NISTIR 7983 Report: Authentication Diary Study Michelle Steves Dana Chisnell Angela Sasse Kat Krol Mary Theofanos Hannah Wald NISTIR 7983 Report: Authentication Diary Study Michelle Steves Information Access Division Information Technology Laboratory Dana Chisnell Usability Works Boston, MA Angela Sasse Kat Krol University College London London, UK Mary Theofanos Office of Data and Informatics Material Measurement Laboratory Hannah Wald Booze Allen Hamilton McLean, VA February 2014 U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director TABLE OF CONTENTS EXECUTIVE SUMMARY ............................................................................................................................ 1 1 INTRODUCTION ................................................................................................................................. 3 2 BACKGROUND .................................................................................................................................... 5 2.1 AUTHENTICATION ............................................................................................................................. 5 2.2 USABILITY ........................................................................................................................................ 5 2.3 ENABLING TASKS AND PRIMARY TASKS ........................................................................................... 6 2.4 FRICTION .......................................................................................................................................... 6 2.5 THE COMPLIANCE BUDGET ................................................................................................................ 7 2.6 PASSWORD FATIGUE ......................................................................................................................... 7 2.7 IT AND AUTHENTICATION AT NIST .................................................................................................. 8 3 METHOD ............................................................................................................................................... 9 3.1 PARTICIPANTS .................................................................................................................................. 9 3.2 MATERIALS .....................................................................................................................................10 3.3 SETTING ...........................................................................................................................................10 3.4 PROCEDURE .....................................................................................................................................11 3.4.1 Briefing ...................................................................................................................................11 3.4.2 Data Collection Period ............................................................................................................12 3.4.3 Follow-Up Interviews .............................................................................................................12 4 RESULTS ..............................................................................................................................................13 4.1 WHEN DID PARTICIPANTS AUTHENTICATE?......................................................................................14 4.2 WHAT TYPES OF APPLICATIONS WERE USED? ...................................................................................15 4.2.1 Personal and work-related authentication events ....................................................................15 4.2.2 Types of applications requiring authentication .......................................................................16 4.2.3 Application subtypes ...............................................................................................................18 4.3 WHERE WERE THESE EVENTS TAKING PLACE? .................................................................................20 4.4 INFORMATION SURROUNDING HOW THESE EVENTS OCCURRED ........................................................21 4.4.1 Devices used to authenticate ...................................................................................................21 4.4.2 What was required for authentication? ....................................................................................24 4.4.3 Authentication information memorization and memory aids ..................................................29 4.4.4 Authentication problems .........................................................................................................35 4.4.5 Actions taken after encountering authentication problems .....................................................37 4.4.6 Participant frustration ratings ..................................................................................................37 5 VISUALIZING THE EFFECTS OF AUTHENTICATION: THE USER EXPERIENCE ...........41 5.1 THE “JOURNEY MAP” AS A TEMPLATE FOR USER EXPERIENCE VISUALIZATION .............................41 5.2 MEASURES USED IN THE USER EXPERIENCE CHART ........................................................................42 5.2.1 Frustration Rating ....................................................................................................................42 5.2.2 Interviewer Rating ...................................................................................................................43 5.2.3 Calculated Disruption ..............................................................................................................43 5.2.4 Composite Rating ....................................................................................................................46 5.3 USER EXPERIENCE CHARTS .............................................................................................................48 6 DISCUSSION ........................................................................................................................................53 6.1 HOW PARTICIPANTS PERCIEVED THEIR AUTHENTICATION WORKLOAD ..........................................53 6.2 SPECIFIC “FRICTION POINTS” DESCRIBED BY OUR PARTICIPANTS ...................................................55 6.2.1 Re-authenticating due to timed lockouts .................................................................................55 ii 6.2.2 Remembering a large number of passwords and when/where each one is supposed to be used 56 6.2.3 Managing a large number of authentication elements .............................................................57 6.2.4 Management workload for infrequently used passwords ........................................................57 6.2.5 Miscellaneous friction points ..................................................................................................58 6.3 PARTICIPANTS’ FEELINGS ABOUT THE NECESSITY AND EFFECTIVENESS OF AUTHENTICATION .......59 6.3.1 While all participants saw a need for organizational security at NIST, some questioned the effectiveness of current methods ..........................................................................................................59 6.3.2 Participants think organizational security measures are too demanding .................................60 6.3.3 Overall, participants believe SSO is the best way to address both security and usability issues 61 6.4 COPING WITH AUTHENTICATION .....................................................................................................62 6.4.1 Coping mechanisms used by participants................................................................................62 6.4.2 What participants’ coping mechanisms imply about their view of authentication and security 73 6.5 TRADING OFF PRODUCTIVITY FOR SECURITY ...................................................................................73 6.6 INSIGHTS REGARDING AUTHENTICATION, FRICTION, AND DISRUPTION ..........................................74 6.6.1 Authentication problems create considerable friction .............................................................74 6.6.2 Users experience friction from authentication even when there are no problems ...................75 6.6.3 Friction and disruption from authentication have long-term effects .......................................78 7 RECOMMENDATIONS .....................................................................................................................80 7.1 RETHINKING ASSUMPTIONS ABOUT AUTHENTICATION ...................................................................80 7.1.1 Users struggle with authentication because they are only human ...........................................80 7.1.2 More authentication is not necessarily better ..........................................................................81 7.2 MAKING PASSWORD-BASED AUTHENTICATION MORE USABLE ......................................................81 7.2.1 Listen to and work with users..................................................................................................81 7.2.2 Implement SSO .......................................................................................................................82 7.2.3 Consolidate and standardize authentication as much as possible ............................................82