Building an Authentication Infrastructure

Posted: 2 Aug 2022


Zitao Zhang

Indiana University Bloomington, School of Informatics and Computing, Students; Indiana University, School of Informatics, Computing & Engineering

Jacob Abbott

Indiana University Bloomington - School of Informatics, Computing, and Engineering

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing

Date Written: July 31, 2022

Abstract

The death of the password has been projected for decades, by a range of highly qualified experts. Yet passwords remain the dominant authentication technology. The dominance of passwords results in chronic vulnerability to social engineering. In this work we explore the reason for the lack of adoption of hardware security tokens that are considered best in class for authentication speed and security.

In this three-step evaluation we provided hardware tokens to students at Indiana University and then surveyed their reasons for use or non-use. These results aligned with previous work, indicating that the previously hypothesized solutions, which produced similar results, would be applicable.
Following this we applied the Research Through Design (RtD) method (Zimmerman and Forlizzi, 2014 [32]; Zimmerman et al., 2007 [33]; Zimmerman et al., 2010 [34]) to design, prototype, and test a hardware security token based on previous work. We evaluated the prototype using the Wizard of Oz technique (Dahlbäck et al., 1993 [8]) during a pilot study with 7 participants. We found that the larger form factor and the ability to attach the device to the smartphone did not result in a lower perceived cost of use or greater motivation to use it. We also found that the biometric sensor is generally perceived to be more secure. Based on these interviews we conclude that the drivers of non-adoption go beyond form factor; specifically, non-adoption is grounded in participants' perception of a low risk of account takeover. In addition, the ability to share authentication for mutual support and caregiving is identified as a strength of passwords.

We close with a discussion, based on the survey of the literature and the design changes recommended in previous works, arguing that design alone is inadequate for universal adoption of secure hardware authentication. We argue for integrating risk communication and, beyond this, for recognizing that sharing of passwords can be a social good. The ability to enroll multiple keys for one account enables shared account practices in family and household settings: sharing Netflix accounts, assisting less technical parents, and managing shared household resources. We predict that strictly technical solutions may be inadequate, and that awareness, risk communication, and communication about the relationship between one-time password (OTP) hardware and account management are critical. We suggest that zero trust architectures that undermine or conflict with social practices may face similar friction in consumer applications.

Keywords: 2FA, authentication, risk communication, usability

JEL Classification: D81, O33

Suggested Citation

Zhang, Zitao and Abbott, Jacob and Camp, L. Jean, Building an Authentication Infrastructure (July 31, 2022). Available at SSRN: https://ssrn.com/abstract=4177412

Zitao Zhang (Contact Author)

Indiana University Bloomington, School of Informatics and Computing, Students

Bloomington, IN
United States

Indiana University, School of Informatics, Computing & Engineering

United States

Jacob Abbott

Indiana University Bloomington - School of Informatics, Computing, and Engineering

Dept of Biology
100 South Indiana Ave.
Bloomington, IN 47405
United States

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing

901 E 10th St
Bloomington, IN 47401
United States
