Integrating a Usable Security Protocol into User Authentication Services Design Process PDF

410 Pages·2018·17.969 MB·English
Preview Integrating a Usable Security Protocol into User Authentication Services Design Process

Integrating a Usable Security Protocol into User Authentication Services Design Process
By Christina Braz, Ahmed Seffah, Bilal Naqvi

CRC Press, Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2019 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-1-138-57768-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Why this Book? (p. xi)
Acknowledgments (p. xv)

1 Usability and Security: Conflicts and Interdependencies (p. 1)
  1.1 Introduction (p. 1)
    1.1.1 The Interplay between Usability and Security as Key Quality Factors (p. 5)
    1.1.2 Background (p. 6)
      1.1.2.1 How Security Engineers Addressed Usability/HCI Concerns? (p. 6)
      1.1.2.2 The Lack of Deep Usability/HCI Studies on Security in the HCI Community (p. 7)
    1.1.3 Objectives and Practical Outcomes of Usable Security Research (p. 8)
    1.1.4 Assumptions and Hypotheses Concerning Usable Security Research (p. 10)
    1.1.5 Progress beyond the State-of-the-Art (p. 11)
      1.1.5.1 Service-Oriented and Model-Driven Engineering (p. 11)
      1.1.5.2 User-Experience-Driven Design (p. 13)
      1.1.5.3 Metrics-Based Usability and Security Evaluation (p. 15)
      1.1.5.4 Usable Secure Design Patterns and Pattern-Oriented Design (p. 18)

2 Panoramic Overview of User Authentication Techniques (p. 21)
  2.1 The Context of Authentication in Computer Security (p. 22)
  2.2 User Authentication Market (p. 23)
  2.3 User Authentication Use Cases (p. 26)
    2.3.1 Endpoint Access (p. 26)
    2.3.2 Workforce Local Access (p. 26)
    2.3.3 Workforce Remote Access (p. 26)
    2.3.4 External Users' Remote Access (p. 27)
  2.4 Elements of User Authentication (p. 27)
  2.5 Architectural Design Patterns in Authentication (p. 28)
  2.6 Authentication Factors (p. 29)
  2.7 User Authentication Methods (p. 32)
    2.7.1 Passwords and Personal Identification Numbers (PINs) (p. 32)
    2.7.2 Security Questions (p. 34)
    2.7.3 Authentication (Security) Tokens (p. 35)
      2.7.3.1 Disconnected Tokens (p. 36)
      2.7.3.2 Connected Tokens (p. 43)
    2.7.4 Digest Access Authentication (p. 45)
    2.7.5 Out-of-Band Authentication (OOBA) (p. 46)
    2.7.6 Risk-Based Authentication (RBA) (p. 48)
    2.7.7 Public Key Authentication (p. 48)
      2.7.7.1 Encryption (p. 51)
      2.7.7.2 Digital Signatures (p. 51)
    2.7.8 Single Sign-On (SSO) (p. 51)
    2.7.9 Biometrics (p. 52)
      2.7.9.1 How Does the Biometric Authentication Process Work? (p. 53)
      2.7.9.2 Unimodal and Multimodal Biometrics Systems (p. 55)
      2.7.9.3 Fingerprint Recognition (p. 57)
      2.7.9.4 Optical Recognition (p. 59)
      2.7.9.5 Facial Recognition (p. 59)
      2.7.9.6 Voice Recognition (p. 59)
      2.7.9.7 Signature Recognition (p. 60)
      2.7.9.8 Keystroke Recognition (p. 62)
      2.7.9.9 Advanced User Authentication Methods (p. 62)
    2.7.10 Kerberos (p. 67)

3 Usable Security Concerns Related to Authentication Methods (p. 69)
  3.1 Usability Concerns with Knowledge-Based Authentication (KBA) (p. 70)
    3.1.1 Passwords (p. 70)
    3.1.2 Security Questions (p. 73)
  3.2 Usability Concerns with Single Sign-On (p. 74)
  3.3 Usability Concerns with CAPTCHAs (p. 74)
  3.4 Usability Concerns with Public Key Authentication (p. 74)
  3.5 Usability Concerns with Advanced Biometrics (p. 76)
    3.5.1 GlanceID (p. 76)
    3.5.2 Usability Concerns with Biometrics (p. 78)
  3.6 Comparative Analysis of User Authentication Methods (p. 79)

4 Fundamentals of the Usable Security Protocol for User Authentication (p. 85)
  Summary (p. 85)
  4.1 Introduction (p. 85)
  4.2 The Goals, Operators, Methods, and Selection Rules (GOMS) Model (p. 86)
    4.2.1 GOMS: A Method for Cognitive Task Analysis (p. 87)
    4.2.2 How to Develop a GOMS Model (p. 89)
      4.2.2.1 Identify User's Goals (p. 89)
      4.2.2.2 Define Methods (p. 90)
      4.2.2.3 Define Operators (p. 90)
      4.2.2.4 Selection Rules (p. 91)
    4.2.3 Natural GOMS Language (NGOMSL) (p. 92)
      4.2.3.1 Cognitive Complexity Theory (p. 93)
      4.2.3.2 NGOMSL Steps Development Process (p. 95)
    4.2.4 Learning Time Predictions (p. 95)
    4.2.5 Execution Time Predictions (p. 97)
    4.2.6 NGOMSL Methodology (p. 97)
    4.2.7 GOMS Limitations (p. 98)
  4.3 Usability Evaluation Methods (p. 98)
    4.3.1 General Usability Principles ("Heuristics") for User Interface Design (p. 99)
    4.3.2 Cognitive Walkthrough (p. 102)
    4.3.3 GOMS Model (p. 103)
    4.3.4 Additional User Research and Usability Evaluation Methods (p. 105)
  4.4 Usable Security Principles and Guidelines (p. 106)
    4.4.1 Computer Security Design Principles (p. 107)
    4.4.2 Design Guidelines for Security Management Systems (p. 109)
    4.4.3 Guidelines and Strategies for Secure Interaction Design (p. 111)
    4.4.4 Design Principles and Patterns for Aligning Security and Usability (p. 112)
    4.4.5 Criteria for Security Software to Be Usable (p. 113)
    4.4.6 Additional Criteria for Security Software to Be Usable (p. 114)
    4.4.7 General Security Usability Principles (Identity Management) (p. 114)

5 The Usable Security Protocol Methodology: Define, Identify, and Develop (p. 117)
  Summary (p. 117)
  5.1 Methodology and Architecture (p. 117)
  5.2 Define the Mission and the Conceptual Design Objective (p. 120)
    5.2.1 Formalize a Usable Security Definition (p. 120)
    5.2.2 Define Task Scenario, Usability Scenario, and Security Scenario (p. 120)
      5.2.2.1 Types of Scenarios (p. 120)
    5.2.3 Identify Users and Working Contexts (p. 122)
  5.3 Identify the Most Representative User Authentication Methods Categories (p. 123)
    5.3.1 Understand the User Authentication Method (p. 123)
    5.3.2 Carry out a Classification Analysis (p. 123)
    5.3.3 Comparative Analysis of User Authentication Methods (p. 124)
    5.3.4 Select the Most Representative User Authentication Methods and Their Categories (p. 124)
  5.4 Develop the Natural GOMS Language (NGOMSL) (p. 124)
    5.4.1 Classify and Prioritize the Cognitive Processes Generated by the NGOMSL Model (p. 125)
      5.4.1.1 Standard Primitive External Operators (p. 125)
      5.4.1.2 Standard Primitive Mental Operators (p. 125)
      5.4.1.3 Analyst-Defined Mental Operators (p. 126)
    5.4.2 Understand the Total Execution Time and Total Learning Time (p. 127)
      5.4.2.1 The Total Execution Time (p. 127)
      5.4.2.2 The Total Learning Time (p. 128)
      5.4.2.3 Example of TET and TLT (p. 130)
    5.4.3 Calculate Total Execution Time and Total Learning Time for Tasks Scenarios (p. 132)
      5.4.3.1 TASK: Check Business Email (p. 132)
      5.4.3.2 TASK: Update the SecurID Token User Interface Specification (p. 136)
      5.4.3.3 TASK: Make an Electronic Funds Transfer (p. 142)
      5.4.3.4 TASK: Access a File on a Personal Laptop (p. 150)
    5.4.4 Time-Level Analysis of NGOMSL (p. 153)
  5.5 A Concluding Remark (p. 155)

6 The Usable Security Protocol Methodology: Assess and Generate (p. 157)
  6.1 Develop the Authentication Risk-Assessment Matrix (p. 157)
    6.1.1 Common Security Exploits Method (p. 165)
  6.2 Generate the Usable Security Principles (p. 172)
    6.2.1 Introduce Cognitive Ergonomics (p. 175)
      6.2.1.1 Methods (p. 177)
      6.2.1.2 The Cognitive Approach (p. 177)
    6.2.2 Identify and Explain the Main Cognitive Areas of Focus Relating to User Authentication (p. 178)
      6.2.2.1 Perception (p. 178)
      6.2.2.2 Memory (p. 179)
      6.2.2.3 Storage (p. 180)
      6.2.2.4 Information Retrieval (p. 184)
      6.2.2.5 Password Memorability Issues (p. 186)
      6.2.2.6 Mental Models (p. 189)
    6.2.3 Develop the Cognitive Model of User Authentication (CMUA) (p. 191)
      6.2.3.1 Why Use a Cognitive Architecture? (p. 191)
      6.2.3.2 GLEAN3 (GOMS Language Evaluation and Analysis) (p. 192)
      6.2.3.3 SOAR (State Operator and Result) Cognitive Architecture (p. 193)
      6.2.3.4 Cognitive Model of User Authentication (CMUA) Cognitive Architecture (p. 195)
    6.2.4 Define the Usable Security Principles and Develop a Cross-Cognitive Analysis (p. 200)

7 The Usable Security Protocol Methodology: Formulate (p. 205)
  7.1 Formulate the Usable Security Symmetry (p. 205)
    7.1.1 Security as a Usability Characteristic (p. 206)
    7.1.2 Usability Factors and Usability Criteria Mapping (p. 208)
      7.1.2.1 User Authentication Use Cases (p. 210)
      7.1.2.2 Demonstrating the Usable Security Symmetry Inspection Method using a Multifunction Teller Machine (p. 210)
      7.1.2.3 The Usable Security Symmetry Inspection Method (p. 224)
  7.2 Conclusion (p. 287)

8 The Usable Security Protocol Methodology: Demonstrate (p. 291)
  8.1 Introduction (p. 291)
    8.1.1 The Demonstration of One-Time Password Authentication (p. 292)
      8.1.1.1 Wireless Local Area Network (WLAN) (p. 292)
      8.1.1.2 Hardware Token With OTP Functionality (p. 293)
      8.1.1.3 Personal Identification Number (PIN) (p. 294)
      8.1.1.4 Tokencode (p. 295)
    8.1.2 How the OTP Demonstration Works (p. 295)
    8.1.3 One-Time Password Usability Testing (p. 299)
      8.1.3.1 Terms and Definitions (p. 299)
      8.1.3.2 Objectives of the OTP Usability Testing (p. 300)
      8.1.3.3 Testing Tools (p. 301)
      8.1.3.4 Testing Session (p. 301)
      8.1.3.5 Testing Methods: Participant Tasks (p. 301)
    8.1.4 Data Results (p. 302)
    8.1.5 Findings Summary (p. 303)
  8.2 One-Time Password Usability Issues: Discussion (p. 303)
    8.2.1 Convenient Form Factor (p. 303)
