Using fingerprint authentication to reduce system security: An empirical study

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2011, Pages 32-46

  Wimberly, Hugh ^a   Liebrock, Lorie M ^a  

^a NEW MEXICO INSTITUTE OF MINING AND TECHNOLOGY   (United States)

Author keywords

Risk compensation; Security policy; Two factor authentication; User study

Indexed keywords

BEHAVIORAL RESEARCH; SECURITY SYSTEMS;

EMPIRICAL STUDIES; FINGERPRINT AUTHENTICATION; FINGERPRINT READER; RISK COMPENSATIONS; SECURITY ARCHITECTURE; SECURITY POLICY; SYSTEM SECURITY; TWO FACTOR AUTHENTICATION; USER BEHAVIORS; USER STUDY;

AUTHENTICATION;

EID: 80051962268     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2011.35     Document Type: Conference Paper

References (34)

1. D. Florencio and C. Herley, "A large-scale study of web password habits," in WWW '07: Proceedings of the 16th International Conference on World Wide Web. Banff, Alberta, Canada: ACM, 2007, pp. 657-666. (Pubitemid 47582295)
2. J. E. Webber, D. Guster, P. Safonov, and M. B. Schmidt, "Weak password security: An empirical study." Information Security Journal: A Global Perspective, vol. 17, no. 1, pp. 45-54, 2008.
3. P. Hoonakker, N. Bornoe, and P. Carayon, "Password authentication from a human factors perspective: Results of a survey among end-users," Human Factors and Ergonomics Society Annual Meeting Proceedings, vol. 53, pp. 459-463(5), September 2009.
4. M. Dell'Amico, P. Michiardi, and Y. Roudier, "Password strength: an empirical analysis," in INFOCOM'10: Proceedings of the 29th Conference on Information Communications. Piscataway, NJ, USA: IEEE Press, 2010, pp. 983-991.
5. J. Yan, A. Blackwell, R. Anderson, and A. Grant, "Password memorability and security: empirical results," Security & Privacy, IEEE, vol. 2, no. 5, pp. 25-31, 2004. (Pubitemid 40168623)
6. A. Forget, S. Chiasson, P. van Oorschot, and R. Biddle, "Persuasion for stronger passwords: Motivation and pilot study," in Persuasive Technology, ser. Lecture Notes in Computer Science, 2008, vol. 5033, pp. 140-150.
7. D. Davis, F. Monrose, and M. K. Reiter, "On user choice in graphical password schemes," in In 13th USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2004, pp. 151-164.
8. L. Coventry, A. De Angeli, and G. Johnson, "Usability and biometric verification at the ATM interface," in CHI '03: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. Ft. Lauderdale, Florida, USA: ACM, 2003, pp. 153-160.
9. A. Stewart, "On risk: perception and direction," Computers & Security, vol. 23, no. 5, pp. 362 - 370, 2004.
10. R. M. Trimpop, "Risk homeostasis theory: roblems of the past and promises for the future," Safety Science, vol. 22, no. 1-3, pp. 119 - 130, 1996. (Pubitemid 26290907)
11. M. Zviran and W. J. Haga, "Password security: an empirical study," J. Manage. Inf. Syst., vol. 15, pp. 161-185, March 1999. (Pubitemid 32716609)
12. K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L. B. Tai, J. Cook, and E. E. Schultz, "Improving password security and memorability to protect personal and organizational information," International Journal of Human-Computer Studies, vol. 65, no. 8, pp. 744-757, 2007. (Pubitemid 46824074)
13. P. G. Inglesant and M. A. Sasse, "The true cost of unusable password policies: password use in the wild," in Proceedings of the 28th international conference on Human factors in computing systems, ser. CHI '10. Atlanta, Georgia, USA: ACM, 2010, pp. 383-392.
14. C. Herley, "So long, and no thanks for the externalities: the rational rejection of security advice by users," in Proceedings of the 2009 workshop on New security paradigms workshop, ser. NSPW '09, 2009, pp. 133-144.
15. S. Sagan, "The problem of redundancy problem: Why more nuclear security forces may produce less nuclear security," Risk Analysis, vol. 24, pp. 935-946, 2004. (Pubitemid 39238486)
16. L. O'Gorman, "Comparing passwords, tokens, and biometrics for user authentication," Proceedings of the IEEE, vol. 91, no. 12, pp. 2021-2040, Dec. 2003. (Pubitemid 40890781)
17. D. Weirich and M. A. Sasse, "Pretty good persuasion: a first step towards effective password security in the real world," in Proceedings of the 2001 workshop on New security paradigms, ser. NSPW '01. Cloudcroft, New Mexico: ACM, 2001, pp. 137-143.
18. J. M. Stanton, K. R. Stam, P. Mastrangelo, and J. Jolton, "Analysis of end user security behaviors," Computers & Security, vol. 24, no. 2, pp. 124-133, 2005. (Pubitemid 40583824)
19. R. Dhamija and A. Perrig, "Déjà vu: a user study using images for authentication," in Proceedings of the 9th conference on USENIX Security Symposium - Volume 9, 2000, pp. 4-4.
20. S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, "Authentication using graphical passwords: effects of tolerance and image choice," in Proceedings of the 2005 symposium on Usable privacy and security, ser. SOUPS '05. Pittsburgh, Pennsylvania: ACM, 2005, pp. 1-12.
21. F. M. Streff and E. Geller, "An experimental test of risk compensation: Between-subject versus within-subject analyses," Accident Analysis & Prevention, vol. 20, no. 4, pp. 277 - 287, 1988.
22. T. Assum, T. Bjrnskau, S. Fosser, and F. Sagberg, "Risk compensation - the case of road lighting," Accident Analysis & Prevention, vol. 31, no. 5, pp. 545 - 553, 1999.
23. W. N. Evans and J. D. Graham, "Risk reduction or risk compensation? the case of mandatory safety-belt use laws," Journal of Risk and Uncertainty, vol. 4, pp. 61-73, 1991.
24. D. Besnard and B. Arief, "Computer security impaired by legitimate users," Computers & Security, vol. 23, no. 3, pp. 253 - 264, 2004.
25. R. West, "The psychology of security," Commun. ACM, vol. 51, pp. 34-40, April 2008. (Pubitemid 351530776)
26. E. Albrechtsen, "A qualitative study of users' view on information security," Computers & Security, vol. 26, no. 4, pp. 276 - 289, 2007. (Pubitemid 46873753)
27. M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek, "Password cracking using probabilistic context-free grammars," Security and Privacy, IEEE Symposium on, vol. 0, pp. 391-405, May 2009.
28. (2011, Mar.) Openwall wordlists collection. [Online]. Available: http://www.openwall.com/wordlists/
29. (2010) John the ripper password cracker. [Online]. Available: http://www.openwall.com/john/
30. M. Weir, S. Aggarwal, M. Collins, and H. Stern, "Testing metrics for password creation policies by attacking large sets of revealed passwords," in Proceedings of the 17th ACM conference on Computer and communications security, ser. CCS '10. Chicago, Illinois, USA: ACM, 2010, pp. 162-175.
31. D. Florêncio, C. Herley, and B. Coskun, "Do strong web passwords accomplish anything?" in Proceedings of the 2nd USENIX workshop on Hot topics in security. Berkeley, CA, USA: USENIX Association, 2007, pp. 10:1-10:6.
32. A. Adams and M. A. Sasse, "Users are not the enemy," Commun. ACM, vol. 42, pp. 40-46, December 1999.
33. R. McGill, J. W. Tukey, and W. A. Larsen, "Variations of Box Plots," The American Statistician, vol. 32, no. 1, pp. 12-16, 1978.
34. M. Bishop and D. V. Klein, "Improving system security via proactive password checking," Computers & Security, vol. 14, no. 3, pp. 233-249, 1995.