Authentication Melee: A Usability Analysis of Seven Web Authentication Systems

Scott Ruoti, Kent Seamons, Charles Knutson, Dan Olsen
2015 All Theses and Dissertations   unpublished
Passwords continue to dominate the authentication landscape in spite of numerous proposals to replace them. Even though usability is a key factor in replacing passwords, very few alternatives have been subjected to formal usability studies and even fewer have been analyzed using a standard metric. We report the results of four within-subjects usability studies for seven web authentication systems. These systems span federated, smartphone, paper tokens, and email-based approaches. Our results indicate that participants prefer single sign-on systems. We utilize the System Usability Scale (SUS) as a standard metric for empirical analysis and find that it produces reliable, replicable results. SUS proves to be an accurate measure of baseline usability and we recommend that going forward all new authentication proposals be required to meet a minimum SUS score before being accepted by the security community. Our usability studies also gather insightful information from participants' qualitative responses: we find that transparency increases usability but also leads to confusion and a lack of trust, participants prefer single sign-on but wish to augment it with site-specific low-entropy passwords, and participants are intrigued by biometrics and phone-based authentication.

ACKNOWLEDGMENTS

Thanks go to Brent Roberts for help administering the user studies and providing some basic analysis of collected data. A special thanks goes to my wife, Emily Ruoti, for helping edit this thesis and the WWW'15 submission based on this thesis, and for all the other support she gave me throughout my Master's program.