A Behavioral Analysis of Passphrase Design and Effectiveness
Mark Keith, Benjamin Shao, & Paul Steinbart
Journal of the Association for Information Systems (2009)
Gun-woong Lee

Overview
• Research Motivation and Questions
  • Passwords vs. Passphrases
    • Security vs. Usability
    • Do passphrases enhance usability compared to conventional passwords?
  • Behavioral Effects
    • Typing mistakes vs. memory errors
    • Do passphrases increase memorability and reduce typing errors?
  • Psychological Effects
    • Login failure / User Perceptions / Intent to Adopt
    • Do enhanced authentication credentials improve user perceptions and intent to adopt the system?
• Theoretical Background
  • Memory-based login failures: Chunking & Phonological similarity effect
  • Typographical-based login failures: Skilled Typing (WTD)
  • User perception and intent to adopt: User Perceptions and Technology Acceptance
• Methodology
  • Longitudinal Field Study: controlled experiment + Survey

Research Framework and Hypotheses
[Figure: research framework linking Behavioral Effects (Experiment) and Psychological Effects (Survey)]

Findings
One student used all keyboard characters!

Strengths
• Research motivation
  • Motivated by academic and practical needs
  • Evaluates conflicting results on the usability of passphrases
  • Creates new knowledge about effective passphrase design
• Theoretical Background
  • Use of multiple theories from various disciplines
  • Theory-enabled hypotheses
  • Strong theoretical foundations
• Methodology
  • Combined methods
  • Behavioral effects (Experiment) & Psychological effects (Survey)
• Contributions
  • IS researchers: avenues for future research
  • Practitioners: helps them develop policies that enhance security and usability

Weaknesses and Extensions
• Limited experimental setting
  • Consider login frequency & efficiency
• Weak assumption
  • Participants in the study could easily recall their passphrases
    • Since the system might be the only one that requires passphrases
  • What if many IT systems utilize passphrases?
    • Users may have various passphrases for the different systems
    • Difficult for the users to memorize the correct passphrase for each system
• Extra Costs and Efforts
  • Passphrases may impose costs and effort on system managers, developers, & users
  • Changes in the overall layout of the user interface
• Subjective Criteria for distinguishing login failure types
  • Typo or a memory error?
  • Lee99 vs. Lee999
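
The typo-versus-memory ambiguity in the last bullet can be made concrete with an edit-distance rule. This is an added example, not code from the paper or the slides; the threshold rule, the function names and the sample passphrases are assumptions constructed for illustration.

```python
# Added illustration: label failed logins by edit distance to the stored
# credential. The threshold rule is an assumption, not the paper's criteria.

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def classify_failure(expected: str, attempt: str, max_typo_edits: int) -> str:
    """Return 'match', 'typo' (within max_typo_edits edits) or 'memory'."""
    dist = osa_distance(expected, attempt)
    if dist == 0:
        return "match"
    return "typo" if dist <= max_typo_edits else "memory"


# Constructed (expected, typed) pairs; only the first comes from the slide,
# and which side was the stored credential is assumed.
SAMPLES = [
    ("Lee99", "Lee999"),
    ("my dog ate 2 shoes", "my dog aet 2 shoes"),  # swapped adjacent keys
    ("my dog ate 2 shoes", "my cat ate 3 socks"),  # different words recalled
]


def label_samples(max_typo_edits: int) -> list:
    """Classify every sample pair under one threshold."""
    return [classify_failure(e, a, max_typo_edits) for e, a in SAMPLES]


if __name__ == "__main__":
    # The same attempts get different labels as the threshold moves, which is
    # the subjectivity the slide points at.
    for threshold in (0, 2):
        print(threshold, label_samples(threshold))
```

An extra "9" is one edit from the stored value, so any distance rule labels it a typo even if the user misremembered the count; distance alone cannot separate the two causes.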