We perform a comprehensive analysis and comparison of 14 web single sign-on (SSO) systems proposed and/or deployed over the past decade, including federated identity and credential/password management schemes. We identify common design properties and use them to develop a taxonomy for SSO schemes, highlighting the associated tradeoffs in benefits (positive attributes) offered. We develop a framework to evaluate the schemes, in which we identify 14 security, usability, deployability, and privacy benefits. We also discuss how differences in priorities between users, service providers, and identity providers impact the design and deployment of SSO schemes.
The challenge of achieving passwordless user authentication is real given the prevalence of web applications that keep asking passwords. Complicating this issue further, in an enterprise environment, a single sign-on (SSO) service is often maintained but not all applications can be integrated with it. We envision a passwordless future which provides a frictionless and trustworthy online experience for users by integrating credential management and federated identity systems. In this regard, our implementation ROSTAM offers a dashboard that presents all applications the user can access with a single click after a passwordless SSO. The security of web passwords on the credential manager is ensured with a Master Key, rather than a Master Password, so that encrypted passwords can remain secure even if stolen from the server. We propose and implement novel techniques for synchronization (pairing) and recovery of this Master Key. We compare our solution to previous work using different evaluation frameworks, demonstrating that our hybrid solution combines the benefits of credential management and federated identity systems.
• Introduces passwordless SSO with secure credential management.
• Enhances security and privacy with a client-side Master Key encryption scheme.
• Features novel Master Key sync and recovery techniques.
• Outperforms widely adopted solutions in usability, security and privacy.
This paper investigates the factors that influence the actual use of password managers. In this paper, we have integrated some factors from the Technology Acceptance Model (perceived ease of use, perceived usefulness, and attitude) with other factors from the literature review (user readiness, awareness, and motivation) to investigate the influence of these factors on the use of password managers. The authors used an online questionnaire to collect data. The questionnaire was distributed by using two social media platforms (Twitter and WhatsApp). There were 171 participants from 6 countries who completed the questionnaire. Structural equation modelling was employed by using SmartPLS-3 software to analyse the data. Findings indicate that perceived ease of use, perceived usefulness, and user readiness have a positive impact and are substantially associated with attitude, thus influencing the actual use of password managers. Likewise, perceived usefulness, user readiness, and awareness have a positive impact and are significantly associated with motivation of users to use it, which also influences the actual use of password managers.
In this paper, we investigate the main and qualifying effect of Hofstede's uncertainty avoidance dimension (i.e., a culture's acceptance of ambiguous or uncertain situations) of national culture on an individual's protection motivation intentions (using protection motivation theory) to adopt an information security control voluntarily. Uncertainty avoidance is particularly relevant to protection motivation theory and voluntary security related actions, because individuals often perceive high levels of ambiguity related to the threat and the mitigating control that can be adopted voluntarily. The voluntary action that we investigated in this paper is the adoption of password managers due to the perceived uncertainty associated with the threat of having poor password management practices and the ambiguity related to the efficacy of adopting a password manager to mitigate this threat. Using a survey of 227 nationally diverse individuals, we found that uncertainty avoidance qualified the impact of perceived threat vulnerability and perceived threat severity on protection motivations to adopt a password manager voluntarily. In our data, the differential effect of uncertainty avoidance on perceived threat vulnerabilities was greater for those individuals reporting a below average level of uncertainty avoidance relative to an above average level of uncertainty avoidance, but we found the opposite qualifying effect on perceived threat severity. Counter to what we hypothesized, we found that the effect of uncertainty avoidance on protection motivations was negative. These results generally hold for the core and full PMT models. Our study suggests that a one-size fits all approach to security awareness education and training (especially for voluntary security actions) may not be appropriate due to the differential effect associated with individuals from different national cultures.
Security professionals often suggest password managers as one of the best measures for the end-users. However, the end-users have shown reluctance in adopting them, mostly due to the trust factor. The purpose of the paper was to examine the relationship of initial trust, and its antecedents, with the password manager's adoption intention. In this regard, using the Initial Trust Model as a framework, data from 289 respondents (age 18-35) were collected through a crowdsourcing website and analyzed using structural equation modeling (SEM) in SmartPLS 3.2. Results show that initial trust has a significant effect on the intention to adopt a password manager. In initial trust formation, firm reputation and structural assurances play a significant role, whereas personal propensity to trust does not significantly relate to initial trust. Moreover, firm reputation and structural assurances indirectly affect intention to adopt password managers.
Why don't individuals follow the best information security practices? We address an aspect of this question by focusing on one of the most common authentication methods – passwords. To promote better password habits, security experts consistently recommend the use of password managers as a best practice, but recent research shows their usage rate is low. Therefore, understanding the factors that influence the use of a password manager is important. We contribute to this cause by drawing on information security and technology adoption literature. Survey results from 120 participants with varying numbers of internet accounts yield some counterintuitive findings. As proposed, perceived severity and perceived vulnerability of password loss strongly influenced intent to use password managers. However, perceived ease of use diminished the intent to use password managers, and trust is only partially supported. Our results indicate that 'security' aspects of password managers are more important than 'usability' aspects. The implications of these findings for password management are discussed.
Phishing Attacks on Modern Android Aonzo, Simone; Merlo, Alessio; Tavella, Giulio ...
Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security,
10/2018
Conference Proceeding
Modern versions of Android have introduced a number of features in the name of convenience. This paper shows how two of these features, mobile password managers and Instant Apps, can be abused to make phishing attacks that are significantly more practical than existing ones. We have studied the leading password managers for mobile and we uncovered a number of design issues that leave them open to attacks. For example, we show it is possible to trick password managers into auto-suggesting credentials associated with arbitrary attacker-chosen websites. We then show how an attacker can abuse the recently introduced Instant Apps technology to allow a remote attacker to gain full UI control and, by abusing password managers, to implement an end-to-end phishing attack requiring only few user's clicks. We also found that mobile password managers are vulnerable to "hidden fields" attacks, which makes these attacks even more practical and problematic. We conclude this paper by proposing a new secure-by-design API that avoids common errors and we show that the secure implementation of autofill functionality will require a community-wide effort, which this work hopes to inspire.
"I don't see why I would ever want to use it" Seiler-Hwang, Sunyoung; Arias-Cabarcos, Patricia; Marín, Andrés ...
Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security,
11/2019
Conference Proceeding
Passwords are an often unavoidable authentication mechanism, despite the availability of additional alternative means. In the case of smartphones, usability problems are aggravated because interaction happens through small screens and multilayer keyboards. While password managers (PMs) can improve this situation and contribute to hardening security, their adoption is far from widespread. To understand the underlying reasons, we conducted the first empirical usability study of mobile PMs, covering both quantitative and qualitative evaluations. Our findings show that popular PMs are barely acceptable according to the standard System Usability Scale, and that there are three key areas for improvement: integration with external applications, security, and user guidance and interaction. We build on the collected evidence to suggest recommendations that can fill this gap.
Purpose
This paper aims to examine the impact an individual's long-term orientation (a cultural dimension) has on their attitude, behavioral intention and actual voluntary security actions taken in the context of the dangers related to poor account access management.
Design/methodology/approach
The paper relied upon survey data and actual usage information from a culturally diverse sample of 227 individuals who were introduced to the specific security problem and the accepted solution of using a password manager application.
Findings
The paper provides empirical evidence that the effect of positive attitudes increased when individuals were more long-term oriented, but the effect was reversed for average/negative attitudes toward the voluntary security behavior. Furthermore, participants with high long-term orientation and strong positive attitudes toward the security action actually adopted password manager applications 57 per cent more than the average adoption rate across the sample.
Research limitations/implications
Due to the research approach (survey data), security context and sample population, the research results may lack generalizability.
Practical implications
The findings suggest that security awareness messaging and training should account for differences in long-term orientation of the target audience and integrate the distinctly different types of messages that have been shown to improve an individual’s participation in voluntary security actions.
Originality/value
The paper addresses previous research calls for examining possible cultural differences that impact security behaviors and is the only study that has focused on the impact of long-term orientation, specifically on voluntary security actions.