Authentication events are so woven into our lives that we often take them for granted. They’re the times we open a house or a car with a key, when we use a PIN to access a phone or an ATM, when we log in online.
Some of these events – especially those involving computers – have been fairly well scrutinized over the last decade, says HP Immersive Experiences Lab researcher Mary Baker.
“We have a lot of work now about passwords and codes, especially about how to make them stronger,” Baker notes. “But what about the overall burden that authentication places on our lives? Is that something that bothers people? And if it is, what can we do about it?”
Baker and fellow researchers presented some answers to these questions at the USENIX Symposium on Usable Privacy and Security in Denver, Colorado this summer, showing that authentication is indeed a burden on people. It also remains a surprisingly physical experience and one that fails far more often than we might expect.
These findings suggest a need to work on physical and digital authentication in tandem, argues Baker, and point to the potential value of developing a “universal authenticator” that provides access to the many physical and virtual locations that we want to keep secure.
The research, published in the symposium’s proceedings, also reveals that people’s feelings about authentication vary greatly, pointing to challenges for anyone looking to design authenticators that have widespread appeal.
What is technology making harder?
The HP Labs team’s interest in authentication originated with a broader, slightly contrarian question: if technology is making many aspects of our lives easier, what is actually getting harder to do?
“One of the things we noticed is that there are more and more demands on us to remember things or carry things with us in order to have access to resources that we’re supposed to be able to reach by virtue of who we are,” Baker recalls.
Her hunch was that if those demands were too onerous, people would look for workarounds or even abandon the security systems available to them. Even the most secure key, badge, or password isn’t much help, after all, if it’s so burdensome to use that no one will use it.
To find out how people experienced authentication, and what they felt about those experiences, Baker, colleague Jeremy Gummeson, and intern Shrirang Mare from Dartmouth College designed a study in which participants recorded on a digital wristwatch every authentication experience they had over a week. The watch was equipped with a simple diary application where users could note each authentication they attempted, the kind of event it was (opening a door, getting online, etc.), the authenticator they used (a key, a badge, a code), and whether they were successful or not.
An experience with room for improvement
On reviewing a total of 4,623 hours of logs, the HP researchers found some surprising results. On average, 25% of a person’s daily authentications still required analog physical tokens, such as badges or car or door keys, suggesting both the degree to which authentication remains a daily inconvenience for many and that opportunities abound for new approaches to token-based digital authentication.
“That was especially interesting because we didn’t really have any data for the relative ratios of physical to digital authentication in people’s lives before we did this study,” Baker reports.
Many types of authentication were also far less reliable than expected. People who should have been allowed access to somewhere or something were denied it as much as 12% of the time depending on the type of authentication.
Additionally, interviews with study participants revealed a wide variety of opinions about each specific kind of authentication – a finding that complicates efforts to devise a single solution for all authentication needs.
Despite that complexity, Baker believes that the results do help us better understand what it might take to create a universal authenticator – one that unlocks everything you need access to. “That’s still pretty far out in terms of covering all possible types of authentication,” she suggests. “But we can do pieces of that work now and this is helping us figure out which pieces would be best to tackle, if that’s something that we as a lab would like to pursue.”