Alternative Authentication in the Wild
Joseph Maguire, Karen Renaud

TL;DR
This paper evaluates an alternative authentication method in real-world settings, highlighting its performance across diverse devices and contexts, and discusses the importance of field testing for authentication solutions.
Contribution
It provides an 'in the wild' evaluation of an alternative authentication mechanism, moving beyond lab tests to real-world deployment and analysis.
Findings
The mechanism's performance varied across different devices and contexts.
Field testing revealed practical strengths and limitations not apparent in lab evaluations.
The study emphasizes the importance of real-world testing for authentication methods.
Abstract
Alphanumeric authentication routinely fails to regulate access to resources with the required stringency, primarily due to usability issues. Initial deployment did not reveal the problems of passwords; deep and profound flaws only emerged once passwords were deployed in the wild. The need for a replacement is widely acknowledged, yet despite over a decade of research into knowledge-based alternatives, few, if any, have been adopted by industry. Alternatives are unconvincing for three primary reasons. The first is that alternatives are rarely investigated beyond the initial proposal, with only the results from a constrained lab test provided to convince adopters of their viability. The second is that alternatives are seldom tested realistically where the authenticator mediates access to something of value. The third is that the testing rarely varies the device or context beyond that…
