That Depends -- Assessing User Perceptions of Authentication Schemes across Contexts of Use

TL;DR

This study investigates how user perceptions of different authentication schemes vary across contexts of use, highlighting the importance of subjective factors in authentication acceptance and informing better design choices.

Contribution

It provides an in-depth analysis of user perceptions of password, fingerprint, and smartphone-based schemes across various contexts, emphasizing the influence of subjective perceptions on authentication choices.

Findings

Perceptions of usability, security, and trust vary significantly across schemes and contexts.

User preferences are strongly influenced by perceived effort and privacy concerns.

Context of use impacts user acceptance and perception of authentication schemes.

Abstract

Choosing authentication schemes for a specific purpose is challenging for service providers, developers, and researchers. Previous ratings of technical and objective aspects showed that available schemes all have strengths and limitations. Yet, the security of authentication also relies on user perceptions which affect acceptance and user behaviour and can deviate from technical aspects. To shine light on the issue and support researchers, developers, and service-providers confronted with authentication choice, we conducted an in-depth analysis of user perceptions of the password, fingerprint, and a smartphone-based scheme in an online study with 201 participants. As authentication is a secondary task that needs to be evaluated in the context of authentication purpose, we also compared perceptions across four contexts of use with varying sensitivity levels: email accounts, online banking, social networks, and smart homes. The results revealed how perceptions of usability, security, privacy, trust, effort, and qualitative features of the schemes are related to user preferences. The results increase awareness for the influence of subjective perceptions and have practical implications for decision-makers. They can inform a) the choice between several adequate schemes, b) the authentication design to reduce concerns or security-related misconceptions, and c) the development of context-dependent authentication.