Building an Authentication Infrastructure
Posted: 2 Aug 2022
Date Written: July 31, 2022
Abstract
The death of the password has been projected for decades, by a range of highly qualified experts. Yet passwords remain the dominant authentication technology. The dominance of passwords results in chronic vulnerability to social engineering. In this work we explore the reason for the lack of adoption of hardware security tokens that are considered best in class for authentication speed and security.
In this three-step evaluation we provided hardware tokens to students at Indiana University and then surveyed their reasons for use or non-use. These results aligned with previous work, indicating that the solutions hypothesized in that earlier work, which reported similar results, would be applicable here.
Following this we applied the Research Through Design (RtD) method (Zimmerman and Forlizzi, 2014 [32]; Zimmerman et al., 2007 [33]; Zimmerman et al., 2010 [34]) to design, prototype, and test a hardware security token based on previous work. We evaluated the prototype using the Wizard of Oz technique (Dahlbäck et al., 1993 [8]) during a pilot study of 7 participants. We found that the larger form factor and the ability to attach the device to the smartphone did not result in a lower perceived cost of use. We also found that the biometric sensor is generally perceived to be more secure. Based on these interviews we conclude that the drivers of lack of adoption go beyond form factor; specifically, lack of adoption is grounded in participants' perception of a low risk of account takeover. In addition, the ability to share authentication for mutual support and caregiving is identified as a strength of passwords.
We close with a discussion, based on the survey of the literature and the design changes recommended in previous works, arguing that design alone is inadequate for universal adoption of secure hardware authentication. We argue for integrating risk communication and, beyond this, for recognizing that sharing of passwords can be a social good. The ability to enroll multiple keys for one account enables shared account practices in family and household settings: sharing Netflix accounts, assisting less technical parents, and managing shared household resources. We predict that strictly technical solutions may be inadequate, and that awareness, risk communication, and communication about the relationship between one-time password (OTP) hardware and account management are critical. We suggest that zero trust architectures that undermine or conflict with social practices may face similar friction in consumer applications.
Keywords: 2FA, authentication, risk communication, usability
JEL Classification: D81, O33