User-to-PC Authentication Through Confirmation on Mobile Devices: On Usability and Performance

TL;DR

This study explores a passwordless, token-based authentication method for PCs using mobile device confirmations, demonstrating improved usability and performance over traditional passwords through a user study.

Contribution

Introduces a mobile device confirmation approach for PC authentication, comparing biometric and button confirmation methods against passwords in terms of usability and efficiency.

Findings

Smartwatch confirmation outperformed passwords in speed.

Success rates were comparable across methods.

Participants preferred smartwatch-based authentication.

Abstract

Protecting personal computers (PCs) from unauthorized access typically relies on password authentication, which is know to suffer from cognitive burden and weak credentials. As many users nowadays carry mobile devices with advanced security features throughout their day, there is an opportunity to leverage these devices to improve authentication to PCs. In this paper we utilize a token-based passwordless approach where users authenticate to their PC by confirming the authentication request on their smartphones or smartwatches. Upon a request to login to the PC, or to evaluate privileges, the PC issues an authentication request that users receive on their mobile devices, where users can confirm or deny the request. We evaluate button tap and biometric fingerprint verification as confirmation variants, and compare their authentication duration, success rate, and usability to traditional password-based authentication in a user study with 30 participants and a total of 1,200 authentication attempts. Smartwatch-based authentication outperformed password-based authentication and smartphone-based variants in authentication duration, while showing comparable success rates. Participants rated smartwatch-based authentication highest in usability, followed by password-based authentication and smartphone-based authentication.