Security and usability need not be mutually exclusive. Yet research indicates user acceptance of security systems is not a given and has become a major issue in terms of efficiency versus security. We will be analyzing how enhanced information security controls affect users and the usability of systems. The focus will be on three controls that are common across large organizations: secure tokens, biometrics, and the use of complex passwords.
As information security controls provide more protections and enhancements for securing data, the trade-off is always that user functionality is impeded in the process. Consequently, we look to the research for answers and innovative best practices.
In our research, we will address the question of whether there are adverse effects on usability when additional, stringent information security controls are implemented, and how these effects can be prevented or lessened, since security controls are a necessity for protecting organizations against unauthorized access. We know that in many instances additional security controls, namely password complexity, biometrics, and secure tokens, have a large effect on usability.
This question is important because, as the world becomes more reliant on the Internet and devices are connected globally, we need to understand how to maximize the protection of our assets without diluting usability. By understanding how these controls affect usability, we hope this knowledge can be factored into development processes to minimize the impact. Recognizing the correlation between information security and usability will also help in designing systems that balance the two during implementation.
To address these questions, we will be utilizing scholarly articles found on the Internet to understand password complexity, biometrics, and secure tokens. We will also interview information security engineers to understand their strategies for securing an organization’s information system while trying to maintain usability. The pitfall we anticipate is that the usability factor has not been regarded as a critical component when deciding on information security controls.
“Although poor security usability represents a significant vulnerability, a literature search on risk analysis and usability revealed no publication where this is explicitly mentioned” (Josang et al., 2007, p. 9). It is vital to the success of security control implementation that usability is considered. If a user is affected negatively, they are more likely to circumvent the controls or not utilize the system altogether. “The design and the development of a secure software system require the inclusion of yet another important requirement: usability” (Flechais et al., 2007, p. 1).
When designing a security system or control, there are many factors that must be taken into consideration. “Security and usability elements can’t be sprinkled on a product like magic pixie dust. We must incorporate both goals throughout the design process” (Yee, 2004, p. 48). “There have been a number of attempts to define usability: The International Standard Organization (ISO) defines it as the extent to which a product can be used by the specified user to achieve specific goals…” (Kainda, 2010, p. 2).
We will be discussing three main security controls that affect usability: password complexity, biometrics, and secure tokens. “Passwords are the first line of defense against attacks to a computer system. The rules for password choice can certainly be a cumbersome problem for a user and a security problem for a system” (Braz & Robert, 2006, p. 2). Password complexity is a requirement because attackers can crack weak passwords within seconds, depending on their complexity; the trade-off is that usability declines as the password complexity requirements become more stringent. “Secure tokens are also small cards used to provide authentication through a log-on challenge…” (Schultz et al., 2001, p. 626).
Secure tokens allow for secure logins because they form part of a two-factor authentication process. Usability suffers because users have only a few seconds to enter a code, and the token device is often lost. The last control is biometrics, which is probably the most secure means of user authentication. “Users cannot pass their biometric characteristics to other users as easily as they do with their cards or passwords” (Matyas & Riha, 2002, p. 230).
Although it is the most secure means of authentication, it is also one of the most difficult to implement because of individual issues with biometrics; for instance, users may have retinal damage, which defeats retinal scanners, and sweaty hands can cause problems with fingerprint readers.
Typically, in information security there is a seesaw effect between security and usability. “It is a view of some that improving one affects the other in a negative way” (Kainda et al., 2010, p. 1). It is a balancing act for the information security team to implement security controls that keep the company safe while also minimizing the impact of those controls on usability. “Usability can be defined as the extent to which a product can be used by specified users to achieve specified goals” (Braz & Robert, 2006, p. 2). Careful consideration must be given, when deciding which security controls to implement, to their negative effects on usability.
In 2012, researcher and famed password cracker Jeremi Gosney demonstrated a machine that tried all 6.63 quadrillion possible combinations of an eight-character password in five-and-a-half hours (Leyden, 2012). For a twenty-character password, however, Gosney’s machine would potentially take up to 9,277,379,140 years to crack a single password (Kaneesha, 2018). Today, hackers with less benign intentions than Jeremi Gosney cause substantial damage to various organizations, companies, and individuals.
With the global average cost for a company to contain a data breach approaching $4 million in 2017, companies are forced to adopt more stringent, sophisticated, and diverse measures to protect themselves and ensure high levels of data security (Kernighan, 2017).
While a twenty-character password, with each character chosen from 95 possible uppercase letters, lowercase letters, numbers, and symbols, would certainly stifle hackers, customers would likely also be deterred by the difficulty of remembering such a long password. A company’s customers and internal users express similar frustration over the growing need to change passwords frequently, never reuse a password, and never use the same password for different applications or websites, as current best practice requires (O’Gorman, 2008).
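The figures above (95 symbols, 6.63 quadrillion eight-character combinations, five-and-a-half hours) follow from a simple brute-force cost model. The script below is an added example, not part of the original paper; it derives the guess rate implied by the 2012 figure and applies it to other lengths and alphabets, showing why length matters more than the size of the symbol set. The rate and the 365.25-day year are assumptions for the calculation.

```python
import math

ALPHABET_PRINTABLE = 95   # uppercase, lowercase, digits and printable symbols
ALPHABET_LOWERCASE = 26   # lowercase letters only
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet=ALPHABET_PRINTABLE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def implied_rate(length, hours, alphabet=ALPHABET_PRINTABLE):
    """Guesses per second needed to exhaust the keyspace in `hours`."""
    return keyspace(length, alphabet) / (hours * 3600)


# Rate implied by the cited 2012 result: all 8-character passwords in 5.5 h.
RATE_2012 = implied_rate(8, 5.5)


def seconds_to_exhaust(length, rate, alphabet=ALPHABET_PRINTABLE):
    """Worst-case time to try every password of the given length."""
    return keyspace(length, alphabet) / rate


def years_to_exhaust(length, rate, alphabet=ALPHABET_PRINTABLE):
    return seconds_to_exhaust(length, rate, alphabet) / SECONDS_PER_YEAR


def equivalent_lowercase_length(length, alphabet=ALPHABET_PRINTABLE):
    """Shortest lowercase-only password whose keyspace is at least as large
    as a `length`-character password drawn from the full alphabet."""
    return math.ceil(length * math.log(alphabet) / math.log(ALPHABET_LOWERCASE))


def crack_time_table(lengths, rate=RATE_2012):
    """Map each length to worst-case years at the given guess rate."""
    return {n: years_to_exhaust(n, rate) for n in lengths}


if __name__ == "__main__":
    print(f"implied 2012 rate: {RATE_2012:.3e} guesses/s")
    for n, years in crack_time_table([8, 10, 12, 14]).items():
        print(f"{n:2d} printable chars: {years:.3e} years")
    n = equivalent_lowercase_length(8)
    print(f"a {n}-char lowercase password already beats 8 printable chars")
```

The table grows by a factor of 95 per added character, which is the whole case for length over mandatory symbol classes: a twelve-letter lowercase passphrase already has a larger keyspace than an eight-character password drawn from all 95 printable symbols, and is far easier to remember.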
The approach to the development of complex security controls and protocols that guard against hacking has to be balanced with the need to ensure such controls do not inconvenience users to the point of rendering the information technology unused and unusable.
The use of longer, more complex passwords proved to be no match for the growing sophistication and digital technologies of hackers who can “guess” any combination of characters and symbols (Kernighan, 2017). Almost from the beginning, industry experts doubted the effectiveness of an approach that tries to keep one step ahead of hackers who seemingly cannot be beaten at their own game (Kernighan, 2017). As such, technology evolved to meet this new challenge. Password manager software such as Dashlane, LastPass, and KeePass allows safekeeping of all passwords in a secure, encrypted database protected by a single master password (Kaneesha, 2018).
Another popular method used to protect information is to change passwords more frequently. The central idea is that narrowing the time window in which hackers can try alternative combinations of letters, numbers, and symbols reduces their probability of success, as many of the tools favored by hackers require prolonged periods of time to work (O’Gorman, 2008). At the same time, servers holding all passwords can be attacked by hackers, which means that all personal information needed for authentication can be stolen (Kernighan, 2017). The more frequently passwords are changed, the less likely it is that compromised passwords will still be valid. However, experts are not unanimous regarding the effectiveness of this approach.
Along with concerns regarding the efficacy of the password security measures discussed above, there is the question of usability (Kernighan, 2017). Extremely long and complex passwords introduce additional difficulties for users who simply want to access the information system quickly when they need it. The need to create ever more complex passwords and alter them more frequently has been shown to increase the level of user dissatisfaction (Kernighan, 2017). This perceived lack of user-friendliness affects individuals with poor computer literacy to a greater degree.
Fortunately, information security experts have devised other approaches to thwart hackers without deterring users. Beyond the traditional combination of user ID and password, other options include Single Sign-On (SSO) and Multi-Factor Authentication (MFA), which uses hardware to authenticate the identity of the person accessing the system (Kaneesha, 2018).
Experts assume the use of several tools at the same time (Carpenter, n.d.) to mitigate the ever-growing risks, since passwords alone no longer suffice when it comes to protecting the most vulnerable data (Carpenter, n.d.). SSO and MFA are gaining traction as a means to augment, rather than replace, password protection. Undoubtedly for users, this approach is a welcome alternative to twenty-plus-character passwords that must be changed monthly and differentiated for each system application. To be sure, SSO and MFA will not replace passwords; they only decrease the need to implement exceedingly complex password protocols that frustrate users and hinder productivity because information cannot be accessed efficiently (Carpenter, n.d.).
Another type of information security control, distinct from biometrics and complex passwords, is the security token. “A security token is a portable device that authenticates a person’s identity electronically by storing some sort of personal information” (Investopedia, 2016). Examples of these devices include USB tokens that plug into USB ports, electronic key fob tokens, and wireless Bluetooth tokens. More broadly, these tokens can be classified as contactless hardware tokens with pre-installed secret keys, reprogrammable near field communication (NFC) tokens, and U2F tokens (Roberts, 2018).
These tokens serve as a second factor in two-factor authentication in many situations, since logging in requires both the security token and some other security control. This can lead to better security for the organization that adopts security tokens as a standard process. But where does the line between usability and security fall with tokens? Are there situations where tokens are a risk to security or become troublesome for users? We will go over some of the benefits and risks that security tokens, specifically mobile devices, may present in an organization to weigh the usability-versus-security factor.
Many types of security tokens have been used by different companies over the years. Some have come in USB form, or as a standalone device that stores a key or password that changes periodically. These types of security tokens caused usability frustration in the past because they required users to carry additional devices beyond what they would normally carry outside of work. Over the years, a popular way of providing a security token has been through a mobile device, such as a smartphone. This has worked well in some situations because most people use smartphones today.
RSA Security has been using a token called RSA SecurID for its end users since the 1980s. Employees would use a PIN plus the SecurID’s temporary password to log in to their systems. RSA has since shifted to a mobile device offering, RSA Mobile, that has replaced the SecurID. “With RSA Mobile, users still set and are responsible for their PIN. Also, they receive a random access code via an SMS message on their already-existing, already-in-use mobile phones, rather than on an RSA SecurID token” (RSA Security uses phones as a security token, 2002). This method could be more convenient for users because the phone they already carry serves as the security token, instead of carrying an RSA SecurID token in addition.
Another company that utilizes mobile phones as security tokens is Wenger Corporation. Its head of information security, Jason Price, discussed the advantages and disadvantages that using employees’ mobile devices had for the company’s security and usability. “Before mobile security tokens were implemented into our login processes, unauthorized access was high and out of control. Now that we have implemented the security token, our risky access breaches have stayed at bay” (Jason Price, October 10, 2018).
Jason explained that there is, however, some risk in using mobile devices. “The sending of SMS codes can be compromised during authentication” (Jason Price, October 10, 2018). He mentioned that these occurrences would be rare and carry a much lower probability of a breach than the authentication processes that were in place before. When asked about the inconveniences of the security token for usability, Jason stated that the only problems experienced arise when an employee forgets their phone at home.
This is another rare circumstance that occurs only once in a great while. For Wenger Corporation, the security-versus-usability trade-off has been a vast improvement since the decision to implement security tokens.
Security tokens appear to be a fairly easy way to create a two-factor, or multi-factor, authentication system, especially when using a mobile device. There are multiple cases where this type of security control can easily be used on a user’s mobile device, which removes much of the inconvenience from the process. The fact that multi-factor authentication helps reduce unauthorized access explains why this security control serves as a good solution for both users and security.
Biometric Security Controls
“Biometric security systems can be broken down into two sub-categories, physiologically based and those with behavioral components” (Schultz et al., 2001, p. 625). An important reason why biometrics impedes usability is that it goes against one of Kerckhoffs’s security principles. According to Kerckhoffs, “a system must be easy to use and must neither require stress of mind nor the knowledge of a long series of rules” (Josang et al., 2007, p. 269).
One information security control that has a strong effect on users and usability is biometrics. Biometrics is the use of measurements of human characteristics for access control; this can include fingerprints, retina scanners, and facial recognition. “Biometrics characteristics are (or rather should be) unique and not duplicable or transferable” (Matyas & Riha, 2002, p. 228). Why is biometric authentication appealing to corporations and businesses? One advantage is that “Users cannot pass their biometric characteristics to other users as easily as they do with their cards or passwords” (Matyas & Riha, 2002, p. 230).
This allows companies to truly authenticate a user and verify that they are who they say they are. “Most biometric techniques are based on something that cannot be lost or forgotten” (Matyas & Riha, 2002, p. 231). Since biometrics is based on human characteristics like fingerprints and retinal patterns, it is something that a user will, in most cases, have access to at any given time.
There are many advantages to utilizing biometric authentication, but there are also many problems that could cause usability to fall if it is not done correctly. A security engineer said, “Fingerprint biometrics are difficult to get right, usability depends on how well the measurements are done, and capabilities of the hardware” (K. Avooske, personal communication, October 9, 2018). One reason why biometrics affects users is that not every individual can use a given biometric system. A server data center, for instance, may have fingerprint readers that cannot be used by a person with no hands, or retinal scanners that cannot be used by visually impaired people.
These situations will either prevent the user from authenticating or cause the additional hassle of finding a different way to authenticate. Another disadvantage is that some users will find its use intrusive to their personal beliefs or space. “In some countries, people do not like to touch something that has already been touched…people do not like to be photographed, or their faces are completely covered” (Matyas & Riha, 2002, p. 232).
Generally, biometric authentication is paired with another type of authentication (e.g., PIN, password, or token); this is called two-factor authentication. “The redundancy of the authentication augments the security level, but at the same time diminishes the user experience” (Braz & Robert, 2006, p. 4). Typically, biometric systems have a high failure rate and are difficult to set up properly. Troubleshooting issues inherent to these systems can be cumbersome and time-consuming. “Physiological systems have historically tended to be expensive, obtrusive, and low in user acceptance” (Schultz et al., 2001, p. 625).
When deciding on an information security control, it is important to understand the technical support required to utilize it. Biometric systems require very expensive hardware and software, technical staff to troubleshoot issues, and users who are technical enough to understand how to use the control. “Designing a system that appropriately accommodates these differing levels of aptitude and training is vital if the countermeasures are to be dependable” (Flechais et al., 2007, p. 1). If users are not knowledgeable enough to use the system, they will either get frustrated or find ways to circumvent the control.
The idea behind MFA is the use of several different means to verify an individual’s identity in order to grant the needed access to software, systems, and data. To authenticate individuals, the system analyzes key personal facts that only a particular user would be able to supply, such as what they are, where they are, and what they have (Carpenter, n.d.). By requiring some piece of information, a clue, that only the genuine person knows, system access is gained in a less random fashion.
That is, it cannot be gamed by guessing or stealing a code. An obvious advantage of the MFA approach is the enhanced level of security achieved through the combination of unique attributes that only one person can possess (Sabella et al., 2018).
Although nothing can guarantee one hundred percent secure access, for the ultimate in multi-faceted information system login security, the traditional password supported by a security token and biometric data is very difficult to fake, and the location feature helps to ensure that a person accesses the system from known places and from the country in which the user is registered. Yet it is important to note that specialists emphasize the use of all tactics in concert, the role of each being equally important, to maximize effectiveness (O’Gorman, 2008).
The concept of single sign-on (SSO) is arguably the most passive approach to login security and is probably considered the most user-friendly of the methods discussed so far. With SSO, the individual user carries out a master sign-on at the beginning of their working period to authenticate themselves (Sabella et al., 2018). If there is a need to use another application or database, SSO grants the additional access to the same user without requiring another unique password, or even re-entry of the master sign-on and password, in most cases (Cross, 2014).
SSO collects and stores all access details and credentials for the system, which eliminates the need for users to create and remember so many passwords, and thereby reduces keystrokes, saves time, and improves productivity (Cross, 2014). With the growing popularity of web-based applications, software as a service, ERP systems, SharePoint, and the like, single sign-on is a popular feature. However, with such ease of use comes an obvious drawback: the master sign-on and password must be foolproof.
Most companies today rely on login ID and password alone to secure access to their systems and data. Increasingly long and complex passwords are often thought to be the only line of defense against hackers. Yet we may now have reached a point of diminishing returns, given the public’s desire for user-friendly access to technology and the unintended results of putting too many obstacles in the way of the people you want to use the information system for fear of allowing access to those you don’t (Sabella et al., 2018).
To solve this conundrum, one must recognize that, in time, hackers will ultimately prevail, no matter how long the password, how complex, or how often it is altered. That is why experts in the field recommend utilizing more than one defense mechanism, such as MFA encompassing tokens, passwords, and facial recognition, along with SSO, in order to create a digital environment that is both highly secure and highly user-friendly.
For instance, facial recognition might be required at the start of the workday, followed by SSO access to all systems from the master sign-on and password (Drinkwater, 2018). Changes in location will be monitored by the system and will trigger an additional verification procedure that might demand a token or another element of MFA to prove identity before SSO access to all databases or other software continues.
According to a 2012 Global Security Report by Trustwave, the most commonly used password by global businesses is “Password1” (Cobb, 2012). This may not come as too big a surprise, yet the information security office should take note of the risk it poses. The knee-jerk reaction may be to mandate tougher password protocols; rather, the combined, multi-stage approach described above offers the most promise when the goal is to balance security with usability (Carpenter, n.d.).
The main complaint about passwords is that they cannot provide a decent level of protection for confidential information. There are many examples showing that passwords are easy to steal. Imgur’s online image upload, storage, and sharing service suffered a compromise of user passwords due to weak security protocols; the leak affected 1.7 million accounts (Menard, Bott, & Crossler, 2017). Another complaint about passwords is the need to remember a vast number of combinations of letters, numbers, and symbols. Limiting the number of passwords by using one or two for all websites is also not an option; it only increases the risk of compromise.
Tokens, both software and hardware, provide a decent level of security because they require the presence of an additional element when logging in. Tokens do not connect to the network but generate one-time passwords based on a “seed record” synchronized with the central server.
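The “seed record” mechanism just described is how time-based one-time-password tokens work: the token and the server share a secret seed at enrollment, and each side independently derives the current code from that seed and the current time, so the token never needs a network connection. The following is an added example, not code from the paper or from any vendor named in it; it assumes the token follows the standard HOTP/TOTP construction (RFC 4226 and RFC 6238), which the paper does not name, and uses the published RFC test seed as a constructed sample. The server-side check also shows the usability caveat mentioned earlier, the short window in which a code is valid.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample seed (the RFC 4226 test-vector secret), shared by the
# token and the server at enrollment. Real seeds are random per token.
SHARED_SEED = b"12345678901234567890"
TIME_STEP = 30      # seconds each code stays valid on the token
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(seed, int(at_time // step), digits)


def token_display(at_time: float) -> str:
    """What the (offline) token shows the user at this moment."""
    return totp(SHARED_SEED, at_time)


def server_verify(submitted: str, at_time: float, window: int = 1) -> bool:
    """Server-side check against its copy of the seed.

    Accepts the current step plus `window` steps either side to tolerate
    clock drift and slow typing; compares in constant time. A code from
    outside that window (for example one captured and replayed later) fails.
    """
    counter = int(at_time // TIME_STEP)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(SHARED_SEED, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = token_display(now)
    print("token shows:", code)
    print("accepted immediately:", server_verify(code, now))
    print("accepted 2 minutes later (replay):", server_verify(code, now + 120))
```

Two design points matter for the security-versus-usability balance discussed in this section. The acceptance window is the only knob: widening it reduces the “only a few seconds to enter the code” frustration, but every extra step also extends how long a captured code can be replayed. And because the same seed sits on the server, the server’s seed store must be protected as carefully as a password database; a compromised seed record is equivalent to a cloned token.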
One of the leading companies producing tokens is Tokenize, whose office is located in New York. Tokenize offers synchronization across a full range of devices and operations that help both with credit card purchases and with unlocking computers. Despite the advantages, the introduction of tokens is a serious challenge for businesses. First of all, there is the cost of introducing tokens in the enterprise, since every employee needs a device. Also, the presence of the device is a prerequisite whenever a user wants to log in to the system.
Biometrics uses data such as fingerprints or face scans to authenticate. This method became very popular among users after Apple implemented Touch ID and Face ID in its devices. What distinguishes biometrics from other authorization methods is that it is based on identifying the user as a person. For example, fingerprints cannot be stolen or hacked in the way other authentication methods can. Biometrics also offers a more enjoyable user experience, allowing users to log in much faster and more conveniently. Currently, many leading companies offer a biometric solution for authentication.
For example, Microsoft Hello has fingerprint and face recognition features for desktop users (Akhtar et al., 2018). However, biometrics also has disadvantages. Many modern biometric systems still have problems with recognition accuracy and are also quite expensive. Biometrics is vulnerable to the actions of criminals: recent research conducted by Japanese experts has shown that some biometric data can be faked using high-resolution photos.
One alternative method of protection is to authenticate using the phone (dual authentication). This category includes several authentication methods that might quickly become mainstream solutions: mobile tokens, SMS authentication, and applications that support push notifications. When a user sends a request to the server, he or she instantly receives a notification containing either a prompt to confirm their identity or simply a notice that a login occurred. The main advantage of this method is pleasant usability, as there is no need to type one-time passwords or to always carry a separate device.
To maintain appropriate security standards for the protection of company assets, employees, and ordinary users, businesses should think seriously about implementing more secure authentication systems.
Each of the presented methods has its pros and cons regarding usability, but combining and synthesizing systems can help prevent theft of information resources. It seems most reasonable that the best line of defense is to use a cell phone app for random tokenization together with a password for dual authentication. For better protection, this can be combined with a fingerprint and an access card for entry to sensitive hardware areas such as server rooms. A perfect authentication method may be invented in the future, but so far we have the alternatives described.
Akhtar, Z., Hadid, A., Nixon, M., Tistarelli, M., Dugelay, J. L., & Marcel, S. (2018). Biometrics: In search of identity and security (Q & A). IEEE MultiMedia.
Braz, C., & Robert, J. (2006). Security and usability. Proceedings of the 18th International Conference of the Association Francophone d’Interaction Homme-Machine – IHM ’06, 1-6. Web.
Carpenter, J. (n.d.). Multi-factor authentication and single sign-on explained. Web.
Cobb, M. (2012). Password security best practices: Change passwords to passphrases. ComputerWeekly.com. Web.
Cross, J. (2014). Internet security: How to maintain privacy on the Internet and protect your money in today’s digital world. New York, NY: CreateSpace Independent Publishing Platform.
Drinkwater, D. (2018). What is single sign-on? How SSO improves security and the user experience. CSO. Web.
Flechais, I., Mascolo, C., & Sasse, M. A. (2007). Integrating security and usability into the requirements and design process. International Journal of Electronic Security and Digital Forensics,1(1), 1-10. Web.
Investopedia. (2016). Security Token. Web.
Jøsang, A., Alfayyadh, B., Grandison, T., Alzomai, M., & Mcnamara, J. (2007). Security Usability Principles for Vulnerability Analysis and Risk Assessment. Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007),1-11. Web.
Kainda, R., Fléchais, I., & Roscoe, A. (2010). Security and Usability: Analysis and Evaluation. 2010 International Conference on Availability, Reliability and Security,1-8. Web.
Kaneesha, D. (2018). Security best practices – part 1: Passwords. Web.
Kernighan, B. (2017). Understanding the digital world: What you need to know about computers, the Internet, privacy, and security. Princeton, NJ: Princeton University Press.
Leyden, J. (2012). GPU stuffed monster cracks Windows passwords in minutes. Web.
Matyáš, V., & Říha, Z. (2002). Biometric authentication – Security and usability. In B. Jerman-Blažič, & T. Klobučar (Eds.), Advanced communications and multimedia security (pp. 227-240). Boston, MA: Springer.
Menard, P., Bott, G. J., & Crossler, R. E. (2017). User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self-Determination Theory. Journal of Management Information Systems, 34(4), 1203-1230.
O’Gorman, L. (2008). Securing business’s front door – Password, token, and biometric authentication. Web.
Roberts, C. (2018). What are the advantages/disadvantages of using a physical security token? Web.
RSA Security uses phones as security token. (2002). RCR Wireless News, 21(36), 14. Web.
Sabella, A., Irons-Mclean, R., & Yannuzzi, M. (2018). Orchestrating and automating security for the Internet of things: Delivering advanced security capabilities from edge to cloud for IoT. San Jose, CA: Cisco Press.
Schultz, E. E., Proctor, R. W., Lien, M.-C., & Salvendy, G. (2001). Usability and security: An appraisal of usability issues in information security methods. Computers & Security, 20(7), 620-634. Web.