Can Single Sign-on Improve Password Management? A Focus Group Study

Once Is Enough: Single Sign-On

2007

For eons, passwords have been the gatekeepers to information and data that is located behind a 'locked door' or stored in a secret location. It is no different today, as passwords are a key to secrets; however, what is different today is the number of passwords that one needs to construct, recall and keep safe. This multiplicity has created a memory overload for the user, less secure passwords, and often, a strain on computer help-desk staff. Password technologies that reduce the need for multiple passwords are evolving; their developers claim that the technologies lessen the security risk to a system due to a reduction in the number of passwords required to get through the day-to-day work of a 21st century citizen. Smart cards, biometric devices, and Single Sign-On (SSO) systems are the most promoted alternatives. Specifically, Single Sign-On password systems are of interest to the study presented here. Single Sign-On allows end users to access multiple services and systems with a single username and password, therefore reducing the cognitive load on the end user and thus, supposedly, reducing end user frustration, which in turn reduces password-related security risks. This paper presents the results of a study conducted within two businesses that explored the influence SSO password systems have on system security.

Behavioral Analysis of Students’ Login Credentials Management in Mobile Environment

Journal of Industrial and Intelligent Information, 2013

The number of password-protected Internet-based applications is increasing significantly compared to a decade ago. Consequently, it causes an increase in the number of login credentials that users have to manage, for both Internet and mobile environments. This paper presents a study that specifically focused on students' login credential management for mobile computing users. A behavioral study was conducted on 250 students from Universiti Utara Malaysia to understand how they managed their login credentials while accessing the Internet via their mobile devices. The results suggested that students practiced poor login credential management. The paper recommends approaches that can be taken to improve login credential management for users with mobile devices.

Factors Influencing The Experiences of End-users in Password-Based Authentication System

Research Square (Research Square), 2024

Issues relating to password-based authentication have led to calls for an alternative in passwordless authentication. This call represents a comprehensive drift from password-based authentication irrespective of the introduction of multi-factor authentication, single sign-on and so on that are meant to strengthen the security of password-based authentication systems. As password-based authentication remains the most popular way of making sure end-users of computer, digital and information technology systems have authorised access to their valued assets and resources, the understanding of factors responsible for issues associated with password-based authentication continues to drive researchers' and developers' interests. This paper is a follow-up to an initial effort in understanding the experiences of end-users in password-based authentication. This study used a questionnaire-based design administered online through Google Forms to elicit information from end-users that helps in determining how much factors like password hygiene culture, use of password management tools, economic and social status of end-users and so on contribute to their password experience. A total of 193 respondents were used in the analysis, and the results identify factors that contribute and those that do not contribute to the experiences of end-users in their use of password-based authentication systems. The result of this study will go a long way in strengthening the design, deployment and utilisation of password-based authentication.

Network authentication using single sign-on

Proceedings of the 2nd ACM Symposium on Computer Human Interaction for Management of Information Technology - CHiMiT '08, 2008

Healthcare organizations are struggling to meet industry best practices for information security as well as complying with regulatory requirements. Single sign-on technology is emerging as a leading technology for password authentication management and promises to improve security while curbing system maintenance costs. While the technology seems to be a simple, viable solution for authentication, when placed in context, many socio-technical complexities emerge. One of these complexities is the mismatch between the users' mental models and the system model. This study was a 15-month ethnographic field study that followed the implementation of a single sign-on system in a hospital environment. It resulted in the finding that the misaligned mental models caused difficulties not only for the users but also for the system administrators. The findings also indicate that not only was the users' mental model of the technology inaccurate, but the presentation of the technology by the information technology group contributed to this misaligned understanding. The end result was dissatisfaction with the new technology for both end users and the system administrators. In order to address the critical issue of mental model misalignment in the implementation of SSO technology, practitioners must first gain an understanding of the preexisting mental models held by the target users regarding authentication and then use this information to guide implementation of the new technology.

A Taxonomy of Single Sign-On Systems

Lecture Notes in Computer Science, 2003

At present, network users have to manage one set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once and are logged into the services they subsequently use without further manual interaction. Several architectures for SSO have been developed, each with different properties and underlying infrastructures. This paper presents a taxonomy of these approaches and puts some of the SSO schemes, services and products into that context. This enables decisions about the design and selection of future approaches to SSO to be made within a more structured context; it also reveals some important differences in the security properties that can be provided by various approaches.

Improving end user behaviour in password utilization: An action research initiative

Systemic Practice and Action Research, 2008

This paper is about the design and implementation of techniques and strategies to improve end user behavior in the utilization of passwords within a formal setting. The researchers were requested to investigate the issues inherent in the password management and utilization procedure within the client organization and thereby improve end user behavior in the utilization of passwords within the organization. The researchers completed an action research study and successfully implemented a training program to improve system users' behavior related to passwords. They used a unique approach by designing training for creating passwords to fit with theories pertaining to human memory. In addition, the researchers also created and delivered security awareness training. The end users of the target information systems reported that after training they were able to use strong passwords (a strong password in our organization is one that has 15 characters with at least two numbers and one symbol) without writing them down. Requests to the help desk for password resets decreased. Users also reported that they are much more aware of security threats.

An Empirical Assessment of Factors Impeding Effective Password Management

Journal of Information Privacy and Security, 2008

Since passwords are one of the main mechanisms used to protect data and information, it is important to ensure that passwords are managed correctly and that those factors which have a significant impact on password management are identified and prioritized. Therefore, in order for an information and communication technology (ICT) overall security program to be successful, it must include a security awareness program or component. The aim of this paper is to perform an exploratory study with the objective of introducing certain fundamental causes that may impact password management. Empirical results, followed by a survey as well as the application of several management science techniques, are presented.

“It Basically Started Using Me:” An Observational Study of Password Manager Usage

CHI Conference on Human Factors in Computing Systems

There is limited information regarding how users employ password managers in the wild and why they use them in that manner. To address this knowledge gap, we conduct observational interviews with 32 password manager users. Using grounded theory, we identify four theories describing the processes and rationale behind participants' usage of password managers. We find that many users simultaneously use both a browser-based and a third-party manager, using each as a backup for the other, with this new paradigm having intriguing usability and security implications. Users also eschew generated passwords because these passwords are challenging to enter and remember when the manager is unavailable, necessitating new generators that create easy-to-enter and remember passwords. Additionally, the credential audits provided by most managers overwhelm users, limiting their utility and indicating a need for more proactive and streamlined notification systems. We also discuss mobile usage, adoption and promotion, and other related topics.

Security and privacy of Single-Sign-On (SSO) in mobile environment: Students' experiences and perceptions

We are responsible for the accuracy of all opinions, technical comments, factual reports, data, figures, illustrations, and photographs in this report. We bear full responsibility for checking whether material submitted is subject to copyright or ownership rights. UUM does not accept any liability for the accuracy of such comments, reports, and other technical and factual information, or for copyright or ownership right claims.