Issue No.01 - January/February (2012 vol.10)
Amir Herzberg, Bar-Ilan University
Ronen Margulies, Bar-Ilan University
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.129
The authors present the results of a long-term user study of site-based login mechanisms that train users to log in safely. Interactive site-identifying images received 70 percent detection rates, which is significantly better than the 20 percent received by the typical login ceremony. They also found that combining login bookmarks with interactive images and nonworking buttons or links (called negative training functions) achieved the best detection rates (82 percent) and overall resistance rates (93 percent). Because interactive custom images provide effective user training against phishing, the authors extended their authentication uses. The authors present an adaptive authentication mechanism based on recognition of multiple custom images, which can be used for different Web and mobile authentication scenarios. The mechanism relies on memorization of the custom images on each primary login, adaptively increasing the authentication difficulty on detection of impersonation attacks, and recognizing all images for fallback authentication.
phishing, training, human factors, long-term user study, forcing functions, fallback authentication, password reset, graphical passwords, memorability
Amir Herzberg, Ronen Margulies, "Training Johnny to Authenticate (Safely)", IEEE Security & Privacy, vol. 10, no. 1, pp. 37-45, January/February 2012, doi:10.1109/MSP.2011.129