survey of 83 employees of an open-source software company. We found that these users mostly use two-factor authentication and perceive username and password as the most usable method. Regarding security, hardware and software tokens were perceived as the most secure methods. Using a third-party service for fallback authentication emerged as a non-preferred solution.
... Weir et al. [27] compared the usability of three two-factor authentications: push-button tokens, card-activated tokens, and PIN-activated tokens. The study aimed to measure the time required for authentication and user satisfaction. ...
Preprint
Full-text available
The role of user authentication in software repositories can significantly impact those using open-source projects as a basis for their products. In addition to highlighting the importance of authentication in software supply chain security, we surveyed open-source developers to identify if these IT professionals take advantage of more secure authentication methods in open-source projects to mitigate common risks. We present results from a survey of 83 employees of an open-source software company. We found that these users mostly use two-factor authentication and perceive username and password as the most usable method. Regarding security, hardware and software tokens were perceived as the most secure methods. Using a third-party service for fallback authentication emerged as a non-preferred solution.
... As for the direct drivers of use intent, perceived benefits and trust significantly affect use intention, but perceived risk is not significant. This finding is consistent with those of Wan et al. (2016) in the P2P lending context and Weir et al. (2009) in the e-banking context. This implies that risk is a less important consideration when it comes to the formation of use intention for financial services, probably because users have already established trust in e-payment service vendors' security assurance efforts after some years of development, or because users are willing to bear some risks in exchange for such benefits as the convenience of making payments online. ...
... An exemplary situation of this would be the OTP code verification that consumers are required to do in order to complete their payment transactions. Authentication significantly impacts consumer experience, which impacts their digital wallet adoption decision [52]-[54]. Because confidence is a significant influencing factor, digital wallet companies must guarantee that relevant aspects such as authentication are adequately regulated to build customer confidence [55]. ...
Article
Full-text available
This study aimed to determine an efficient framework that caters to the security and consumer satisfaction for digital wallet systems. A quantitative online survey was carried out to test whether the six factors (i.e., transaction speed, authentication, encryption mechanisms, software performance, privacy details, and information provided) positively or negatively impact customer satisfaction. This questionnaire was divided into two sections: the respondents’ demographic data and a survey on security factors that influence customer satisfaction. The questionnaires were distributed to the National University of Malaysia’s professors and students. A sample of 300 respondents undertook the survey. The survey results suggested that many respondents agreed that the stated security factors influenced their satisfaction when using digital wallets. Previous studies indicated that financial security, privacy, system security, cybercrime, and trust impact online purchase intention. The proposed framework in this research explicitly covers the security factors of the digital wallet. This study may help digital wallet providers understand the customer's perspective on digital wallet security aspects, therefore motivating providers to implement appropriately designed regulations that will attract customers to utilize digital wallet services. Formulating appropriate security regulations will generate long-term value, leading to greater digital wallet adoption rates.
... In contrast, its monetary tokenization serves as a security measure to safeguard from unauthorized breaches. While studies seem to suggest that perceived convenience contributes to mobile payment adoption and perceived security requires further investigation (Lai et al., 2019;Weir, Douglas, Carruthers, & Jack, 2009), Burmeister (2015) stressed the importance of security over convenience. Still, little is known whether perceived convenience and perceived security should co-exist for mobile payment adoption or would be a trade-off with an inverse relationship. ...
Article
Full-text available
Integrating gamification into a mobile payment platform incentivizes people to use digital alternatives for payment and could spur user-centric, platform-mediated interactions. This study examines the relationship between perceived convenience and perceived security on individual users' intention to use a gamified mobile payment platform in Malaysia, a developing country envisioned to build a cashless society. The partial least squares structural equation modeling (PLS-SEM) technique is employed on a final sample of 388 online users. The results show that perceived convenience has a strong but indirect effect on the intention to use. Perceived security has a strong and direct effect on intention to use and mediates the relationship between perceived convenience and intention to use. Furthermore, the reliability aspect of security is a top priority concern for users interested in using mobile payment. The multi-functional aspect of convenience is a top priority concern to attract users who are not interested in using mobile payment at first. The study discusses theoretical and practical implications for developing a dual strategy of 'ensuring convenience' and 'assuring security' to encourage the gamified mobile payment platform adoption in developing countries.
... To better understand the formation of attitudinal ambivalence in the context of information security, we will investigate which facets of the protection behavior are evaluated simultaneously that can give rise to the experience of attitudinal ambivalence. Prior research has shown that security is a tradeoff with convenience [37,95]. For instance, the most common way for user authentication is to use a password, even though it is vulnerable to cyberattacks. ...
Article
Full-text available
A popular information security-related motivation theory is the Protection Motivation Theory (PMT) that has been studied extensively in many information security contexts with promising results. However, prior studies have found inconsistent findings regarding the relationships within PMT. To shed light on these inconsistent findings, we introduce the attitudinal ambivalence theory to open the black box within PMT. We tested our model on data collected from 1,383 individuals facing potential cyberattacks on their emails in a field experiment. The results of polynomial regression with response surface analysis showed that attitudinal ambivalence is generated from the opposition between an individual's evaluations of maladaptive rewards and social norms (i.e., descriptive norm and subjective norm). This attitudinal ambivalence, in turn, affects individuals' evaluations of their coping appraisal process and protection motivation, and ultimately protection behavior. We discuss the theoretical and managerial implications of identifying the determinants and outcomes of attitudinal ambivalence in the information security context. From a theoretical standpoint, our work contributes to the information security literature by incorporating attitudinal ambivalence, which arises from the intrapersonal and interpersonal appraisal processes, into PMT. From a practical standpoint, our work provides insights into designing effective fear appeals to avoid triggering attitudinal ambivalence and thus encouraging adoption of security protection behavior.
... Finally, only a few of the respondents (27.1%) worked in organisations that allowed staff to store official documents in their personal cloud. It is necessary to posit that evidence suggests a trade-off between security and convenience, and technology users are initially inclined to choose a convenient option over a secure option (Kim & Park, 2012; Weir, Douglas, Carruthers, & Jack, 2009). It appears from the data that some of the organisations were more concerned about security than the convenience of technology use of their staff. ...
Article
Full-text available
The study was conducted to identify social media, mobile and cloud (SoMoClo) technologies used by Nigerian professional accountants. It also performed predictive analysis of Accountants' Training Framework (ATF) and Perception (PCT) on professional accountants' use of SoMoClo technologies. Using survey design, the study administered an online questionnaire among professional accountants in Nigeria. Some items in the survey were taken from already validated items in literature, especially from popular theories of technology use. Data were analysed using both descriptive statistics (frequency, mean, mode, and standard deviation) and inferential statistics – binary logistic regression. Findings showed that Nigerian professional accountants claim to proficiently use SoMoClo technologies in their professional capacities. ATF and PCT contributed (in)significantly to the prediction of self-reported use of and intention to use SoMoClo technologies among Nigerian professional accountants. The overarching disruptive and transformative tendencies and evidence of technology are an incentive for professional accountants to constantly unlearn, relearn, initiate, adopt and adjust to emerging trends in the practice of their profession. This study brings to bear the significance of the ATF as a predictor variable for use of technology. A new model for the measurement of “use” – willingness, readiness and ableness (WRA) framework – was tested.
... MFA does solve this problem to a greater extent, but it also has a downside in terms of user inconvenience and time taken to log in. In MFA, users are asked to provide additional details such as a one-time password, security question, etc. during login, which takes extra time and in turn causes inconvenience to the end-user (Weir et al., 2009). With AI-enabled authentication, such problems could be avoided, thereby improving users' overall experience and bringing efficiency in service delivery of RPs. ...
Article
Full-text available
Purpose–This conceptual article’s primary aim is to identify the significant stakeholders of the digital identity system (DIS) and then highlight the impact of artificial intelligence (AI) on each of the identified stakeholders. It also recommends vital points that could be considered by policymakers while developing technology-related policies for effective DIS. Design/methodology/approach–This article uses stakeholder methodology and design theory (DT) as a primary theoretical lens along with the innovation diffusion theory (IDT) as a sub-theory. This article is based on the analysis of existing literature that mainly comprises academic literature, official reports, whitepapers and publicly available domain experts’ interviews. Findings–The study identified six significant stakeholders, i.e. government, citizens, infrastructure providers, identity providers (IdP), judiciary and relying parties (RPs) of the DIS from the secondary data. Also, the role of IdP becomes insignificant in the context of AI-enabled digital identity systems (AIeDIS). The findings depict that AIeDIS can positively impact the DIS stakeholders by solving a range of problems such as identity theft, unauthorised access and credential misuse, and will also open a possibility of new ways to empower all the stakeholders. Research limitations/implications–The study is based on secondary data and has considered DIS stakeholders from a generic perspective. Incorporating expert opinion and empirical validation of the hypothesis could derive more specific and context-aware insights. Practical implications–The study could facilitate stakeholders to enrich further their understanding and significance of developing sustainable and future-ready DIS by highlighting the impact of AI on the digital identity ecosystem.
Originality/value–To the best of the authors’ knowledge, this article is the first of its kind that has used stakeholder theory, DT and IDT to explain the design and developmental phenomenon of AIeDIS. A list of six significant stakeholders of DIS, i.e. government, citizens, infrastructure providers, IdP, judiciary and RP, is identified through comprehensive literature analysis.
... Some of these studies deal with the effect of perceptual design features on perceived security. For instance, using different tokens for eBanking authentication, Weir et al. (2009) have found that the perceived security levels were rated as the highest for the PIN-secured token and lowest for push-button token. In the same way, visual features (e.g., color, layout of computer interfaces, and type of materials) affect the perception of trustworthiness in e-commerce (Kim & Moon, 1998). ...
Article
The feeling of security in your own home is given both by the minimization of the real risk of infringement and by the conditions for minimizing the psychological threats experienced by the user. This study investigates the impact of visual design factors on perceived security of security doors. Experiment 1 verified the effect of different security door models on perceived security. For each model, participants indicated the perceived security on a 7-point rating scale. In the second experiment, 308 naïve participants estimated the perceived security of the security doors with ten morphological modifications (asymmetry; curved edges; reduced colorfulness; rhomboid panels; relief mullions; nails; engraved texture; electronic lock; double lock; bronze door handle). The influence of visual design factors on perceived security was confirmed in experiment 1. The results also show that asymmetry, nails and an electronic lock increase perceived security significantly. Finally, the findings in relation to the design of security doors are discussed.
... As for the direct drivers of use intent, perceived benefits and trust significantly affect use intention, but perceived risk is not significant. This finding is consistent with those of Wan et al. (2016) in the P2P lending context and Weir et al. (2009) in the e-banking context. This implies that risk is a less important consideration when it comes to the formation of use intention for financial services, probably because users have already established trust in e-payment service vendors' security assurance efforts after some years of development, or because users are willing to bear some risks in exchange for such benefits as the convenience of making payments online. ...
... Not every payment transaction carries the same level of risk. There is also a common perception that usability and security are competing goals [38,39], so it would be valuable to create a solution that improves the usability of card-present payment transactions without destroying their security. ...
Article
Full-text available
Electronic card payments are getting more and more popular, mainly because of their simplicity, convenience, processing time and high level of security. The fact that a single payment card is issued for a particular cardholder makes it possible to link a card to various services. In this paper, we investigated a usage of a payment card in the loyalty program that incorporates our Contextual Risk Management System (CRMS) to assure a novel intangible reward: Shorter transaction processing time. In the beginning, we emphasize the importance of soft benefits in modern loyalty programs and recall the risk management algorithms and the reputation system that has been used in the CRMS. Then, using an extensive dataset of 2.5 million payment transaction traces (collected within a year from 68 terminals) we estimate potential benefits for merchants and cardholders and try to predict an effect of this system for the future. We also discuss the impact of this system on the real and user-perceived security level.
... It should cover several important aspects such as data privacy [1], data access and data integrity [2]. Various methods of data security such as Smart Card usage, Token, Key and biometric have been implemented to ensure the safety of the data in a system [3,4]. This article will explain the data security management using biometric methods. ...
Article
Full-text available
Computer security is a process that controls the entire information system, including network, system and hardware. Important information that must be controlled in a system is the data or information contained in a system. Various methods have been used to ensure that only users with legitimate access to data can use a system. Usernames and passwords have been a common practice by many systems as the first requirement to be fulfilled to access the system, but some systems use the secondary verification for additional confirmation. In this article, Keystroke Dynamics has been used as the user’s second level authentication for the systems that use the keyboard to login into a system. A common problem of system intrusions is that the system fails to identify the user who signs in using the keyboard when the login is correct. There is a possibility that someone else tries to break into the system. To ensure and improve users’ recognition who use the keyboard to enter their logins into the system, Keystroke Dynamics is used as a next-level verification if the login is correct. Soft biometrics is used in the user authentication process using KD method in this study. The soft biometric elements used in this study are culture, gender, educational level (CGPA - Cumulative Grade Point Average) and region of birth (ROB). All of these four soft biometric elements are expected to enhance capabilities in the user authentication process.
... TAM is found to have sufficient explanatory power and the researcher can add more factors or moderators to improve it (Sun & Zhang, 2006). The current study model expands the TAM model and scope of the MBS adoption decision by combining five external latent variables such as perceived risk from perceived risk theory, Binioris, & Polychronopoulos, 2012; Law, 2007; Weir, Douglas, Carruthers, & Jack, 2009), privacy (Chen, 2013; Law, 2007; Mukhtar, 2015), and website usability (Aboobucker & Bao, 2018; Casaló, Flavián, & Guinaliu, 2008; Hasbullah et al., 2016). However, the researchers in all these studies have concentrated on the factors which hinder the MBS usage; no past studies have examined subjective norms, trust, risk, privacy, and website usability in one model together with an average impact that greatly inhibits the usage of MBS. ...
Article
Full-text available
Purpose The main objective of this study is to expand the technology acceptance model (TAM) by examining the factors affecting the adoption of mobile banking services by the customers of Palestinian banks and to design a comprehensive model based on TAM and TPB and additional constructs. Design/methodology/approach This study used the quantitative approach with cross sectional research design and a questionnaire as a data tool. From the six big cities in Palestine, we surveyed 1000 banking consumers. The samples include different characteristics. For construct relationship analysis this study applied partial least squares (PLS). Findings The study framework provides a complete view of mobile banking services. This framework takes into consideration more determinants for prediction than other studies on the adoption of innovations. The results of using this model managed to clarify nearly 77.4 percent of the dependent variable (intention to adopt mobile banking service) variation. This is a much greater value than those of the previous studies. Moreover, this study found that the perceived risk has a negative effect on consumers’ intention to use mobile banking services. Attitude, facilitating conditions, perceived ease of use, website usability, and perceived trust were identified as the important variables that have a significant positive effect on the consumers’ intention to use mobile banking services in Palestine. Originality/value – the findings can be used by financial institutions and banks to enhance the usage rate of consumers’ adoption and to develop their strategies.
... Thus, it is authenticated. While the security offered by TFA techniques is undoubtedly higher than traditional mechanisms based on credentials only, its adoption, optional in most of the cases, is still not diffused. Indeed, most users still prefer the single authentication shot, mainly because of the extra effort required by legacy TFA techniques, always requiring explicit user interactions and not suitable for blind or visually impaired users [52], [53]. These drawbacks have motivated significant efforts in the last years, both by industries and academia, to develop more usable TFA schemes, eventually requiring zero interactions from the user. ...
1 https://en.wikipedia.org/wiki/List of data breaches
Article
Full-text available
Short-range audio channels have appealing distinguishing characteristics: ease of use, low deployment costs, and easy to tune frequencies, to cite a few. Moreover, thanks to their seamless adaptability to the security context, many techniques and tools based on audio signals have been recently proposed. However, while the most promising solutions are turning into valuable commercial products, acoustic channels are also increasingly used to launch attacks against systems and devices, leading to security concerns that could thwart their adoption. To provide a rigorous, scientific, security-oriented review of the field, in this paper we survey and classify methods, applications, and use-cases rooted on short-range audio channels for the provisioning of security services—including Two-Factor Authentication techniques, pairing solutions, device authorization strategies, defense methodologies, and attack schemes. Moreover, we also point out the strengths and weaknesses deriving from the use of short-range audio channels. Finally, we provide open research issues in the context of short-range audio channels security, calling for contributions from both academia and industry.
... While the security offered by TFA techniques is undoubtedly higher than traditional mechanisms based on credentials only, its adoption, optional in most of the cases, is still not diffused. Indeed, most users still prefer the single authentication shot, mainly because of the extra effort required by legacy TFA techniques, always requiring explicit user interactions and not suitable for blind or visually impaired users [51], [52]. These drawbacks have motivated significant efforts in the last years, both by industries and academia, to develop more usable TFA schemes, eventually requiring zero interactions from the user. ...
Preprint
Full-text available
Short-range audio channels have a few distinguishing characteristics: ease of use, low deployment costs, and easy to tune frequencies, to cite a few. Moreover, thanks to their seamless adaptability to the security context, many techniques and tools based on audio signals have been recently proposed. However, while the most promising solutions are turning into valuable commercial products, acoustic channels are increasingly used also to launch attacks against systems and devices, leading to security concerns that could thwart their adoption. To provide a rigorous, scientific, security-oriented review of the field, in this paper we survey and classify methods, applications, and use-cases rooted on short-range audio channels for the provisioning of security services---including Two-Factor Authentication techniques, pairing solutions, device authorization strategies, defense methodologies, and attack schemes. Moreover, we also point out the strengths and weaknesses deriving from the use of short-range audio channels. Finally, we provide open research issues in the context of short-range audio channels security, calling for contributions from both academia and industry.
... One of the issues includes usability while trying to achieve a higher level of security. Many user authentication system designs are tilted more toward the security aspect of it, but users are driven more toward convenience and usability of the mobile device security mechanism (Weir et al., 2009). There should be a convenient level of trade-off between usability and security in the design of a convenient user authentication system (Schultz et al., 2001; Dourish and Redmiles, 2002; Braz et al., 2007). ...
Thesis
Full-text available
There has been tremendous growth of mobile devices, which includes mobile phones, tablets etc. in recent years. The use of mobile phones is more prevalent due to their increasing functionality and capacity. Most of the mobile phones available now are smart phones with better processing capability, hence their deployment for processing large volumes of information. The information contained in these smart phones needs to be protected against unauthorised persons getting hold of personal data. To verify a legitimate user before accessing the phone information, the user authentication mechanism should be robust enough to meet present security challenges. The present approach for user authentication is cumbersome and fails to consider the human factor. The point-of-entry mechanism is intrusive, which forces users to authenticate always irrespective of the time interval. The use of biometrics is identified as a more reliable method for implementing a transparent and non-intrusive user authentication. Transparent authentication using biometrics provides the opportunity for more convenient and secure authentication over secret-knowledge or token-based approaches. The ability to apply biometrics in a transparent manner improves the authentication security by providing a reliable way for smart phone user authentication. As such, research is required to investigate new modalities that would easily operate within the constraints of a continuous and transparent authentication system. This thesis explores the use of bioelectrical signals and contextual information for a non-intrusive approach to authenticating a user of a mobile device. From fusion of bioelectrical signals and context awareness information, three algorithms were created to discriminate subjects with overall Equal Error Rates (EER) of 3.4%, 2.04% and 0.27% respectively.
Based on the analysis from the multi-algorithm implementation, a novel architecture is proposed using a multi-algorithm biometric authentication system for authenticating a user of a smart phone. The framework is designed to be continuous and transparent, with the application of advanced intelligence to further improve the authentication result. With the proposed framework, it removes the inconvenience of password/passphrase memorability, carrying of a token or capturing a biometric sample in an intrusive manner. The framework is evaluated through simulation with the application of a voting scheme. The simulation of the voting scheme using majority voting improved the performance of the combined algorithm (security level 2) to FRR of 22% and FAR of 0%, the Active algorithm (security level 2) to FRR of 14.33% and FAR of 0%, while the Non-active algorithm (security level 3) reached FRR of 10.33% and FAR of 0%.
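The Keystroke Dynamics article above describes a second-level check on typing behaviour, and the thesis abstract just above reports biometric results as EER, FAR and FRR. The following is an added example, not code from either work: it enrols a timing profile from dwell and flight times, scores a login attempt with a scaled Manhattan distance (a common keystroke-dynamics scorer; the two papers do not state which scorer they used), and sweeps thresholds to find the equal error rate. All key-event timings are constructed for illustration.

```python
"""Keystroke-dynamics second factor: enrol a timing profile, score a login attempt,
and measure FAR/FRR/EER.  Added example; not code from either cited work.
All timings below are constructed, not measured."""
from statistics import mean

# A keystroke event is (key, key_down_ms, key_up_ms), relative to the first key-down.
KeyEvent = tuple[str, int, int]


def features(events: list[KeyEvent]) -> list[float]:
    """Dwell time per key, followed by flight time (key-up to next key-down)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return [float(v) for v in dwell + flight]


def enrol(samples: list[list[KeyEvent]]) -> tuple[list[float], list[float]]:
    """Per-feature mean and mean absolute deviation (floored at 1 ms so a perfectly
    consistent enrolment cannot divide by zero)."""
    vectors = [features(s) for s in samples]
    columns = list(zip(*vectors))
    means = [mean(col) for col in columns]
    mads = [max(1.0, mean(abs(v - m) for v in col)) for col, m in zip(columns, means)]
    return means, mads


def score(profile: tuple[list[float], list[float]], events: list[KeyEvent]) -> float:
    """Scaled Manhattan distance to the enrolled profile; lower is closer to the user."""
    means, mads = profile
    return sum(abs(x - m) / d for x, m, d in zip(features(events), means, mads))


def verify(profile, events: list[KeyEvent], threshold: float) -> bool:
    return score(profile, events) <= threshold


def equal_error_rate(genuine: list[float], impostor: list[float]) -> tuple[float, float]:
    """Sweep candidate thresholds over the observed scores; FAR is the fraction of
    impostor scores accepted, FRR the fraction of genuine scores rejected.
    Returns (EER, threshold) at the point where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far = sum(s <= t for s in impostor) / len(impostor)
        frr = sum(s > t for s in genuine) / len(genuine)
        cand = (abs(far - frr), (far + frr) / 2, t)
        if best is None or cand < best:
            best = cand
    return best[1], best[2]


# Constructed timings (ms) for the 3-key login "abc": three enrolment samples, one
# genuine login attempt, and one impostor typing the same (stolen) password.
ENROL = [
    [("a", 0, 100), ("b", 250, 360), ("c", 520, 610)],
    [("a", 0, 110), ("b", 250, 350), ("c", 520, 620)],
    [("a", 0, 90), ("b", 250, 370), ("c", 520, 630)],
]
GENUINE_ATTEMPT = [("a", 0, 105), ("b", 260, 365), ("c", 530, 625)]
IMPOSTOR_ATTEMPT = [("a", 0, 60), ("b", 280, 350), ("c", 590, 655)]
THRESHOLD = 10.0  # assumed operating point; in practice set from the EER sweep


def demo() -> dict:
    profile = enrol(ENROL)
    return {
        "genuine_score": score(profile, GENUINE_ATTEMPT),
        "impostor_score": score(profile, IMPOSTOR_ATTEMPT),
        "genuine_accepted": verify(profile, GENUINE_ATTEMPT, THRESHOLD),
        "impostor_accepted": verify(profile, IMPOSTOR_ATTEMPT, THRESHOLD),
    }


if __name__ == "__main__":
    print(demo())
    # Constructed score populations from many sessions, to show the EER sweep.
    print(equal_error_rate([2.0, 3.75, 5.0, 8.0], [6.0, 12.0, 30.0, 39.75]))
```

The threshold is the usability-versus-security dial the cited papers keep returning to: raising it lowers FRR (fewer genuine users bounced) and raises FAR, and the EER sweep is the usual way to report where the two curves cross before a deployment picks a point on one side of it.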
... Guaranteeing secure and reliable transactions over untrusted channels is a classical branch of research in security. Traditional approaches to establish trust between front-end terminals and remote servers leverage (i) challenge-based proof-of-identity schemes (such as Bank of America's SiteKey [9,10]); (ii) additional personal devices (including mobile phones) [11,12,13], possibly enriched with (iii) biometric measurements [14]. Again, the tradeoff between usability and security is still a matter of major concern [16,17,18]. Unskilled people may not be able to deal with such devices, while in certain application scenarios (e.g., rural areas), personal devices might not be available. ...
Chapter
Nowadays, plenty of digital services are provided to citizens by means of terminals located in public unguarded places. In order to access the desired service, users authenticate themselves by providing their credentials through such terminals. This approach opens up the problem of fraudulent devices that could be installed in place of regular terminals to capture users’ confidential information. Indeed, despite the development of increasingly secure systems aiming at guaranteeing an acceptable security level, users are frequently unable to distinguish between terminals on which security measures are enforced (trusted terminals) and malicious terminals that pretend to be trusted.
Chapter
Online payment transaction system is playing a crucial role in the economic development of countries. It indicates the growth in revenue generation and reduction of black money. This chapter aims to know the genesis of online payment transaction system using plastic money card. The development and enhancement in security for online payment transaction system due to the rise in plastic money card fraud with change in innovative and sophisticated fraudulent patterns of cybercriminals, fraudsters, or hackers is the reason behind the study. This chapter presents the growth of the online payment transaction system from start to present and the drivers behind its development, including digital technological development, COVID-19, and the requirements of customers. This chapter elaborates on the worldwide adoption of online payment transactions along with its consequences in terms of online payment transaction fraud. This chapter illustrates the online payment transaction system using plastic money cards and various options to perform transactions. This chapter also presents the various security measures of online payment transaction system and plastic money card. Lastly, this chapter demonstrates the reason behind adopting online payment transactions, including significance, requirements, and benefits.
Article
Full-text available
The widespread adoption of digital payment systems has significantly improved transaction convenience and efficiency but also introduced significant risks related to the security of Personally Identifiable Information (PII). This document examines the complexities of protecting PII in an era where financial interactions are increasingly digital. It identifies critical vulnerabilities that arise from sophisticated cyber-attacks, phishing schemes, and the broader implications of system and network weaknesses. Through a thorough evaluation of existing and innovative security measures-such as encryption, tokenization, and advanced authentication processes-the document outlines effective strategies to mitigate these risks. It emphasizes the importance of ongoing adaptation to security practices, integrating cutting-edge technologies, and cultivating a comprehensive security culture within organizations. The overarching goal is to enhance the integrity and confidentiality of sensitive data in digital financial environments, ensuring that privacy and security evolve in tandem with technological advancements.
Thesis
The continuous rates of account hacking and data leaks have put online users at risk of losing valuable data. Traditional password-based authentication has failed to suffice, as hackers have found it very easy to breach these protocols and get hold of users’ data. This has led to the development of more secure protocols like FIDO2 passwordless authentication. Thus, this research was undertaken to investigate the Effectiveness of FIDO2 Passwordless Authentication for Online Users. One of the objectives of this research is to investigate how passwordless authentication can help solve the security issues that arise for users in an online environment. The study made use of both primary data and secondary data. The study found that FIDO2 passwordless authentication is a very secure method of protecting online users; however, the risk of losing the security key and the hassle involved in retrieving access have limited the adoption of the authentication protocol. The research however recommends that the FIDO Alliance should develop easier methods of recovery. This would help improve user experience and lead to a higher adoption rate.
Article
Full-text available
Two-factor authentication (2FA) is a recommended or imposed authentication mechanism for valuable online assets. However, 2FA mechanisms usually exhibit user experience issues that create user friction and even lead to poor acceptance, hampering the wider spread of 2FA. In this paper, we investigate user perceptions of 2FA through in-depth interviews with 42 participants, revealing key requirements that are not well met today despite recently emerged 2FA solutions. First, we investigate past experiences with authentication mechanisms emphasizing problems and aspects that hamper good user experience. Second, we investigate the different authentication factors more closely. Our results reveal particularly interesting preferences regarding the authentication factor ”ownership” in terms of properties, physical realizations, and interaction. These findings suggest a path towards 2FA mechanisms with considerably better user experience, promising to improve the acceptance and hence, the proliferation of 2FA for the benefit of security in the digital world.
Chapter
The chapter starts with discussing how hacker's demography and their culture have been changing over the years. Then it proceeds with presenting hacking attacks, techniques, and tools as well as anti‐hacking protection mechanisms. In the second part, it moves to the ordinary user's profiles and authentication. Here we show how to employ data science and statistical approaches to find out and analyze user's characteristics and their influence on the security level of their computer practice. The chapter presents the computer device security evaluation procedures. It discusses how to conduct analysis, observations, results, and recommendations for users to improve their overall security practices and the security of their devices. Also, it examines the hacking web fingerprinting attacks against the privacy protection TOR technology that utilizes machine learning as well as possible protection mechanisms. Examples and use cases are included.
Chapter
One Time Password (OTP) is the most prevalent 2FA method among users and service providers worldwide. It is imperative to assess this 2FA scheme’s security from multiple perspectives, considering its ubiquitous presence in the user’s day-to-day activities. In this work, we assess the security of seven commercially deployed OTP-2FA schemes against malware in the terminal attack model without compromising any 2FA device or authentication service. To implement this attack scenario, we develop a combination of attack modules that capture the password and OTP in different ways during the user’s login attempt. At the same time, they originate a fresh concurrent hidden session from within the terminal or remotely to gain possession of the user account without compromising the service, the network or any external device. We examine the implemented attack against seven different popular public services, which mostly use two variants of OTP-2FA, and observed that almost all of them are vulnerable to this attack. Here, the threat model is practical as the attack components can be installed in the user’s terminal without any root/administrator privilege. Moreover, the attack modules require a small number of resources to run. The whole procedure runs from the background, which makes the attack very hidden in nature and attains low detectability when examined against prominent anti-malware programs, indicating a real-world threat. Our findings after the analysis of the OTP-2FA schemes indicate that an adversary who can install malware on the user’s terminal can defeat almost all popular and widely used OTP-2FA schemes, which are vital security components of online accounts and secure financial transactions. The result also points out that the OTP-2FA scheme does not add extra security on top of the password in the presence of a malicious program in the terminal.
Article
Social context is a vital component of Human-Computer Interaction (HCI) design for security; however, there is little discussion about how to provide security functions based on the social context. This study examines the fit between security design and social contexts in mobile payment applications by investigating preferences and perceptions of security design based on the task-technology fit model and the technology acceptance model. To approach fit of security design in different social contexts, this study followed the approach proposed by design science research and employed a full factorial design experiment. We developed two interfaces—a customizable interface without feedback information and a customizable interface with feedback information—and asked participants to modify security settings in the interfaces according to social contexts, conduct payment transactions, and report their perceptions of security and usability in four payment scenarios. The observed behaviors in relation to security settings and perceptions revealed the fit for security settings and feedback design in different social contexts. Implications were provided to allow insights for security design in mobile payment transactions according to social contexts.
Article
Full-text available
Purpose: Social media marketing has expanded drastically over the years; despite that, B2B organizations have been unable to use, adapt, and utilize social media marketing, in comparison to B2C (Business to Consumer) organizations. The study intends to examine the antecedents of social media marketing in Business to Business organizations. Methodology: The hypotheses were tested through a survey conducted with 375 employees, belonging to 16 different B2B industries in Pakistan. Reliability analysis, convergent validity, discriminate validity, regression analysis, and mediation tests were carried out to measure the reliability of the measures and examine the proposed hypotheses. Findings: Findings supported the research model and proposed hypotheses. Results suggested a significant influence of learnability, memorability, perceived barriers, perceived usability, and perceived usefulness on actual use in B2B organizations. Findings also confirm the mediating roles of perceived usability and usefulness in the framework. Practical Implications: Usage and adoption of social media marketing in B2B organizations can be improved if they invest in training programs that facilitate learning and memorability of social media tools. Perceived barriers can be eliminated if companies can reassure employees of the relevance and efficiency of social media marketing in their business environment. Keywords: B2B, Business to Business, Industrial Marketing, Social media, TAM
Article
We present a secure two-factor authentication (TFA) scheme based on the user’s possession of a password and a crypto-capable device. Security is “end-to-end” in the sense that the attacker can attack all parts of the system, including all communication links and any subset of parties (servers, devices, client terminals), can learn users’ passwords, and perform active and passive attacks, online and offline. In all cases the scheme provides the highest attainable security bounds given the set of compromised components. Our solution builds a TFA scheme using any Device-enhanced Password-authenticated Key Exchange (PAKE), defined by Jarecki et al., and any Short Authenticated String (SAS) Message Authentication, defined by Vaudenay. We show an efficient instantiation of this modular construction, which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure. The security of the proposed scheme is proven in a formal model that we formulate as an extension of the traditional PAKE model. We also report on a prototype implementation of our schemes, including TLS-based and PKI-free variants, as well as several instantiations of the SAS mechanism, all demonstrating the practicality of our approach. Finally, we present a usability study evaluating the viability of our protocol contrasted with the traditional PIN-based TFA approach in terms of efficiency, potential for errors, user experience, and security perception of the underlying manual process.
Article
Despite concerns raised by practitioners, the potential downside of the information security demands imposed by organizations on their employees has received limited scholarly attention. Our research focuses on information security fatigue (hereafter security fatigue), which is defined as a socio‐emotional state experienced by an individual who is tired of and disillusioned with security policies and their associated guidelines and procedures. This research delves into the security fatigue concept, investigates its antecedents and reports how fatigue affects employee security policy compliance (and non‐compliance). Since security fatigue is not well articulated in the literature and there is limited understanding of its antecedents and consequences, we take a research approach that affords novel insight into this phenomenon. Specifically, we conduct 38 in‐depth interviews with business and IT professionals, and then use a qualitative approach to construct a model, including seven research propositions, to highlight the key aspects of security fatigue. Our results indicate that four distinct antecedents contribute to security fatigue, which result in three unique consequences. We discuss security fatigue in relation to past theoretical views and related concepts within the security policy compliance literature and identify directions for future research.
Chapter
In this paper, the authors compare the usability of SMS mobile banking and automated IVR telephone banking. Participants (N = 116) used SMS banking and IVR banking to find their account balance in a repeated-measures experiment. IVR banking scored higher for usability metrics: effectiveness, attitude, and quality. There was no clear difference in rank order of preference between the two channels. Participants gave positive comments regarding speed and efficiency with SMS banking, but had serious doubts over the security of the SMS channel, impacting consumer trust in SMS banking. The authors argue that usability problems and security concerns are a major factor in the low adoption of SMS mobile banking. Older users were less positive in general to SMS banking compared with the more established IVR banking. Older users had lower first time completion rates for SMS banking and gave IVR banking higher attitude and quality scores.
Article
App stores provide access to millions of different programs that users can download on their computers. Developers can also make their programs available for download on their websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, as users download the software without any vetting from the developers, they should take the necessary precautions to ensure that it is authentic. One way to accomplish this is to check that the published file’s integrity verification code—the checksum—matches that (if provided) of the downloaded file. To date, however, there is little evidence to suggest that such a process is effective. Even worse, very few usability studies about it exist. In this article, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. First, by means of an in-situ experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month-long in-the-wild experiment with 134 participants, we demonstrate how our proposed solution—a Chrome extension that verifies checksums automatically—significantly reduces human errors, improves coverage, and has only limited impact on usability. It also confirms that, sadly, only a tiny minority of websites that link to executable files in our sample provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers, and content creators to increase the use of file integrity verification on their properties.
Article
While mobile payment services have been flourishing in China, users have continually questioned the security of these transactions. Although customization has been proposed as a vital factor for mobile commerce, minimal knowledge exists regarding how it affects users’ perceived security in mobile payment transactions. A quantitative diary study was therefore conducted to provide insight into the personality traits that motivate customization behaviors in security, and how such behaviors influence perceived security under different use contexts in relation to mobile payments. First, an instrument for the diary study was developed through an interview. Then, 134 responses from mobile payment users were used to examine the relationships between personality traits and customization behaviors. Among them, the diary was completed by 67 mobile payment users who reported their perceived security for 1094 recorded payment events across various use contexts for periods ranging between 5 and 15 days. The results showed that the personality traits of extraversion and intellect influence users’ customization behaviors and these behaviors have a positive effect on perceived security. Additionally, the relationship between customization behaviors and perceived security was moderated by the task and technical contexts. Based on these findings, design implications and opportunities for mobile payment services are described.
Chapter
Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice.
Article
The e-government paradigm became an essential path for governments to reach citizens and businesses and to improve service and public performance. One of the important tools used in political and administrative venues is e-voting, where ICT tools are used to facilitate the process of voting for electing representatives and making decisions. The integrity and image of such applications won't be maintained unless strict measures on security and authenticity are applied. This chapter explores the e-voting process, reviews the authentication techniques and methods that are used in this process and proposed in the literature, and demonstrates a few cases of applying e-voting systems from different countries in the world. Conclusions and proposed future work are stated at the end of the chapter.
Article
Recent results from usability studies of security systems have shown that end-users find them difficult to adopt and use. In this paper we argue that improving the usability of security technology is only one part of the problem, and that what is missed is the need to design usable and useful systems that provide security to end-users in terms of the applications that they use and the tasks they want to achieve. We propose alternate ways of building and integrating security technologies into applications and usability methods for evaluating how successful our prototypes are. We believe that the end results of designing usable and useful (from the end-user perspective) systems will be secure applications which will reflect the needs of users who are increasingly using computers away from the office and in a wider variety of networked configurations.
Article
This paper examines the current trends in the e-commerce revolution that has been set in motion in the Malaysian banking sector and reports on an empirical research study that was carried out in Malaysia to study customers’ preference for electronic banking and the factors which they considered influenced the adoption of electronic banking. Results based on the analysis of data relating to 300 respondents indicate that while there are no significant differences between the age and educational qualifications of the electronic and conventional banking users, some differences exist on other demographic variables. Analysis further reveals that accessibility of the Internet, awareness of e-banking, and customers’ reluctance to change are the factors that significantly affected the usage of e-banking in Malaysia. The paper discusses the implications of these. Limitations of the study are highlighted and further research directions are suggested.
Conference Paper
Understanding the relation between usability measures seems crucial to deepen our conception of usability and to select the right measures for usability studies. We present a meta-analysis of correlations among usability measures calculated from the raw data of 73 studies. Correlations are generally low: effectiveness measures (e.g., errors) and efficiency measures (e.g., time) have a correlation of .247 ± .059 (Pearson's product-moment correlation with 95% confidence interval), efficiency and satisfaction (e.g., preference) one of .196 ± .064, and effectiveness and satisfaction one of .164 ± .062. Changes in task complexity do not influence these correlations, but use of more complex measures attenuates them. Standard questionnaires for measuring satisfaction appear more reliable than homegrown ones. Measures of users' perceptions of phenomena are generally not correlated with objective measures of the phenomena. Implications for how to measure usability are drawn and common models of usability are criticized.
Article
This article classifies common Internet banking authentication methods regarding potential threats and their level of security against common credential stealing and channel breaking attacks, respectively. The authors present two challenge/response Internet banking authentication solutions, one based on short-time passwords and one certificate-based, and relate them to the taxonomy above. They further outline how these solutions can be easily extended for nonrepudiation (that is, transaction signing), should more sophisticated content manipulation attacks become a real problem. Finally, they summarize their view on future requirements for secure Internet banking authentication and conclude by referencing real-life implementations.
Article
For decades, the password has been the standard means for user authentication on computers. However, as users are required to remember more, longer, and changing passwords, it is evident that a more convenient and secure solution to user authentication is necessary. This paper examines passwords, security tokens, and biometrics, which we collectively call authenticators, and compares these authenticators and their combinations. We examine their effectiveness against several attacks and suitability for particular security specifications such as compromise detection and nonrepudiation. Examples of authenticator combinations and protocols are described to show tradeoffs and solutions that meet chosen, practical requirements. The paper endeavors to offer a comprehensive picture of user authentication solutions for the purposes of evaluating options for use and identifying deficiencies requiring further research.
Article
The importance of password security which is considered as an essential form of user authentication both on the Internet and for internal organizational computing systems is discussed. Password protection schemes are used to protect relatively low-sensitivity systems such as access to online archives as well as highly sensitive corporate intranets or personal bank accounts. The growth of e-commerce has led to a huge increase in the numbers of passwords required by individual users, very often duplicated over and over throughout the Web. In such an environment, a password, and all the accounts it provides access to, can no more be secure than the weakest system using that password.
Article
Usability and context are often more important than the absolute effectiveness of authentication. It's why the simple password refuses to die, reports William Knight
Article
How to measure usability is an important question in HCI research and user interface evaluation. We review current practice in measuring usability by categorizing and discussing usability measures from 180 studies published in core HCI journals and proceedings. The discussion distinguishes several problems with the measures, including whether they actually measure usability, if they cover usability broadly, how they are reasoned about, and if they meet recommendations on how to measure usability. In many studies, the choice of and reasoning about usability measures fall short of a valid and reliable account of usability as quality-in-use of the user interface being studied. Based on the review, we discuss challenges for studies of usability and for research into how to measure usability. The challenges are to distinguish and empirically compare subjective and objective measures of usability; to focus on developing and employing measures of learning and retention; to study long-term use and usability; to extend measures of satisfaction beyond post-use questionnaires; to validate and standardize the host of subjective satisfaction questionnaires used; to study correlations between usability measures as a means for validation; and to use both micro and macro tasks and corresponding measures of usability. In conclusion, we argue that increased attention to the problems identified and challenges discussed may strengthen studies of usability and usability research.
Article
Statements which have appeared in recent months about two-factor authentication are not just incorrect – they are irresponsible. Oversimplification of the October 2005 Federal Financial Institutions Examination Council (FFIEC) recommendations has recently led to sensational headlines. Another view needs to be voiced.
Article
The need for banks to secure online banking services using cheap, portable EMV-compliant smart card readers, in a bid to protect a lucrative banking channel, is discussed. Token-based random number generator systems, such as those available from RSA and Activcard, generate one-time registration passwords and are popular in Sweden. The long-term solution for online authentication is the use of portable EMV-compliant smart card readers that incorporate a challenge-response capability. Some service providers, such as Sweden's Post Girot, plan to develop this solution by expanding their public key infrastructure to include EMV-based web authentication.
Article
This chapter discusses the conduct of research to guide the development of more useful and usable computer systems. Experimental research in human-computer interaction involves varying the design or deployment of systems, observing the consequences, and inferring from observations what to do differently. For such research to be effective, it must be owned—instituted, trusted and heeded—by those who control the development of new systems. Thus, managers, marketers, systems engineers, project leaders, and designers as well as human factors specialists are important participants in behavioral human-computer interaction research. This chapter is intended as much for those with backgrounds in computer science, engineering, or management as for human factors researchers and cognitive systems designers. It is argued in this chapter that the special goals and difficulties of human-computer interaction research make it different from most psychological research as well as from traditional computer engineering research. The main goal, the improvement of complex, interacting human-computer systems, requires behavioral research but is not sufficiently served by the standard tools of experimental psychology such as factorial controlled experiments on pre-planned variables. The chapter contains about equal quantities of criticism of inappropriate general research methods, description of valuable methods, and prescription of specific useful techniques.
Article
This paper reports on a study investigating the strengths and weaknesses of questionnaires as software evaluation tools. Two major influences on the usefulness of questionnaire-based evaluation responses are examined: the administration of the questionnaire, and the background and experience of the respondent. Two questionnaires were administered to a large number of students in an introductory programming class. The questionnaires were also given to a group of more experienced users (including course proctors). Respondents were asked to evaluate the text editor used in the class along a number of dimensions; evaluation responses were solicited using a number of different question types. Another group of students received the questionnaire individually, with part of it presented on the computer; a third group also evaluated an enhanced version of the editor in follow-up sessions.
Article
This paper describes results of a usability study of contrasting user-interface designs for Internet Banking (eBanking). Two specific interface metaphors were compared in the first experiment, linear form filling and array editing interaction modes. Terminology in the interaction dialogue was compared in the second experiment, using typical banking language and a generic, plain language interface. This research aimed to perform usability evaluation and comparison of the alternative interface designs to illuminate the development of new eBanking services. This research involved sixty-one participants (Internet users and customers of the involved Bank) exploring the designs in controlled experiments involving hands-on experience. Banks are interested in ensuring their eBanking services are highly customer-centric and that the interface matches customer expectations in order to drive customers towards this lower cost channel. The results of the first experiment (N=32, where N indicates the number of participants in the cohort) concluded that the simple form-filling metaphor, taken from the traditional paper-based procedure, was generally more usable than a Spreadsheet metaphor. In the second experiment (N=29), it was found that although banking terminology was not completely understood across the cohort, the instructional language changes did not impact significantly on usability.
Article
The current Internet Banking (eBanking) marketplace is highly functionally convergent. Electronic statement (eStatement) functionality is an area of potential competitive advantage. This paper describes an experiment in which a group of bank customers (N = 182) undertook information retrieval tasks using three variants of eStatements functionality incorporated into a working eBanking prototype. The experiment examined how the eStatements service design could influence a customer’s desire to switch from paper statements to online delivery. Three different levels of functionality were assessed for usability and for their impact on the customer’s willingness to switch from paper to eStatements. The methodology of the experimental approach utilised in this research is described. The results provide detailed data to inform the interface design and business case for eStatements. Usability and propensity to switch away from paper were significantly correlated. The data confirm that provision of a functionally sophisticated search engine offers high usability perceptions and scope for significant levels of switching from paper to online statements with associated costs savings.
Article
Computer users are exposed to technology mainly through user interfaces. Most users' perceptions are based on their experience with these interfaces. HCI (human computer interaction) is concerned with these interfaces and how they can be improved. Considerable research has been conducted and major advances have been made in the area of HCI. Information security is becoming increasingly important and more complex as business is conducted electronically. However, state-of-the-art security-related product development has ignored general aspects of HCI. The objective of this paper is to promote and enable security awareness of end-users in their interaction with computer systems. It thus aims to consolidate and integrate the two fields of information security and HCI. HCI as a research discipline is a well developed field of study, and the authors are of the opinion that the use of security technologies can be significantly enhanced by employing proven HCI concepts in the design of these technologies. In order to achieve this, various criteria for a successful HCI in a security-specific environment will be examined. Part of the Windows XP Internet Connection Firewall will be used as a case study and analysed according to these criteria, and recommendations will be made.
Article
With an increasing range of potential threats, the use of security within end-user systems and applications is becoming ever more important. However, a significant obstacle to achieving this can be the usability of the security features that are offered, and although related functionality is now provided in a wide range of end-user applications, the users themselves will fail to benefit if they cannot make it work for them. This paper highlights the importance of enabling users to protect themselves, and identifies that they may currently encounter problems in terms of finding, understanding, and ultimately using the security features that are meant to be at their disposal. The security options within Microsoft Word are used to provide illustrative examples of typical problems, with consequent suggestions to improve both the presentation and guidance available to users within such applications.
Article
The Internet has the ability to function as a business medium. Over one-third of US residents use the Internet, and nearly 40% use it as a medium of business (electronic-commerce). As this percentage continues to grow, so does the need to understand why and how users choose to adopt. This information will afford researchers and e-commerce providers a better understanding of how to facilitate future adoption. Through the diffusion of innovations model, this study revisits traditional and current concepts of adoption by investigating the adoption of four e-commerce activities currently available to Internet users: (1) online shopping, (2) online banking, (3) online investing, and (4) electronic payment for an Internet service (i.e., access to exclusive sites). Results indicate that six attributes common to the diffusion model (i.e., perceived convenience and financial benefits, risk, previous use of the telephone for a similar purpose, self-efficacy, and Internet use) all play a significant role in the adoption processes. Results also indicate that when users decide to adopt one of these activities they tend to adopt another. Finally, a discussion explores how to extend the model identified in this study by assessing possible negative outcomes of diffusion.
Article
Computer security has traditionally been assessed from a technical point of view. Another way to assess it is by investigating the role played by legitimate users of systems in impairing the level of protection. In order to address this issue, we wish to adopt a multidisciplinary standpoint and investigate some of the human aspects involved in computer security. From research in psychology, it is known that people make biased decisions. They sometimes overlook rules in order to gain maximum benefits for the cost of a given action. This situation leads to insidious security lapses whereby the level of protection is traded-off against usability. In this paper, we highlight the cognitive processes underlying such security impairments. At the end of the paper, we propose a short usability-centred set of recommendations.
Article
In the modern multi-user computer environment, Internet-capable network servers provide connectivity that allows a large portion of the user population to access information at the desktop from sources around the world. Because of the ease with which information can be accessed, computer security breaches may occur unless systems and restricted information stored therein are kept secure. Breaches of security can have serious consequences, including theft of confidential corporate documents, compromise of intellectual property, unauthorized modification of systems and data, denial of service, and others. Considerable research has been conducted on threats to security.
Article
Organizations are more dependent than ever on the reliable operation of their information systems, which have become a key to their success and effectiveness. While the growing dependence on information systems creates an urgent need to collect information and make it accessible, the proliferation of computer technology has also spawned opportunities for ill-intentioned individuals to violate the information systems' integrity and validity. One of the most common control mechanisms for authenticating users of computerized information systems is the use of passwords. However, despite the widespread use of passwords, little attention has been given to the characteristics of their actual use. This paper addresses the gap in evaluating the characteristics of real-life passwords and presents the results of an empirical study on password usage. It investigates the core characteristics of user-generated passwords and associations among those characteristics.
Article
The Internet has been given tremendous publicity in recent years. However, most research focuses on Europe or America rather than on Asian countries. This study hopes to contribute to a better understanding of the Internet phenomenon in Asia by examining the factors influencing the adoption and nonadoption of the Internet among organizations in Singapore. A survey was carried out among business firms to examine the benefits of adopting the Internet, reasons for not adopting the Internet, and the criteria for selecting Internet access service providers. The results showed that key benefits are derived from the global nature of the Internet, which enables access to worldwide information and the creation of a worldwide electronic presence. Nonadopters of the Internet are concerned about whether staff will waste time surfing the Internet. Both access speed and technical support are viewed as important criteria in selecting an Internet access service provider (IASP). Implications of the results are discussed.
Article
Legislative mandates potentially replace CIOs' primary concerns of technology risk management with the possibility of serving jail time.
Article
The consequences of information system failure become more acute as organizations continue to invest in information technology and application development. Being able to better predict IS failure before implementation of a system could facilitate changes in the information system that can lead to implementation success. The realism of user expectations has been suggested as one possible means of assessing the eventual success or failure of an IS. Cognitive dissonance theory was used to hypothesize the behavior and attitudes of end users having certain expectations of a system. This experiment investigates the association between unrealistic expectations with both users' perceptions (i.e., user satisfaction) and their performance with the IS (i.e., decision performance). A longitudinal experiment was performed in which the expectations of the subjects were manipulated to be unrealistically high, realistically moderate, or unrealistically low. The results suggest an association between realism of users' expectations and their perceptions but not their actual performance. Future research should be directed toward the development of an instrument to measure user expectations, as well as toward understanding the causes of unrealistic user expectations.
Article
The Internet is gaining popularity as a delivery channel in the banking sector. At the same time, customer needs are changing. A total of 12 Internet banking operations in the UK are analysed under customer empowerment functions and Internet banking Web attributes. Internet banking renders location and time irrelevant, and empowers customers with greater control of their accounts. Banks achieve cost and efficiency gains in a large number of operational areas.
Article
Growing threats to online banking security (e.g. phishing, personal identity fraud) and the personal nature of the data make the balance between security, trust and usability vital. However, there is little published research about what influences users' perceptions of online banking security and trust. This study identifies that the type of authentication system used can affect users' subsequent perceived control, situational awareness and trust. The results from a questionnaire and in-depth interviews with 86 participants were triangulated to compare two different authentication processes, namely, a 'security box' (i.e. random system-generated passwords at the users' location) and 'fixed passwords' (i.e. user owned and constant). The security box and login procedures were perceived as significantly more trustworthy and secure at any location than 'fixed passwords'. Four main concepts were identified: "trust", "the authentication system", "location" and "control". The implications of these findings for HCI are discussed.
Article
The Trustworthy Interfaces for Passwords and Personal Information workshop brought security and user interface professionals together to determine ways to improve authentication methods so that users won't be tricked by phishers into giving away personal information. The authors consider some of the themes discussed at TIPPI, including the nature of the authentication problem, systems that might help solve it, and other observations on necessary components of secure systems designed for human users.
Article
This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.
FFIEC releases guidance on authentication in internet banking environment, press release Available from
  • Ffiec
FFIEC. FFIEC releases guidance on authentication in internet banking environment, press release. Available from: http:// www.ffiec.gov/press/pr101205.htm; 2005 (accessed 22.07.08).
Design for usability Security and usability. O'Reilly
  • B Tognazzini
Tognazzini B. Design for usability. In: Cranor, Garfinkel, editors. Security and usability. O'Reilly; 2005. p. 31–46 [chapter 3].
Human-computer interaction. Wokingham, UK: Addison-Wesley; 1994. Ranger S. Chip and PIN heads for cyberspace, silicon.com financial services news, CNET networks
  • Reilly J Preece
  • Rogers Y H Sharp
  • D Benyon
  • S Holland
  • Carey
O'Reilly; 2005. p. 221–42 [chapter 12]. Preece J, Rogers Y, Sharp H, Benyon D, Holland S, Carey T. Human-computer interaction. Wokingham, UK: Addison-Wesley; 1994. Ranger S. Chip and PIN heads for cyberspace, silicon.com financial services news, CNET networks, UK. Available from: http://www.silicon.com/financialservices/0,3800010322, 39152706,00.htm; 2005 (accessed 31.01.07).
Building security and trust in online banking. In: Extended abstracts on human factors in computing systems (CHI '05)
  • M Nilsson
  • A Adams
  • S Herd
Nilsson M, Adams A, Herd S. Building security and trust in online banking. In: Extended abstracts on human factors in computing systems (CHI '05). New York, NY: ACM Press; 2005. p. 1701–04.
The price of love. Infosecurity
  • W Knight
Knight W. The price of love. Infosecurity 2008;5(1):30–3.
Remote card authentication. Available from: http://www.apacs.org.uk/payments_industry/new_technology2.html
  • APACS
APACS. Remote card authentication. Available from: http://www.apacs.org.uk/payments_industry/new_technology2.html; 2008 (accessed 22.07.08).
Usability design and evaluation for privacy and security solutions. In: Security and usability. O'Reilly
  • CM Karat
  • C Brodie
  • J Karat
Karat CM, Brodie C, Karat J. Usability design and evaluation for privacy and security solutions. In: Cranor, Garfinkel, editors. Security and usability. O'Reilly; 2005. p. 47–74 [chapter 4].
The handbook of psychological testing. Routledge
  • P Kline
Kline P. The handbook of psychological testing. Routledge; 2000.
Research methods in human computer interaction. In: Handbook of human computer interaction. Amsterdam: North-Holland
  • TK Landauer
Landauer TK. Research methods in human computer interaction. In: Helander M, editor. Handbook of human computer interaction. Amsterdam: North-Holland; 1988. p. 905–28.
Chip and PIN heads for cyberspace. silicon.com financial services news, CNET Networks, UK
  • S Ranger
Ranger S. Chip and PIN heads for cyberspace. silicon.com financial services news, CNET Networks, UK. Available from: http://www.silicon.com/financialservices/0,3800010322,39152706,00.htm; 2005 (accessed 31.01.07).