Costs and benefits of authentication advice
Hazel Murray, David Malone

TL;DR
This paper shows that authentication security advice is often ambiguous and contradictory, and sometimes has no clear security benefit. It proposes a formal approach for identifying the costs of such advice, grounded in a user study, together with a simple framework for analysing its security benefits.
Contribution
A formal approach for identifying the costs of authentication advice, a user study applying it to a large range of advice, and a framework for analysing the authentication-related security benefits of that advice, so that costs and benefits can be identified for every class of advice considered.
Findings
Some security advice has high costs with limited benefits.
Certain advice may be ambiguous or contradictory, reducing effectiveness.
A framework can systematically evaluate the value of authentication guidance.
Abstract
Authentication security advice is given with the goal of guiding users and organisations towards secure actions and practices. In this paper, we demonstrate that security advice can be ambiguous, contradictory and at times may not even have any clear benefits. We expand on current work by defining a formal approach to identifying costs of security advice and instigate a user study to identify the costs that apply to a large range of authentication advice. We also apply a simple framework for analysing the authentication-related security benefits of advice. This allows us to identify costs and benefits for all classes of security advice.
Taxonomy
Topics: Information and Cyber Security · Privacy, Security, and Data Protection · User Authentication and Security Systems
