A Tale of Two Studies: The Best and Worst of YubiKey Usability

Reynolds, J. K.; Smith, Trevor; Reese, Ken; Dickinson, Luke; Ruoti, Scott; Seamons, Kent E.

doi:10.1109/sp.2018.00067

Cited by 40 publications

(37 citation statements)

References 17 publications

(32 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Context-based user acceptance (U3) responses for websites with different types of sensitive personal data involved (online banking and social network) personal data or payment data is involved on a website. These results partly reflect Redmiles et al 's[37], Reynolds et al 's[39], and Dutson et al 's[16] observations regarding the accepted use of 2FA for only financial or sensitive data. However, personal trust in the online service seemed to be equally important, too:"[I'm not providing my phone number] because [then] different websites, for example via social media, can still reach me[...].…”

supporting

confidence: 84%

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

Wiefling

Dürmuth

Iacono³

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users' perception of RBA and helps to improve RBA implementations for a broader user acceptance. CCS CONCEPTS• Security and privacy → Authentication; Usability in security and privacy.

show abstract

supporting

confidence: 84%

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

Wiefling

Dürmuth

Iacono³

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…Multi-factor Authenticators can improve the security of organizations against opportunistic attacks, e.g., the Zomato breach. However, they may also affect the usability of the system, as shown in Table 3, and add costs to the organization both in terms of the employee time lost during authentication and cost incurred to replace lost hardware-based authenticators [116][117][118]. Security Management Tools are used to specify and monitor security policies consistently across an organization and manage other security tools.…”

Section: Requirementsmentioning

confidence: 99%

“…Therefore, we believe that improving the usability of security tools and mechanisms is crucial. Most of the existing usability research is focused on authentication [104,106,[116][117][118]. While there has been some work related to software usability in general [126], more research is needed to understand usability in the context of security tools and software to make them more usable, seamless, and non-disruptive.…”

Section: Future Research Directionsmentioning

confidence: 99%

SoK: Anatomy of Data Breaches

Saleem

Naveed

2020

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

We systematize the knowledge on data breaches into concise step-by-step breach workflows and use them to describe the breach methods. We present the most plausible workflows for 10 famous data breaches. We use information from a variety of sources to develop our breach workflows, however, we emphasize that for many data breaches, information about crucial steps was absent. We researched such steps to develop complete breach workflows; as such, our workflows provide descriptions of data breaches that were previously unavailable. For generalizability, we present a general workflow of 50 data breaches from 2015. Based on our data breach analysis, we develop requirements that organizations need to meet to thwart data breaches. We describe what requirements are met by existing security technologies and propose future research directions to thwart data breaches.

show abstract

“…To complement the hardware-based cryptography, a Two Factor Authentication (2FA) token may be used. Despite the availability of 2FA tokens in the market, such as Yubikey [42], a self-developed token, with support to PKCS #11, will be integrated into this IM architecture in future works.…”

Section: ) Hardware-based Cryptographymentioning

confidence: 99%

Securing Instant Messages With Hardware-Based Cryptography and Authentication in Browser Extension

et al. 2020

View full text Add to dashboard Cite

Instant Messaging (IM) provides near-real-time communication between users, which has shown to be a valuable tool for internal communication in companies and for general-purpose interaction among people. IM systems and supporting protocols, however, must consider security aspects to guarantee the messages' authenticity, confidentiality, and integrity. In this paper, we present a solution for integrating hardware-based public key cryptography into Converse.js, an open-source IM client for browsers enabled with the Extensible Messaging and Presence Protocol (XMPP). The proposal is developed as a plugin for Converse.js, thus overriding the original functions of the client; and a browser extension that is triggered by the plugin and is responsible for calling the encryption and decryption services for each sent and received message. This integrated artifact allowed the experimental validation of the proposal providing authenticity of IM users with digital certificates and protection of IM messages with hardware-based cryptography. Results also shows the proposed systems is resistent to adversarial attacks against confidentiality and integrity and it is secure when considering cryptrographic tests like the Hamming distance and the NIST SP800-22.

show abstract

A Tale of Two Studies: The Best and Worst of YubiKey Usability

Cited by 40 publications

References 17 publications

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

SoK: Anatomy of Data Breaches

Securing Instant Messages With Hardware-Based Cryptography and Authentication in Browser Extension

Contact Info

Product

Resources

About