Abstract
Two-factor authentication provides a significant improvement over the security of traditional password-based authentication by requiring users to provide an additional authentication factor, e.g., a code generated by a security token. In this decade, single password authentication (SPA) schemes have been introduced to overcome the challenges of traditional password authentication, which is vulnerable to offline dictionary, phishing, honeypot, and man-in-the-middle attacks. Unlike classical password-based authentication systems, in SPA schemes the user is required to remember only a single password (and a username) for all her accounts, while the password is protected against the aforementioned attacks in a provably secure manner.
In this paper, for the first time, we implement the state-of-the-art mobile-based SPA system of Acar et al. (2013) as a prototype and assess its usability in a lab environment where we compare it against two-factor authentication (where, in both cases, in addition to the password, the user needs access to her mobile device). Our study shows that mobile-based SPA is as easy as, but less intimidating and more secure than two-factor authentication, making it a better alternative for online banking type deployments. Based on our study, we conclude with deployment recommendations and further usability study suggestions.
D. İşler—Work done at Koç University.
Notes
1. The only previous work on mobile SPA usability compared the SPHINX mobile-based SPA system against password managers [28]; hence their work is complementary and not directly comparable to ours.
2. Although deciding how many participants are needed for a user study remains an open question, [15] argues that even 20 users can be enough to find the usability problems with confidence.
3. A desktop computer running 64-bit Windows 8 on an Intel Core i7-3770 3.4 GHz CPU with 16 GB RAM.
4. A Samsung Galaxy J1 with Android version 4.4.4.
5. Google Authenticator Android app. https://goo.gl/Q4LU7k.
6. Note that the list of tasks was not given to the participants; instead, the instructions were provided on the web pages and mobile applications that we created (see, for example, Fig. 2(d)). The users simply followed those instructions.
7. One with at least eight characters containing at least one of each category: lower case letters, upper case letters, numerical characters, and special characters.
8. 2FA does not protect the user password against dictionary attacks when the password database is compromised. Therefore, such an attacker may impersonate the user on other websites that do not employ 2FA. Such offline dictionary and impersonation attacks are prevented by SPA systems.
9.
10. [25] argues that parametric statistics can be used with Likert data without reaching the wrong conclusion.
References
1. European Union General Data Protection Regulation 2016/679 (GDPR) (2016)
2. Turkish Personal Data Protection Law no. 6698 (KVKK) (2016)
3. Turkish Personal Data Deletion and Anonymization Regulation no. 30224 (2017)
4. Acar, T., Belenkiy, M., Küpçü, A.: Single password authentication. Comput. Netw. 57(13), 2597–2614 (2013)
5. Allen, I.E., Seaman, C.A.: Likert scales and data analyses. Qual. Prog. 40(7), 64–65 (2007)
6. Behnke, K.C., Andrew, O.: Creating programs to help Latino youth thrive at school: the influence of Latino parent involvement programs. J. Extension 49(1), 1–11 (2011)
7. Belenkiy, M., Acar, T., Morales, H., Küpçü, A.: Securing passwords against dictionary attacks. US Patent 9,015,489 (2015)
8. Bicakci, K., Atalay, N.B., Yuceel, M., van Oorschot, P.C.: Exploration and field study of a browser-based password manager using icon-based passwords. In: RLCPS (2011)
9. Bicakci, K., Yuceel, M., Erdeniz, B., Gurbaslar, H., Atalay, N.B.: Graphical passwords as browser extension: implementation and usability study. In: Ferrari, E., Li, N., Bertino, E., Karabulut, Y. (eds.) IFIPTM 2009. IAICT, vol. 300, pp. 15–29. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02056-8_2
10. Bicchierai, L.F.: Another day, another hack: 117 million LinkedIn emails and passwords (2016). https://bit.ly/2Nq1b9M
11. Bicchierai, L.F.: Hacker tries to sell 427 million stolen MySpace passwords for $2,800 (2016). https://bit.ly/2GBnu9S
12. Brainard, J., Juels, A., Rivest, R.L., Szydlo, M., Yung, M.: Fourth-factor authentication: somebody you know. In: ACM CCS (2006)
13. Chiasson, S., van Oorschot, P.C., Biddle, R.: A usability study and critique of two password managers. In: USENIX Security Symposium (2006)
14. De Cristofaro, E., Du, H., Freudiger, J., Norcie, G.: A comparative usability study of two-factor authentication. In: NDSS USEC (2014)
15. Faulkner, L.: Beyond the five-user assumption: benefits of increased sample sizes in usability testing. Behav. Res. Meth. Instrum. Comput. 35(3), 379–383 (2003)
16. Florencio, D., Herley, C.: A large-scale study of web password habits. In: ACM WWW (2007)
17. Gunson, N., Marshall, D., Morton, H., Jack, M.: User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking. Comput. Secur. 30(4), 208–220 (2011)
18. İşler, D., Küpçü, A.: Threshold single password authentication. In: ESORICS DPM (2017)
19. İşler, D., Küpçü, A.: Distributed single password protocol framework. Cryptology ePrint Archive, Report 2018/976 (2018). https://eprint.iacr.org/2018/976
20. Jarecki, S., Krawczyk, H., Shirvanian, M., Saxena, N.: Device-enhanced password protocols with optimal online-offline protection. In: ACM ASIACCS (2016)
21. Karapanos, N., Marforio, C., Soriente, C., Capkun, S.: Sound-Proof: usable two-factor authentication based on ambient sound. In: USENIX Security Symposium (2015)
22. Karole, A., Saxena, N., Christin, N.: A comparative usability evaluation of traditional password managers. In: ICISC (2010)
23. Lang, J., Czeskis, A., Balfanz, D., Schilder, M., Srinivas, S.: Security keys: practical cryptographic second factors for the modern web. In: FC (2016)
24. McCarney, D., Barrera, D., Clark, J., Chiasson, S., van Oorschot, P.C.: Tapas: design, implementation, and usability evaluation of a password manager. In: ACM ACSAC (2012)
25. Norman, G.: Likert scales, levels of measurement and the "laws" of statistics. Adv. Health Sci. Educ. Theory Pract. 15(5), 625–632 (2010)
26. Reynolds, J., Smith, T., Reese, K., Dickinson, L., Ruoti, S., Seamons, K.: A tale of two studies: the best and worst of YubiKey usability. In: IEEE S&P (2018)
27. Shirvanian, M., Jarecki, S., Saxena, N., Nathan, N.: Two-factor authentication resilient to server compromise using mix-bandwidth devices. In: NDSS (2014)
28. Shirvanian, M., Jarecki, S., Krawczyk, H., Saxena, N.: SPHINX: a password store that perfectly hides passwords from itself. In: IEEE ICDCS (2017)
29. Smith, S.: Digital banking users to reach 2 billion this year, representing nearly 40% of global adult population (2018). https://bit.ly/2GPRhdE
30. Srinivas, S., Balfanz, D., Tiffany, E., Czeskis, A.: Universal 2nd Factor (U2F) overview. FIDO Alliance Proposed Standard (2015)
31. Stobert, E., Biddle, R.: The password life cycle: user behaviour in managing passwords. In: ACM SOUPS (2014)
32. Stobert, E., Biddle, R.: The password life cycle. ACM TOPS (2018)
33. Sun, H.-M., Chen, Y.-H., Lin, Y.-H.: oPass: a user authentication protocol resistant to password stealing and password reuse attacks. IEEE TIFS (2012)
34. Taheri-Boshrooyeh, S., Küpçü, A.: Inonymous: anonymous invitation-based system. In: ESORICS DPM (2017)
35. Ur, B., et al.: "I added '!' at the end to make it secure": observing password creation in the lab. In: USENIX SOUPS (2015)
36. Venkatesh, V., Morris, M.G., Davis, G.B., Davis, F.D.: User acceptance of information technology: toward a unified view. MIS Q. 27, 425–478 (2003)
37. Zviran, M., Haga, W.J.: A comparison of password techniques for multilevel authentication mechanisms. Comput. J. 36, 227–237 (1993)
Acknowledgements
We thank İlker Kadir Öztürk and Arjen Kılıç for their efforts on implementation. This work has been supported in part by TÜBİTAK (the Scientific and Technological Research Council of Turkey) under the project number 115E766, by the Royal Society of UK Newton Advanced Fellowship NA140464, by ERC Advanced Grant ERC-2015-AdG-IMPaCT, and by the FWO under an Odysseus project GOH9718N.
A Mobile-Based Single Password Authentication Scheme of Acar et al. [4]
We briefly present the mobile-based SPA solution of Acar et al. [4] here for completeness. In their mobile-based SPA there are three parties: a user holding a password pwd, a trusted mobile device of the user, and a server with which the user wishes to register. The protocol is roughly as follows:
Registration:
1. The user:
   - generates a Message Authentication Code (MAC) key K.
   - sends the key K and her username UID to the server.
   - encrypts the MAC key K, where the encryption key is derived from the hash of her password H(pwd), as \(ctext \leftarrow Encrypt(H(pwd),K)\). [Remark: The user also sends an identifier together with the ciphertext.]
2. The trusted mobile device stores the ciphertext ctext.
3. The server stores the username UID and the MAC key K.
Authentication:
1. The user sends her username UID to the server.
2. The server generates a random challenge chal and sends it to the mobile device. [Remark: The server can send the challenge in various ways, such as via SMS or via a QR code that the user scans with her mobile device.]
3. The user types her single password on the mobile device.
4. The trusted mobile device:
   - decrypts the ciphertext and retrieves the MAC key K as \(K \leftarrow Decrypt(H(pwd),ctext)\).
   - generates a MAC resp as the response to the challenge chal using the retrieved key K as \(resp \leftarrow MAC(K,chal)\). [Remark: To resist man-in-the-middle attacks, as [19] notes, the preferable usage is \(resp \leftarrow MAC(K,chal \,||\, domain)\).]
   - applies a trimming function Trim to the generated response resp to obtain a short one-time code/password \(resp'\) as \(resp' \leftarrow Trim(resp)\).
5. The user types the short one-time code \(resp'\) on the user machine, which sends it to the server.
6. The server checks whether \(resp'\) was generated from a valid MAC of the challenge chal under the user's MAC key K stored in its database, i.e., \(Trim(MAC(K,chal)) \overset{?}{=} resp'\).
7. The server informs the user whether the login attempt is successful or not.
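The registration and authentication steps above, as an added Python example that is not the paper's or the authors' code. The paper does not fix the primitives, so this example assumes H is SHA-256, Encrypt/Decrypt is an HMAC-SHA256 keystream XOR under a random nonce (a stand-in for a real cipher), MAC is HMAC-SHA256 with the domain-bound variant from [19], Trim is HOTP-style truncation to a 6-digit code, and the identifier sent with the ciphertext is the username UID.

```python
import hashlib
import hmac
import secrets

# Assumed primitives (not fixed by the paper): H = SHA-256; Encrypt/Decrypt = HMAC-SHA256
# keystream XOR under a random nonce (stand-in for a real cipher); MAC = HMAC-SHA256;
# Trim = HOTP-style dynamic truncation to a 6-digit code.
NONCE_LEN, DIGITS = 16, 6

def H(pwd: str) -> bytes:
    return hashlib.sha256(pwd.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(key: bytes, ctext: bytes) -> bytes:
    nonce, body = ctext[:NONCE_LEN], ctext[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def mac_response(K: bytes, chal: bytes, domain: str) -> bytes:
    # Binding the challenge to the domain, as [19] recommends: a response computed
    # for a phishing domain does not verify at the legitimate server.
    return hmac.new(K, chal + b"|" + domain.encode(), hashlib.sha256).digest()

def trim(resp: bytes) -> str:
    offset = resp[-1] & 0x0F
    code = int.from_bytes(resp[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"

def register(pwd: str, uid: str, server_db: dict, mobile_store: dict) -> None:
    K = secrets.token_bytes(32)             # MAC key generated on the user side
    server_db[uid] = K                      # server stores (UID, K); it never sees pwd
    mobile_store[uid] = encrypt(H(pwd), K)  # mobile stores ctext under identifier uid

def mobile_respond(pwd: str, uid: str, chal: bytes, domain: str, mobile_store: dict) -> str:
    K = decrypt(H(pwd), mobile_store[uid])  # a wrong pwd silently yields a wrong K
    return trim(mac_response(K, chal, domain))

def server_verify(uid: str, chal: bytes, domain: str, code: str, server_db: dict) -> bool:
    expected = trim(mac_response(server_db[uid], chal, domain))
    return hmac.compare_digest(expected, code)
```

Because the server holds only K and the mobile device holds only ctext, neither party alone can run an offline dictionary attack on pwd; a wrong password produces a wrong K and therefore a code the server rejects, with no oracle that distinguishes this from any other failed login.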
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
İşler, D., Küpçü, A., Coskun, A. (2019). User Perceptions of Security and Usability of Mobile-Based Single Password Authentication and Two-Factor Authentication. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2019. Lecture Notes in Computer Science, vol 11737. Springer, Cham. https://doi.org/10.1007/978-3-030-31500-9_7
DOI: https://doi.org/10.1007/978-3-030-31500-9_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31499-6
Online ISBN: 978-3-030-31500-9