When will users drop their passwords (and move to a more secure form of authentication)?

October 21, 2013

Today I read an interesting paper by Marian Harbach and colleagues from the University of Hannover. They have studied the factors that influence the acceptance of new methods authentication online. In particular, they have studied user attitudes towards using the new German electronic identity card (nPA) as a replacement for username/password based authentication online. This is highly relevant for our own work on IRMA, a platform for authentication based on attribute based credentials.

Their results are based on group interviews with three small focus groups. In the course of these interviews they discussed the security of using username/password for signing in to online services, and asked the members whether they would consider using an eID-based from of authentication instead. Apart from the well known chicken-and-egg problem (without users there are no service providers accepting eID and vice versa), they discovered the following important considerations.

  • Users perceive passwords to be reasonable secure. They believe they have more control over memorised passwords, compared to using password managers or other (to them totally opaque) authentication technologies, like an eID based system. They inherently distrust these systems. Syncing passwords in the cloud is similarly not trusted.
  • Privacy friendly authentication using a government issued identity card is not properly understood (and looked upon with suspicion).
  • On the other hand, a government issued form of authentication (i.e. without the privacy-preserving part) is perceived as trusted (compared to Facebook-Connect like systems).
  • Users need to be convinced of the added value and trustworthiness of a new systems by friends, family, experts and positive press coverage.
  • The need of additional hardware (a smart card reader) is a large barrier to adoption, not only because of the cost, but also because users value the comfort of using smartphones, tablets and laptops everywhere. (IRMA does not require a separate card reader as it uses a contactless smartcard that can be read by smartphones and tablets with NFC.)
  • A killer app is important: if users would need to use eID based authentication for some services that they use on a daily basis, they would soon use eID based authentication for all their services.

Note: like IRMA, the German eID system implements a form of pseudonyms. These pseudonyms can not be linked across different service providers and cannot be traced back to the identity of the cardholder. Thus they provide a means for pseudonymous identification. Because of limited security (essentially ownership of the pseudonym is only proven because it is transmitted over a secure channel between the card and the service provider; if a single card, or this channel, is corrupted, it can claim ownership of an arbitrary pseudonym) the German eID system is less suitable for pseudonymous authentication. The inherently more secure way our IRMA platform implements full fledged and cryptographically secured attribute based credentials makes it better suited for this task.

In case you spot any errors on this page, please notify me!
Or, leave a comment.
UbiKiMa : migrating from passwords to secure authentication. | Jaap-Henk Hoepman - on security, privacy and…
, 2013-11-19 20:07:45

[…] are insecure, passwords are still the main form of authentication available on the web. There are several reasons for this. Users are used to passwords, and trust them. Teaching them to use something new requires time and […]