Professor Angela Sasse, director of the Research Institute in Science of Cyber Security at University College London, was speaking on “What's wrong with usable security” at an event at the University of Surrey on Tuesday.
Sasse, one of the authors of the acclaimed ‘Users are not the enemy' research paper published back in 1999, said that there has been widespread awareness for some time that security needs to be usable. She cited Dutch linguist and cryptographer Auguste Kerckhoffs' 1883 'La cryptographie militaire' as having a strong focus on usable security in three of its six principles (the key should be memorable; the system should be easy to use; and the apparatus or documents should be portable and operable by a single person), as well as the 1975 paper by Jerome Saltzer and Michael D. Schroeder describing the seven criteria for building secure computer systems.
“We need to get back to that,” stressed Sasse.
The professor did, however, point to a lot of activity, at least on the research side, on improving usable security. She noted that Cambridge University professor Ross Anderson and cryptography expert Bruce Schneier, formerly of BT but now CTO of Co3, had set up invite-only workshops on the topic, and added that the ACM Symposium on Usable Privacy and Security (SOUPS) has been running since 2005 and that the Security and Human Behaviour (SHB) conference has been an annual event since 2008. There are now even university modules on usable security, said Sasse.
But the professor was keen to stress that many facets of security remain bewildering to the end user, and said that this was particularly true of authentication, where a flurry of password alternatives have been suggested since the early 1990s.
At the conference, she cited numerous examples, including Passfaces – a “very memorable” face recognition form of authentication that was ‘useless' if you had more than one password – and Draw a Secret and BDAS, both of which were hampered by users choosing similar drawing patterns and by easy 'guess-ability'.
“Blokes often go for the one that most looks like a female model,” said Sasse of the Passfaces flaw.
Slightly zanier alternatives proposed by researchers over the years have included singing your password (Reynaud et al, NSPW 2007), thinking your password, and biometrics. Even single sign-on (SSO), as used by a number of companies, is limited because the number of emerging technologies means that users are still going to have six to eight passwords anyway, Sasse said.
The trouble for authentication, she added, is that there's only so much time end-users are willing to spend on it before they give up in the interests of preserving their productivity.
Using a simple time and motion study, Sasse and other researchers found that security is a “significant drain on productivity”, and she said that PC users can expect to spend three weeks a year logging in, maintaining credentials, or failing authentication.
“That is just unacceptable,” said the professor. “People are willing and able to spend a certain amount of time on a non-productive task, like security, but they have a built-in meter [for tolerance].”
She said that this threshold was around three percent of time in most organisations, or five percent in companies with a higher focus on security.
As a result, it is suggested that numerous workers are backing away from services that drain their time. Sasse claimed that remote login usage has declined 10 to 25 percent “depending which month you look at”, and – in a blow to BYOD – said that some users would decide against logging into work services altogether outside working hours if the authentication was unnecessarily tricky.
“They won't do anything until three days later.” The problem is exacerbated on mobile: with more than 50 percent of entries now made on touchscreens, entry time is 3x longer and the error rate 5x higher.
Those who persevere often write passwords down on paper just to keep on top of things, although Sasse pointed to the examples of SAS personnel in Libya and the World Cup chief as people who were unaware of how such notes can be captured by the media. “Let's get real – that happens all the time.”
Audience members brought up the possibility of password managers, but Sasse pointed out the lack of joined-up effort when a user switches from a Windows PC to a tablet or smartphone running another OS.
Passwords are unavoidable, but Sasse believes that some authentication is unnecessary.
“90 percent of explicit authentication events are unnecessary and could be removed. Very often authentication is used because administrators or developers can't think of anything better – or they make users authenticate because they can't handle the access control side.
“I think we could remove lots of events, and use implicit rather than explicit authentication.” She pointed to the Cambridge Pico project, which asks for authentication only after judging if and when the user has moved from their seat.
“Security shouldn't be an obstacle. We have to respect and engage users rather than just pushing this down on them. We need to work with them, to listen to them on what security requirements they want, what they can cope with, and how it can integrate with what they're already using.”
“Then they can be the last line of defence when automated measures fail.”
Barry Scott, technical director EMEA at Centrify, agreed with Sasse that the world needs to move on from passwords, suggesting that ‘zero sign-on' is the future.
“The password is a problem; users can't remember them and new form factors aren't great for entering them on,” he told SCMagazineUK.com.
But he warned that passwords are just one part of the problem, the other being that there is ‘too much privilege' and too much access control.