A recent revision to the US Government’s authentication guideline, NIST SP 800-63B "Authentication and Lifecycle Management", puts a greater emphasis on the usability of authentication in its recommendations. This talk will discuss the ways in which it attempts to relieve the users’ burden and shift more responsibility to the services themselves, hopefully improving overall security in the process.
Presentation to BayCHI, December 12, 2017
2. Context
I’m a consultant to the National Institute of Standards and Technology
Focusing on revising US Government digital identity standards
Everything here is my own opinion; I don’t speak for NIST!
This talk focuses on the usability aspects of authentication, and the security aspects only incidentally
3. About SP 800-63
NIST Special Publication 800-63, Digital Identity Guidelines
Intended for federal government use, but also widely used commercially and internationally
5. Executive Order 13681, “Improving the Security of Consumer Financial Transactions”
“…ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
6. Who are the Users?
Everybody:
Non-English speakers
Homeless people
Disabled veterans
Hospital patients
Physicians
Elderly
Students
Usability needs to consider all of these
Not just Federal employees!
7. Usability Emphasis in SP 800-63-3
Engaged NIST human-factors specialists
Included a Usability Considerations section in each volume (A, B, and C)
Invited review on normative requirements that might affect usability
8. Related Concepts
Accessibility: Can users with various disabilities authenticate?
Availability: Can users authenticate under all circumstances?
9. Authenticators
Nine authenticator types defined (the single- and multi-factor variants below count separately)
Memorized secret (password, PIN, etc.)
Look-up secret
Out-of-band device
Single- and multi-factor OTP device
Single- and multi-factor crypto software
Single- and multi-factor crypto device
10. Factors
There are three authentication factors:
Something you know (password)
Something you have
Something you are (biometric)
Authenticators may provide 1 or 2 of these
12. Memorized Secrets
Passwords are:
Most used authenticators
Most hated authenticators
Relatively weak
But they’re the only “something you know”
Security questions no longer acceptable
13. Making Passwords More Usable
Action: Get rid of composition rules (include digits, symbols, etc.)
Rationale: Frustrating for users, less benefit than expected
Action: Allow all printing characters plus space
Rationale: Maximum freedom in selection; no technical reason otherwise
Action: Allow Unicode characters
Rationale: Memorable passwords in all languages
Action: Very long maximum length
Rationale: Encourage long passwords, passphrases
14. Frustration vs. Security
Recommend use of a blacklist for common passwords
Unfortunately not very transparent: users cannot tell in advance which choices will be rejected
Frustrated users make bad choices
[Chart: as blacklist size grows, fewer weak passwords are allowed but more users are frustrated]
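The rules on the two preceding slides (no composition rules, all printing characters plus space, Unicode, a long maximum, a blacklist of common values) are easy to state and easy to get subtly wrong in code. The following is an added example, not code from the talk or from NIST, of a memorized-secret acceptance check that follows the SP 800-63B section 5.1.1.2 rules, including two details the slides do not spell out: Unicode NFKC normalization before comparison, and rejection of context-specific words such as the username. The blocklist contents, the 256-character ceiling and the four-character minimum for context words are my assumptions for illustration.

```python
# Added example (not code from the talk or from NIST): a memorized-secret
# acceptance check following the SP 800-63B section 5.1.1.2 rules the slides
# summarise. The blocklist, the 256-character ceiling and the context-word
# minimum length are assumptions for illustration.
import unicodedata

MIN_LENGTH = 8      # 800-63B floor for a user-chosen memorized secret
MAX_LENGTH = 256    # 800-63B requires at least 64 be accepted; no reason to stop there

# Constructed stand-in for a list of common, expected or breached passwords.
# A real deployment loads millions of entries from a breach corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "passw0rd", "iloveyou"}


def normalize(secret: str) -> str:
    """800-63B: apply Unicode NFKC (or NFKD) before storing or comparing, so the
    same password typed via different keyboards or IMEs compares equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, context=(), blocklist=BLOCKLIST):
    """Return (accepted, reason). No composition rules: the only rejections are
    length, control characters, the blocklist, and context-specific words
    (service name, username) that 800-63B also says to reject."""
    s = normalize(secret)

    # Count code points, not bytes, so non-Latin and emoji passwords are not
    # penalised or silently truncated.
    if len(s) < MIN_LENGTH:
        return False, f"at least {MIN_LENGTH} characters required"
    if len(s) > MAX_LENGTH:
        return False, f"at most {MAX_LENGTH} characters allowed"

    # Accept every printing character and the space; reject only the "C*"
    # categories (control, format, unassigned, private use, surrogate).
    for ch in s:
        if unicodedata.category(ch).startswith("C"):
            return False, "control characters are not allowed"

    folded = s.casefold()
    # Case-fold the comparison so "Password" cannot sneak past "password".
    if folded in blocklist:
        return False, "this password is too common; choose another"

    # Context-specific words: the username, the service name, etc.
    for word in context:
        w = word.casefold()
        if len(w) >= 4 and w in folded:      # 4: assumed minimum to avoid noise
            return False, f"password must not contain '{word}'"

    return True, "ok"


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Password", "Zu\u0308rich Hauptbahnhof",
               "\U0001F512" * 8, "alice2019pass"]:
        print(repr(pw), check_password(pw, context=("alice", "example.com")))
```

The only password-strength signal here is the blocklist plus length, which is exactly the trade-off the chart on this slide describes: the larger and fresher the list, the fewer weak choices survive, and the more users see a rejection they did not expect.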
15. Password Visibility
Passwords are obscured to inhibit “shoulder surfing”
Makes correct entry more difficult, and often there is no shoulder-surfing threat
Recommend making passwords visible on request
Future browser feature??
16. Pasting
Some sites disallow pasting:
<input type="password" onpaste="return false">
Also disables password managers
Done to enhance security, but probably encourages weaker passwords
SP 800-63B discourages blocking pasting
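Paste blocking is easy to find in a site's own markup. The following is an added example, not code from the talk, of a small static check that flags password fields whose inline handlers cancel paste (or drop, copy, cut) events, and fields marked autocomplete="off", since both interfere with password managers. The sample HTML is constructed for the example.

```python
# Added example (not code from the talk): a static check that flags password
# fields which block pasting or disable autofill, the pattern the slide shows.
# The sample HTML below is constructed for the example.
from html.parser import HTMLParser

# Inline handlers that, when they cancel the event, break pasting and most
# password managers (which paste or drop into the field).
EVENT_HANDLERS = ("onpaste", "ondrop", "oncopy", "oncut")


class PasswordFieldAuditor(HTMLParser):
    """Records (field name, problem) for every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; values may be None for bare attributes.
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "text").lower() != "password":
            return
        field = a.get("name") or a.get("id") or "<unnamed>"
        for handler in EVENT_HANDLERS:
            code = a.get(handler, "").lower()
            if "return false" in code or "preventdefault" in code:
                self.findings.append(
                    (field, f"{handler} cancels the event: pasting and password managers blocked"))
        if a.get("autocomplete", "").lower() == "off":
            self.findings.append(
                (field, "autocomplete=off: asks browsers/managers not to fill this field"))


def audit(html: str) -> list:
    """Run the auditor over an HTML document and return its findings."""
    p = PasswordFieldAuditor()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: one form that blocks pasting and autofill, one that does not.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw_bad" onpaste="return false" autocomplete="off">
</form>
<form action="/login2" method="post">
  <input type="password" name="pw_ok" autocomplete="current-password">
</form>
"""

if __name__ == "__main__":
    for field, problem in audit(SAMPLE_HTML):
        print(f"{field}: {problem}")
```

The check only sees inline attributes; a site that attaches the same handler from a script file (addEventListener) needs a runtime check in the browser instead.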
18. Look-up Secrets
List of machine-generated one-time secrets
Not intended for memorization: typically more complex
Less usable/accessible because they require manual transcription, subject to misread/mistyping
Cheap and very suitable as a backup authenticator
19. Out-of-Band
Requires a separate communication channel, usually a separate device
Availability: cell phone service is not always available
Accessibility: Usually requires transcription of a secret from one device to another, often time-limited
20. Single-factor One Time Password (OTP)
Requires transcription from device to login session
Time based OTP imposes a time limit on this process
22. Cryptographic Software Authenticators
Example: client certificate (with or without passphrase)
Process for installation of authenticator on user device should be considered
Authenticators need to be organized so the user can identify which one to use (e.g., when several certificates are installed)
25. About Biometrics…
Need to reproduce conditions of enrollment:
Choice of finger (fingerprint)
Lighting conditions (iris)
Facial hair, expression, glasses (face)
Many modalities (fingerprint, iris, etc.) are not usable by some people
Generally considered convenient to use, but familiarity is important
26. Summary
There isn’t a perfect authenticator, from either a usability or security standpoint
Services should support a variety of ways to authenticate and to enroll multiple authenticators per user
28. Identity Proofing
Enrollment process: establishing that a digital identity corresponds to a specific individual
Generally done only once at enrollment, but may be repeated if all authenticators are lost
May be done in-person (preferred) or remotely
Less sensitive to convenience, but more sensitive to accessibility (disabled, homeless, etc.)