31.3. Administrators' Strengths and Weaknesses

The user interface described in the previous sections is an example of teaching and guiding the user to maintain the security of the system. As much as possible, Groove exposes security information (such as authentication colors) in a simple way that the user can understand. Nevertheless, there are situations in which more controlled mechanisms are needed. Groove also uses the technique of enforcing behaviors when appropriate.

A corporation can set up a management server to impose certain policies on its employees. For example, a corporation that does not need to communicate across enterprise boundaries might restrict Groove's ability to communicate with nonemployees. In that case, the Groove UI might warn Bob if he is receiving a message from someone who cannot be directly authenticated or who is not certified (i.e., someone who could be an impostor). In some cases, it might even be important to prevent such unauthenticated and uncertified communications.

As discussed, Groove provides as much security as possible without an administrator and provides increasing levels of security with centralized management. But administrators can themselves be a weak point in the security chain. Many users forget their passwords, and most systems provide a way for an administrator to recover or reset a user's password. When we originally designed a centralized password reset system, we relied on administrators to properly authenticate users before resetting their passwords: the process required the administrator to verify, out of band, the digital fingerprint of the temporary keys generated for the user. The new password therefore never had to be communicated in the clear, because it was strongly encrypted under the user's temporary keys. In theory this was a secure protocol, because the out-of-band channel only needed to be an authenticated channel, not a confidential one.

Unfortunately, administrators are users too, and they are not familiar with this level of security. As a result, many Groove domain administrators skipped the important signature verification step and significantly weakened the overall system. Ideas for forcing the administrator to verify the fingerprint (e.g., by preventing progress until the fingerprint was manually typed in) were proposed, but were later rejected by customers. We learned that most administrators strongly favor systems whose interfaces are similar to those of other popular applications, even if that means less security. In addition, a system that eliminates administrator intervention would, in practice, be both more secure and more deployable. Later designs of centralized password reset take these human elements into account and provide a relatively secure system that does not require administrator intervention and uses more common technologies (e.g., email, questions and answers, hints).
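As an added illustration (not code from the book or from Groove), the following Go sketch models the reset protocol described above: a temporary key generated for the user, the fingerprint the administrator is meant to confirm over the out-of-band channel, and the new password encrypted to that key. X25519, AES-GCM and all function names are assumptions; the point it shows is that the fingerprint comparison is the only thing binding the reset to the real user, so an administrator who skips it encrypts the password to whoever substituted their own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// fingerprint is the short key digest the administrator confirms with the user out-of-band.
func fingerprint(pub *ecdh.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub.Bytes()))[:16]
}

// aeadFor derives an AES-GCM key from the X25519 shared secret (SHA-256 stands in for a KDF).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, _ := priv.ECDH(pub) // only fails for keys on different curves
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	return cipher.NewGCM(block)
}

// resetPassword is the administrator's step: compare the key that arrived electronically with
// the fingerprint the user read aloud, then encrypt the new password to it (verify=false skips).
func resetPassword(admin *ecdh.PrivateKey, presented *ecdh.PublicKey, spokenFP, pw string, verify bool) ([]byte, error) {
	if verify && fingerprint(presented) != spokenFP {
		return nil, fmt.Errorf("presented key %s does not match spoken fingerprint %s", fingerprint(presented), spokenFP)
	}
	gcm, _ := aeadFor(admin, presented)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, []byte(pw), nil), nil
}

// holderReadsReset: the real user or (substitute=true) an impostor presents a temporary key; reports whether that party can decrypt the reset.
func holderReadsReset(substitute, verify bool) bool {
	gen := func() *ecdh.PrivateKey { k, _ := ecdh.X25519().GenerateKey(rand.Reader); return k }
	user, impostor, admin := gen(), gen(), gen()
	holder := map[bool]*ecdh.PrivateKey{false: user, true: impostor}[substitute]
	spoken := fingerprint(user.PublicKey()) // always the real user's, given over the phone
	box, err := resetPassword(admin, holder.PublicKey(), spoken, "new-password", verify)
	if err != nil {
		return false // the fingerprint check caught the substituted key
	}
	gcm, _ := aeadFor(holder, admin.PublicKey())
	pt, err := gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
	return err == nil && string(pt) == "new-password"
}
```

With verification on, the real user reads the reset and the impostor is refused; with verification skipped, the impostor reads it just as easily as the user.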



From: Security and Usability: Designing Secure Systems That People Can Use (2004), ISBN 0596008279, 295 pages.