A recent revision to the US Government’s authentication guideline, NIST SP 800-63B "Authentication and Lifecycle Management", puts a greater emphasis on the usability of authentication in its recommendations. This talk will discuss the ways in which it attempts to relieve the users’ burden and shift more responsibility to the services themselves, hopefully improving overall security in the process. Presentation to BayCHI, December 12, 2017

1. Making
User Authentication
More Usable
Jim Fenton
@jimfenton

2. Context
I’m a consultant to the National Institute of Standards
and Technology
Focusing on revising US Government digital identity
standards
Everything here is my own opinion; I don’t speak for
NIST!
This talk focuses on the usability aspects of
authentication, and the security aspects only incidentally

3. About SP 800-63
NIST Special Publication
800-63, Digital Identity
Guidelines
Intended for federal
government use, but
also widely used
commercially and
internationally

4. Four-volume Set
Enrollment and
Identity Proofing
SP 800-63A
Authentication and
Lifecycle Management
SP 800-63B
Federation and Assertions
SP 800-63C

5. Executive Order 13681, “Improving the Security
of Consumer Financial Transactions”
“…ensure that all agencies making personal data
accessible to citizens through digital applications
require the use of multiple factors of authentication
and an effective identity proofing process, as
appropriate.”

6. Who are the Users?
Everybody:
Non-English speakers
Homeless people
Disabled veterans
Hospital patients
Physicians
Elderly
Students
Usability needs to consider all of these
Not just Federal employees!
Photo by Rob Curran on Unsplash

7. Usability Emphasis in
SP 800-63-3
Engaged NIST human-factors specialists
Included a Usability Considerations section in each
volume (A, B, and C)
Invited review on normative requirements that might
affect usability

8. Related Concepts
Accessibility: Can users with various disabilities
authenticate?
Availability: Can users authenticate under all
circumstances?

9. Authenticators
Nine authenticator types defined
Memorized secret (password, PIN, etc.)
Look-up secret
Out-of-band device
Single- and multi-factor OTP device
Single- and multi-factor crypto software
Single- and multi-factor crypto device

10. Factors
There are three authentication factors:
Something you know (password)
Something you have
Something you are (biometric)
Authenticators may provide 1 or 2 of these

11. Memorized Secrets
Passwords, passphrases, PINs, etc.

12. Memorized Secrets
Passwords are:
Most used authenticators
Most hated authenticators
Relatively weak
But they’re the only “something you know”
Security questions no longer acceptable

13. Making Passwords More
Usable
Action Rationale
Get rid of composition rules
(include digits, symbols, etc.)
Frustrating for users, less
benefit than expected
Allow all printing characters
plus space
Maximum freedom in selection;
no technical reason otherwise
Allow Unicode characters
Memorable passwords in all
languages
Very long maximum length
Encourage long passwords,
passphrases

14. Frustration vs. Security
Recommend use of a blacklist for common passwords
Unfortunately not very transparent
Frustrated users make bad choices
Weak
passwords
allowed
Frustrated
users
Blacklist size

15. Password Visibility
Passwords are obscured to
inhibit “shoulder surfing”
Makes correct entry more
difficult, and often there is no
shoulder-surfing threat
Recommend making
passwords visible on
request
Future browser feature??

16. Pasting
Some sites disallow pasting:
<input type="test" onPaste="return false”>
Also disables password managers
Done to enhance security, but probably encourages
weaker passwords
SP 800-63B discourages blocking pasting

17. Other Authenticators

18. Look-up Secrets
List of machine-generated
one-time secrets
Not intended for memorization:
typically more complex
Less usable/accessible
because they require manual
transcription, subject to
misread/mistyping
Cheap and very suitable as a
backup authenticator

19. Out-of-Band
Requires a separate
communication channel,
usually separate device
Availability: cell phone
service is not always
available
Accessibility: Usually
requires transcription of a
secret from one device to
another, often time-limited

20. Single-factor One Time
Password (OTP)
Requires transcription
from device to login
session
Time based OTP
imposes a time limit on
this process
Photo credit: Wikimedia Commons

21. Multi-factor OTP
Requires transcription of
secret from
authenticator to login
session
Typing on small device
may be challenging
Photo credit: HID

22. Cryptographic Software
Authenticators
Example: client certificate (with or without passphrase)
Process for installation of authenticator on user device
should be considered
Authenticators need to be organized for identification

23. Single-factor
Cryptographic Device
Availability: Requires an
interface (e.g., USB) to
connect to
authenticating device
Location of some ports
is inconvenient for
pushing the button
Photo credit: Yubico

24. Multi-factor
Cryptographic Device
Availability: Requires an
interface or adapter to
connect to
authenticating device

25. About Biometrics…
Need to reproduce conditions of enrollment
Choice of finger (fingerprint)
Lighting conditions (iris)
Facial hair, expression, glasses (face)
Many modalities (fingerprint, iris, etc.) are not usable by some
people
Generally considered convenient to use, but familiarity is important

26. Summary
There isn’t a perfect authenticator, from either a
usability or security standpoint
Services should support a variety of ways to
authenticate and to enroll multiple authenticators per
user

27. Identity Proofing

28. Identity Proofing
Enrollment process: establishing that a digital identity
corresponds to a specific individual
Generally done only once at enrollment, but may be
repeated if all authenticators are lost
May be done in-person (preferred) or remotely
Less sensitive to convenience, but more sensitive to
accessibility (disabled, homeless, etc.)

29. Questions?