
User Perceptions of Security and Usability of Mobile-Based Single Password Authentication and Two-Factor Authentication

Conference paper, in: Data Privacy Management, Cryptocurrencies and Blockchain Technology (DPM 2019, CBT 2019)

Abstract

Two-factor authentication provides a significant improvement over the security of traditional password-based authentication by requiring users to provide an additional authentication factor, e.g., a code generated by a security token. In this decade, single password authentication (SPA) schemes have been introduced to overcome the challenges of traditional password authentication, which is vulnerable to offline dictionary, phishing, honeypot, and man-in-the-middle attacks. Unlike classical password-based authentication systems, in SPA schemes the user is required to remember only a single password (and a username) for all her accounts, while the password is protected against the aforementioned attacks in a provably secure manner.

In this paper, for the first time, we implement the state-of-the-art mobile-based SPA system of Acar et al. (2013) as a prototype and assess its usability in a lab environment where we compare it against two-factor authentication (where, in both cases, in addition to the password, the user needs access to her mobile device). Our study shows that mobile-based SPA is as easy as, but less intimidating and more secure than two-factor authentication, making it a better alternative for online banking type deployments. Based on our study, we conclude with deployment recommendations and further usability study suggestions.

D. İşler—Work done at Koç University.


Notes

  1. The only previous work on mobile SPA usability compared the SPHINX mobile-based SPA system against password managers [28]; hence that work is complementary and not directly comparable.

  2. Although there is no firm rule for how many participants a user study needs, [15] argues that 20 users can be enough to find the usability problems with confidence.

  3. A desktop computer running 64-bit Windows 8 on an Intel Core i7-3770 3.4 GHz CPU with 16 GB RAM.

  4. A Samsung Galaxy J1 with Android version 4.4.4.

  5. Google Authenticator Android app. https://goo.gl/Q4LU7k.

  6. Note that the list of tasks was not given to the participants; instead, the instructions were shown on the web pages and mobile applications that we created (see, for example, Fig. 2(d)). The users simply followed those instructions.

  7. One with at least eight characters containing at least one of each category: lower case letter, upper case letter, numerical character, and special character.

  8. 2FA does not protect the user password against dictionary attacks when the password database is compromised. Therefore, such an attacker may impersonate the user on other websites that do not employ 2FA. Such offline dictionary and impersonation attacks are prevented by SPA systems.

  9. We intentionally used a 4-point Likert scale as it allows accounting for exact responses [5, 6].

  10. [25] argues that parametric statistics can be used with Likert data without reaching wrong conclusions.

References

  1. European Union General Data Protection Regulation 2016/679 (GDPR) (2016)

  2. Turkish Personal Data Protection Law no. 6698 (KVKK) (2016)

  3. Turkish Personal Data Deletion and Anonymization Regulation no. 30224 (2017)

  4. Acar, T., Belenkiy, M., Küpçü, A.: Single password authentication. Comput. Netw. 57(13), 2597–2614 (2013)

  5. Allen, I.E., Seaman, C.A.: Likert scales and data analyses. Qual. Prog. 40(7), 64–65 (2007)

  6. Behnke, K.C., Andrew, O.: Creating programs to help Latino youth thrive at school: the influence of Latino parent involvement programs. J. Extension 49(1), 1–11 (2011)

  7. Belenkiy, M., Acar, T., Morales, H., Küpçü, A.: Securing passwords against dictionary attacks. US Patent 9,015,489 (2015)

  8. Bicakci, K., Atalay, N.B., Yuceel, M., van Oorschot, P.C.: Exploration and field study of a browser-based password manager using icon-based passwords. In: RLCPS (2011)

  9. Bicakci, K., Yuceel, M., Erdeniz, B., Gurbaslar, H., Atalay, N.B.: Graphical passwords as browser extension: implementation and usability study. In: Ferrari, E., Li, N., Bertino, E., Karabulut, Y. (eds.) IFIPTM 2009. IAICT, vol. 300, pp. 15–29. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02056-8_2

  10. Bicchierai, L.F.: Another day, another hack: 117 million LinkedIn emails and passwords (2016). https://bit.ly/2Nq1b9M

  11. Bicchierai, L.F.: Hacker tries to sell 427 million stolen MySpace passwords for $2,800 (2016). https://bit.ly/2GBnu9S

  12. Brainard, J., Juels, A., Rivest, R.L., Szydlo, M., Yung, M.: Fourth-factor authentication: somebody you know. In: ACM CCS (2006)

  13. Chiasson, S., van Oorschot, P.C., Biddle, R.: A usability study and critique of two password managers. In: USENIX Security Symposium (2006)

  14. De Cristofaro, E., Du, H., Freudiger, J., Norcie, G.: A comparative usability study of two-factor authentication. In: NDSS USEC (2014)

  15. Faulkner, L.: Beyond the five-user assumption: benefits of increased sample sizes in usability testing. Behav. Res. Meth. Instrum. Comput. 35(3), 379–383 (2003)

  16. Florencio, D., Herley, C.: A large-scale study of web password habits. In: ACM WWW (2007)

  17. Gunson, N., Marshall, D., Morton, H., Jack, M.: User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking. Comput. Secur. 30(4), 208–220 (2011)

  18. İşler, D., Küpçü, A.: Threshold single password authentication. In: ESORICS DPM (2017)

  19. İşler, D., Küpçü, A.: Distributed single password protocol framework. Cryptology ePrint Archive, Report 2018/976 (2018). https://eprint.iacr.org/2018/976

  20. Jarecki, S., Krawczyk, H., Shirvanian, M., Saxena, N.: Device-enhanced password protocols with optimal online-offline protection. In: ACM ASIACCS (2016)

  21. Karapanos, N., Marforio, C., Soriente, C., Capkun, S.: Sound-Proof: usable two-factor authentication based on ambient sound. In: USENIX Security (2015)

  22. Karole, A., Saxena, N., Christin, N.: A comparative usability evaluation of traditional password managers. In: ICISC (2010)

  23. Lang, J., Czeskis, A., Balfanz, D., Schilder, M., Srinivas, S.: Security keys: practical cryptographic second factors for the modern web. In: FC (2016)

  24. McCarney, D., Barrera, D., Clark, J., Chiasson, S., van Oorschot, P.C.: Tapas: design, implementation, and usability evaluation of a password manager. In: ACSAC, ACM (2012)

  25. Norman, G.: Likert scales, levels of measurement and the “laws” of statistics. Adv. Health Sci. Educ. Theory Pract. 15(5), 625–632 (2010)

  26. Reynolds, J., Smith, T., Reese, K., Dickinson, L., Ruoti, S., Seamons, K.: A tale of two studies: the best and worst of YubiKey usability. In: IEEE S&P (2018)

  27. Shirvanian, M., Jarecki, S., Saxena, N., Nathan, N.: Two-factor authentication resilient to server compromise using mix-bandwidth devices. In: NDSS (2014)

  28. Shirvanian, M., Jarecki, S., Krawczyk, H., Saxena, N.: SPHINX: a password store that perfectly hides passwords from itself. In: IEEE ICDCS (2017)

  29. Smith, S.: Digital banking users to reach 2 billion this year, representing nearly 40% of global adult population (2018). https://bit.ly/2GPRhdE

  30. Srinivas, S., Balfanz, D., Tiffany, E., Czeskis, A.: Universal 2nd Factor (U2F) overview. FIDO Alliance Proposed Standard (2015)

  31. Stobert, E., Biddle, R.: The password life cycle: user behaviour in managing passwords. In: ACM SOUPS (2014)

  32. Stobert, E., Biddle, R.: The password life cycle. ACM TOPS (2018)

  33. Sun, H.-M., Chen, Y.-H., Lin, Y.-H.: oPass: a user authentication protocol resistant to password stealing and password reuse attacks. IEEE TIFS (2012)

  34. Taheri-Boshrooyeh, S., Küpçü, A.: Inonymous: anonymous invitation-based system. In: ESORICS DPM (2017)

  35. Ur, B., et al.: I added ’!’ at the end to make it secure: observing password creation in the lab. In: USENIX SOUPS (2015)

  36. Venkatesh, V., Morris, M.G., Davis, G.B., Davis, F.D.: User acceptance of information technology: toward a unified view. MIS Q. 27, 425–478 (2003)

  37. Zviran, M., Haga, W.J.: A comparison of password techniques for multilevel authentication mechanisms. Comput. J. 36, 227–237 (1993)

Acknowledgements

We thank İlker Kadir Öztürk and Arjen Kılıç for their efforts on implementation. This work has been supported in part by TÜBİTAK (the Scientific and Technological Research Council of Turkey) under the project number 115E766, by the Royal Society of UK Newton Advanced Fellowship NA140464, by ERC Advanced Grant ERC-2015-AdG-IMPaCT, and by the FWO under an Odysseus project GOH9718N.

Author information

Corresponding author: Devriş İşler.

A Mobile-Based Single Password Authentication Scheme of Acar et al. [4]

We briefly present the mobile-based SPA solution of Acar et al. [4] here for completeness. In their scheme there are three parties: a user holding a password pwd, a trusted mobile device of the user, and a server with which the user wishes to register. The protocol is roughly as follows:

Registration:

  1. The user:

    • generates a Message Authentication Code (MAC) key K.

    • sends the key K and her username UID to the server.

    • encrypts the MAC key K, where the encryption key is derived from the hash of her password H(pwd), as \(ctext\leftarrow Encrypt(H(pwd),K)\). [Remark: The user also sends an identifier along with the ciphertext.]

  2. The trusted mobile device stores the ciphertext ctext.

  3. The server stores the username UID and the MAC key K.

Authentication:

  1. The user sends her username UID to the server.

  2. The server generates a random challenge chal and sends it to the mobile device. [Remark: The server can send the challenge in various ways, such as via SMS, or via a QR code that the user scans with her mobile device.]

  3. The user types her single password on the mobile device.

  4. The trusted mobile device:

    • decrypts the ciphertext and retrieves the MAC key K as \(K\leftarrow Decrypt(H(pwd),ctext)\).

    • generates a MAC resp as a response to the challenge chal using the retrieved key K as \(resp \leftarrow MAC(K,chal)\). [Remark: To resist man-in-the-middle attacks, as [19] notes, the preferable usage is \(resp \leftarrow MAC(K,chal || domain)\).]

    • applies a trimming function Trim to the generated response resp to obtain a short one-time code/password \(resp'\) as \(resp' \leftarrow Trim(resp)\).

  5. The user types the short one-time code \(resp'\) on the user machine, which sends it to the server.

  6. The server checks whether \(resp'\) was derived from a valid MAC of the challenge chal under the user's MAC key K stored in its database, i.e., \(Trim(MAC(K,chal)) \stackrel{?}{=} resp'\).

  7. The server informs the user whether the login attempt was successful.
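The registration and authentication flow above, written out as a runnable example (added here, not code from the paper or from the authors' prototype). It uses the domain-bound variant \(MAC(K, chal || domain)\) from [19]. Assumptions not fixed by the paper: Encrypt/Decrypt is a stand-in authenticated wrapping of K built from SHA-256 and HMAC (a real deployment would use AES-GCM or similar), Trim yields a 6-digit code from the first four bytes of the MAC, and the domain string is constructed.

```python
import hashlib
import hmac
import os

DOMAIN = b"bank.example"  # constructed sample domain, bound into the MAC per [19]


def H(pwd: str) -> bytes:
    # H(pwd): hash of the single password; used only on the mobile device
    return hashlib.sha256(pwd.encode()).digest()


def encrypt(key: bytes, msg: bytes) -> bytes:
    # Assumed Encrypt(): nonce || (msg XOR keystream) || HMAC tag.
    # Placeholder for a real authenticated cipher such as AES-GCM.
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()      # 32-byte keystream for a 32-byte K
    body = bytes(m ^ s for m, s in zip(msg, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, ctext: bytes) -> bytes:
    nonce, body, tag = ctext[:16], ctext[16:-32], ctext[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered ciphertext")
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(b ^ s for b, s in zip(body, stream))


def trim(resp: bytes) -> str:
    # Assumed Trim(): 6-digit one-time code from the first 4 bytes of the MAC
    return f"{int.from_bytes(resp[:4], 'big') % 10**6:06d}"


def register(uid: str, pwd: str):
    """Registration: returns (server record, ciphertext kept on the mobile device)."""
    K = os.urandom(32)                  # MAC key K generated by the user
    server_db = {uid: K}                # server stores UID and K, never pwd
    ctext = encrypt(H(pwd), K)          # mobile stores only ctext
    return server_db, ctext


def mobile_respond(ctext: bytes, pwd: str, chal: bytes) -> str:
    # Mobile device: recover K from pwd, MAC the domain-bound challenge, trim
    K = decrypt(H(pwd), ctext)
    return trim(hmac.new(K, chal + DOMAIN, hashlib.sha256).digest())


def server_verify(server_db: dict, uid: str, chal: bytes, code: str) -> bool:
    # Server: recompute Trim(MAC(K, chal || domain)) and compare in constant time
    expected = trim(hmac.new(server_db[uid], chal + DOMAIN, hashlib.sha256).digest())
    return hmac.compare_digest(expected, code)
```

With the paper's unauthenticated Encrypt, a wrong password would instead yield a wrong K and the server would reject the code; in either variant the password itself never leaves the device.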


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

İşler, D., Küpçü, A., Coskun, A. (2019). User Perceptions of Security and Usability of Mobile-Based Single Password Authentication and Two-Factor Authentication. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2019. Lecture Notes in Computer Science, vol 11737. Springer, Cham. https://doi.org/10.1007/978-3-030-31500-9_7

  • DOI: https://doi.org/10.1007/978-3-030-31500-9_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-31499-6

  • Online ISBN: 978-3-030-31500-9
