How can we make computer security systems usable by human users? Computer security demands that we establish the identity of human users who access individual computers and online services. Conversely, human users need to be able to authenticate the identity of online services reached over a computer network.
This dissertation presents highly usable solutions for both the problems of human-computer authentication and computer-human authentication. The dissertation begins by presenting an overview of the usability and security problem. It explores the issues of human authentication by presenting a system called Deja Vu that uses graphical passwords to authenticate human users. It presents the results of a usability experiment that compares graphical passwords to traditional passwords.
Next, the dissertation considers the problem of phishing, the use of bogus websites that appear to be legitimate websites associated with financial institutions or other organizations to collect personal information. It presents the results of an empirical study that examines which attack strategies are successful and what proportion of users they fool.
Next, the dissertation presents a system called Dynamic Security Skins (DSS) that effectively allows online services to authenticate to human users, and vice versa. It presents an analysis and usability study of DSS.
Finally, the dissertation concludes with a discussion of open problems in the area of usability and security.
Authentication for humans: the design and evaluation of usable security systems