Amir Herzberg, Bar Ilan University, Ramat Gan
Ronen Margulies, Bar Ilan University, Ramat Gan Holon
ABSTRACT
We present the results of a long-term user study of site-based login mechanisms which force and train users to login safely. We found that interactive site-identifying images received 70% detection rates, which is significantly better than the 20% received by the typical login ceremony. We also found that combining login bookmarks with interactive images and 'non-working' buttons/links (which we refer to as negative training functions) achieved the best detection rates (82%) and overall resistance rates (93%). As interactive custom images provide effective user training against phishing, we extended their authentication usages. We present an adaptive authentication mechanism based on recognition of multiple custom images, which can be used for different web and mobile authentication scenarios. The mechanism relies on memorization of the custom images on each primary login, adaptively increasing the authentication difficulty upon detecting impersonation attacks, and recognizing all images for fallback authentication.
INDEX TERMS
phishing, human factors, forcing functions, training, fallback authentication, learn-by-use graphical password, web security, mobile security, secure login ceremony, password reset
CITATION
Amir Herzberg, Ronen Margulies, "Training Johnny to Authenticate (Safely)", IEEE Security & Privacy, no. 1, PrePrints, doi:10.1109/MSP.2011.129