Elsevier

Computers & Security

Volume 19, Issue 6, 1 October 2000, Pages 529-539

Authentication and Supervision: A Survey of User Attitudes

https://doi.org/10.1016/S0167-4048(00)06027-2

Abstract

User authentication is a vital element in ensuring the secure operation of IT systems. In the vast majority of cases, this role is fulfilled by the password, but evidence suggests that this approach is easily compromised. Whilst many alternatives exist, particularly in the form of biometric methods, questions remain over the likely user acceptance. This paper presents the results of a survey that examines user attitudes towards a range of authentication and supervision techniques. It is concluded that whilst there is still an element of reluctance amongst users to depart from the familiar password based mechanisms, many are convinced of the need for improved authentication controls. The acceptability to users of various new techniques is variable, but many seem willing to consider a range of alternative methods.

Introduction

User authentication is widely accepted to represent an essential first line of defence in the security of Information Technology (IT) systems. All but the most trivial systems, therefore, require some form of authentication in order to verify that a claimed user identity is indeed correct. There are three main approaches to user authentication: something the user knows (e.g. password or PIN), something the user has (e.g. a card or other token) and something the user is (e.g. a biometric characteristic) [1]. By far the most commonly used means of authentication in IT systems is the password. Passwords are conceptually simple for both system designers and end users, and can provide effective protection if they are used correctly. However, the protection provided is often compromised by users themselves. Typical problems include forgetting passwords, writing them down, sharing them with other people and selecting easily guessed words.

If the password approach is to be replaced or supplemented, then alternative means of authentication are clearly required. However, when considering such alternatives, a number of factors can be cited that may complicate their adoption:

  • Effectiveness (i.e. the ability to detect impostors, whilst allowing legitimate access).

  • Cost (i.e. financial overheads of deployment).

  • User acceptance (i.e. the friendliness and transparency of the measure).

Of these, the issue of user acceptance is possibly the most difficult to assess, as it represents a highly subjective measure. This paper presents the results from a survey that set out to assess public attitudes to various forms of user authentication and, thereby, determine whether acceptable alternatives to the password could be identified. The discussion begins by summarising the potential problems with existing password approaches and then proceeds to consider the alternatives that are offered by various classes of biometric method. Details of the survey itself are then presented, leading into an analysis of the results obtained.

Section snippets

The Problems With Passwords

The password approach has a number of shortcomings, which can undermine the effectiveness of the approach [2]. Indeed, passwords can often be considered a mere hindrance to a determined hacker and can easily be bypassed by relatively inexperienced individuals using tools freely available on the Internet.

Several studies have been carried out over the last 20 years looking at the ease with which passwords can be determined. In 1979, 86% of the 3829 passwords gathered could be guessed by a PC in

An Overview of Biometric Authentication Approaches

Whereas the password approach relies upon something the user knows, biometric authentication is based upon something the user is. This has the advantage that it is less straightforward for the user to be impersonated or to compromise protection themselves (e.g. they cannot share, write down or forget a biometric characteristic). Methods of biometric authentication fall into two distinct categories, namely physiological and behavioural characteristics [8].

Physiological biometrics represent those

A Survey of Attitudes Towards Authentication Technologies

In order to determine the acceptability of user authentication and supervision techniques, a survey was conducted to assess the attitudes and awareness of the general public. The survey aimed to assess the following issues:

  • Public attitudes towards different forms of user authentication.

  • The attitudes towards the concept of continuous monitoring.

The survey questionnaire consisted of 53 main questions, the majority of which were multiple choice, with the remainder requiring short written

General

The vast majority (80%) of the survey respondents were male. In terms of age, 74% of the respondents were below 35, indicating that the vast majority of the responses were likely to be from people who had ‘grown up’ with IT to some extent. The overall breakdown of respondents by age group is given in Table 2.

In terms of employment background, a high number of responses were received from the technology fields (with 103 out of the 175 responses claiming to be from the computing, communications

Discussion

The results clearly demonstrate the shortcomings of password-based authentication, as well as the fact that, in spite of these, it remains the dominant form of user authentication. However, the fact that the respondents have shown a willingness to use alternative authentication techniques can be considered to be encouraging. It should be noted, however, that in the majority of cases, it is unlikely that the respondents had actually used the techniques that they were being asked to comment upon.

Conclusions

The survey has shown that, although demonstrably weak, the password remains the most popular form of authentication in the minds of users. However, a number of other methods emerged as possible contenders and it is possible that practical experience of using them, combined with improved awareness of the vulnerabilities of passwords, would increase their perceived acceptability as alternatives.

Another conclusion that can be drawn from the survey results is that the use of continuous supervision

References (17)

  • Wood, H.M. 1977. “The use of passwords for controlled access to computer resources”, NBS Special Publications, US Dept....
  • Jobusch, D.L. and Oldehoeft, A.E. 1989. “A Survey of Password Mechanisms: Part 1”, Computers & Security, Vol. 8, No. 7:...
  • Morris, R. and Thompson, K. 1979. “Password Security: A Case History”, Communications of the ACM, Vol. 22, No. 11:...
  • Klein, D. 1990. “A survey of, and improvements to, password security”, Proceedings of the USENIX Second Security...
  • Spafford, E.H., 1992, “Opus: Preventing Weak Password Choices”, Computers and Security, Vol. 11, No. 3:...
  • Heskett, B. 1998. “A new windows password cracker”, Cnet News.com, 13th February 1998,...
  • Cherry, A., Henderson, M.W., Nickless, W.K., Olson, R. and Rackow, G. 1992. “Pass or Fail: A New Test for Password...
  • Sherman, R. 1992. “Biometrics Futures”, Computers & Security, vol. 11, no. 2:...
There are more references available in the full text version of this article.

Cited by (73)

  • Passive- and not active-risk tendencies predict cyber security behavior

    2020, Computers and Security
    Citation Excerpt :

    One of the most commonly used means of authentication is the password. However, to protect one's identity and prevent hacking and the exposure of personal information, a password must be strong and nontrivial (Furnell et al., 2000). Being told that a password is weak and choosing to forego the opportunity to strengthen that vulnerable password is an example of taking or accepting passive risk.

  • Evaluation of user authentication methods in the gadget-free world

    2017, Pervasive and Mobile Computing
    Citation Excerpt :

    However, previous surveys on authentication methods are many times focused on some single technology such as mouse or keyboard dynamics [19,20], EEG measurements [21] or smart cards [22]. Other surveys tend to focus on user attitudes such as in [23] and [24]. More broader studies still have either completely different focus [25,26] or are not as broad in scope [27] as our survey.

  • Authentication in mobile cloud computing: A survey

    2016, Journal of Network and Computer Applications
    Citation Excerpt :

    In this research, the security issues as one of the important concerns in MCC are considered, and some proposed solutions are reviewed. The user authentication is highly important to protect networks from different security threats (Furnell et al., 2000, 2008; Clarke and Furnell, 2007; Simmons, 1988; Weiwei et al., 2011). Successful adoption of MCC highly necessitates robust and effective authentication solutions by which users can utilize the cloud-based services for their mobile devices anytime, anywhere, from any mobile device with low computing cost on the native resources.

  • A broad review on non-intrusive active user authentication in biometrics

    2023, Journal of Ambient Intelligence and Humanized Computing