Exploring the Discoverability of Personal Data Used for Authentication

  • Conference paper
  • Book: Advances in Human Factors in Cybersecurity (AHFE 2017)
  • Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 593)

Abstract

The antinomic proposition of usable system authentication, an easily remembered and usable scheme for the proper user which is simultaneously unknown and unusable to any other entity, historically proves to be an elusive goal. While alternative propositions for authentication protocols are numerous, lacking in the literature is foundational work directly relating potential authenticators with the discoverability of personal data online. This work presents a brief but foundational analysis of authentication and the connection between the authentication protocols and the inevitability of the introduction of personal data to the protocol to improve usability, particularly with regard to password-based authentication. We investigate the discoverability, particularly whether another human, unacquainted with a specific individual, is able to purposefully find particular personal data commonly used in authentication protocols. In the study, five participants were asked to search for specific personal data regarding a sixth participant. Analysis of the results reveals consistent patterns in the personal data discovered by users. Analysis of discovered data lays a foundation for the improvement of current authentication systems as well as providing a proof of concept for the methodology and application recommendations to guide the creation of password alternatives with a goal towards the creation of usable, secure authentication systems.

Author information

Correspondence to Kirsten E. Richards.

Copyright information

© 2018 Springer International Publishing AG

About this paper

Cite this paper

Richards, K.E., Norcio, A.F. (2018). Exploring the Discoverability of Personal Data Used for Authentication. In: Nicholson, D. (eds) Advances in Human Factors in Cybersecurity. AHFE 2017. Advances in Intelligent Systems and Computing, vol 593. Springer, Cham. https://doi.org/10.1007/978-3-319-60585-2_11

  • DOI: https://doi.org/10.1007/978-3-319-60585-2_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60584-5

  • Online ISBN: 978-3-319-60585-2

  • eBook Packages: Engineering, Engineering (R0)
