The Seven Flaws of Identity Management: Usability and Security Challenges
March/April 2008 (vol. 6 no. 2)
pp. 24-29
Rachna Dhamija, Harvard University
Lisa Dusseault, CommerceNet
Identity management systems' scale and complexity, combined with the privacy and security requirements demanded of them, create steep challenges for usability. In this article, the authors posit seven flaws or design challenges that must be met for the general public to accept and use identity management systems.

1. A. Acquisti and J. Grossklags, "Privacy and Rationality in Decision Making," IEEE Security & Privacy, vol. 3, no. 1, 2005, pp. 26–33.
2. B. Fitzpatrick and D. Recordon, "Thoughts on the Social Graph," http://bradfitz.com/social-graph-problem/.
3. A. Adams and M.A. Sasse, "Users Are Not the Enemy: Why Users Compromise Security Mechanisms and How to Take Remedial Measures," Comm. ACM, vol. 42, no. 12, 1999, pp. 40–46.
4. R. Dhamija, J.D. Tygar, and M. Hearst, "Why Phishing Works," Proc. Conf. Human Factors in Computing Systems (CHI 06), ACM Press, 2006, pp. 581–590.
5. McAfee-NCSA Online Safety Study, Oct. 2007; www.staysafeonline.info/news/americanslackprotection.html.
6. AOL/NCSA Online Safety Study, Dec. 2005; www.staysafeonline.info/pdf/safety_study_2005.pdf.
7. D. Florencio and C. Herley, "A Large Scale Study of Web Password Habits," Proc. Int'l World Wide Web Conf. (WWW 07), ACM Press, 2007, pp. 657–665.
8. R. Dhamija and A. Perrig, "Déjà Vu: A User Study—Using Images for Authentication," Proc. 9th Usenix Security Symp., Usenix Assoc., 2000, pp. 45–58.
9. B.M. Gross and E.F. Churchill, "Addressing Constraints: Multiple Usernames, Task Spillage and Notions of Identity," Proc. Conf. Human Factors in Computing Systems: Extended Abstracts (CHI 07), ACM Press, 2007, pp. 2393–2398.
10. K. Cameron, "Laws of Identity," blog, May 2005; www.identityblog.com/stories/2004/12/09/thelaws.html.
11. E. Maler, "r-e-s-p-e-c-t," blog, 19 June 2006; www.xmlgrrl.com/blog/archives/2006/06/19/r-e-s-p-e-c-t/.
12. N. Good et al., "Stopping Spyware at the Gate: A User Study of Privacy, Notice, and Spyware," Proc. Symp. Usable Privacy and Security (SOUPS 05), ACM Press, 2005, pp. 43–52.
13. J. Grossklags and N. Good, "Empirical Studies on Software Notices to Inform Policy Makers and Usability Designers," Proc. Usable Security (USEC 07), Lecture Notes in Computer Science, Springer, 2007.
14. M.S. Wogalter and W.J. Vigilante, "Attention Switch and Maintenance," Handbook of Warnings, M.S. Wogalter, ed., Lawrence Erlbaum Assoc., 2006, pp. 245–265.
15. D.A. Norman, "Design Rules Based on Analyses of Human Error," Comm. ACM, vol. 26, no. 4, 1983, pp. 254–258.
16. B. Schwartz, "The Tyranny of Choice," Scientific Am., Apr. 2004, pp. 71–75.
17. S. Schechter et al., "The Emperor's New Security Indicators," Proc. IEEE Symp. Security and Privacy, IEEE CS Press, 2007, pp. 51–65.
18. J. Franks et al., "RFC 2617: HTTP Authentication: Basic and Digest Access Authentication," June 1999; www.ietf.org/rfc/rfc2617.txt.
19. Privacy Rights Clearinghouse, Chronology of Data Breaches; www.privacyrights.org/ar/ChronDataBreaches.htm.
20. R. Stern, "What Happened in Vegas…," Phoenix New Times, 31 May 2007; www.phoenixnewtimes.com/2007-05-31/news/what-happened-in-vegas/full.

Index Terms:
usability, identity management, privacy
Citation:
Rachna Dhamija, Lisa Dusseault, "The Seven Flaws of Identity Management: Usability and Security Challenges," IEEE Security & Privacy, vol. 6, no. 2, pp. 24-29, March-April 2008, doi:10.1109/MSP.2008.49