Karen Renaud

THE END USER PLAYS A VITAL ROLE IN ACHIEVING SYSTEM SECURITY. If a security system is designed to accommodate the average user's needs and limitations, it is more likely that the system will succeed. Bear in mind that computer users are primarily goal directed and engaged in carrying out some task, and that maintaining security is usually not an integral part of that task. Hence, security systems are sometimes seen as an intrusion to be dealt with as quickly as possible so that users can continue with their primary task. Jonathan Grudin [1] found that humans would subvert any technology that did not directly benefit them in a group-based technological environment. This finding appears to apply to authentication mechanisms too: people often work around these mechanisms, which are put there explicitly to protect them, because they do not fully understand the benefits that will accrue from observation of security guidelines. Of course, security mechanisms do benefit end users, but they sometimes have a limited understanding of the whole security arena and do not have an insight into the benefits of taking the time to behave securely.
Password-based authentication is currently the most common authentication mechanism, but passwords are notoriously weak, mostly because of human information-processing limitations. People have too many passwords and PINs to remember, so they invariably resort to choosing easily remembered weak passwords, writing down the strong passwords, or using the same password with multiple accounts. All of these strategies weaken the password authentication mechanism. Biometrics is another common authentication mechanism. Besides being usually more expensive than passwords, biometrics is also somewhat unreliable because human beings are, by their very nature, variable. For example, fingerprint readers can misread if given dirty or damaged fingers; they can also be confused by users who don't place their fingers correctly on the reader. Some biometrics can also be readily compromised; for example, people can unknowingly leave enough skin oil residue on the reader to enable an attacker to duplicate their fingerprints. This chapter provides an overview of the different authentication mechanisms and proposes a technique for comparing these mechanisms to support developers in making an informed choice for their systems.