The Seven Flaws of Identity Management: Usability and Security Challenges (Paper: Dhamija, R., Dusseault, L., IEEE Security and Privacy, Volume 6, Issue 2, March – April 2008) Abstract, HTML
Abstract: Web identity management systems are complex systems with powerful features—and many potential vulnerabilities. They aim to facilitate the management of identifiers, credentials, personal information, and the presentation of this information to other parties. In many schemes, an identity provider (IdP) issues identities or credentials to users, while a relying party (RP) depends on the IdP to check the user credentials before it allows users access to website services. By separating the role of and IdP from the RP, identity management systems let users leverage one identifier across multiple Web services.
The Emperor’s New Security Indicators (Paper: Schechter, S. E., Dhamija, R., Ozment, A., Fischer, I., The 2007 IEEE Symposium on Security and Privacy, May 2007) Abstract, PDF
Abstract: We evaluate website authentication measures that are designed to protect users from man-in-the-middle, ‘phishing,’ and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant’s site-authentication image—the customer-selected image that many websites now expect their users to verify before entering their passwords. Finally, we replaced the bank’s password-entry page with a warning page. After each clue, we determined whether participants entered their passwords or withheld them. We also investigate how a study’s design affects participant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused instructions. We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 23 of the 25 (92%) participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants’ security behavior: role-playing participants behaved significantly less securely than those using their own passwords.