SaTC: CORE: Small: Identifying and Quantifying Design Principles For Improving Password Manager Usage


Project Summary

Weak and reused passwords have significant negative impacts at the individual, organization, and nation-state levels. Password managers can address these problems, but their security-critical functionality—for example, password generation, credential audits, and password sharing—is underutilized, and there is a gap in the knowledge base regarding the underlying causes for this issue or how to mitigate it. My overall objective is to quantify and explain the ability of competing design principles to encourage full usage of the security functionality found in password managers. My central hypothesis is that design principles that address user-identified usability challenges will increase users’ willingness to utilize security features. The rationale for this research is that it will increase the understanding of underlying issues, identify generalizable design principles, and promote the design of more usable and secure password managers. In addition to having supportive preliminary data, I am well-prepared to undertake this research due to my experience evaluating authentication systems and my successful track record applying a similar research approach for usable, secure email.

I will achieve my overall objective by pursuing the following three specific aims. (Aim 1) I will identify and quantify design principles for generating passwords that meet user needs, describing how competing design principles increase users’ willingness to replace their current passwords with generated passwords. (Aim 2) I will identify and quantify design principles for credential audits, determining the extent to which different designs improve users’ compliance with suggested actions. (Aim 3) I will describe the unique processes, needs, and challenges parents and children face using password managers and identify and quantify the design principles that promote secure parent-child password management.

The proposed research is creative and original in that it breaks from the status quo of high-level usability assessments (applied research), instead quantifying and explaining the ability of generalizable design principles to address usability issues and improve the utilization of security features (basic research). Critically, I expect this approach to identify generalizable design principles that will apply to all password managers and other authentication systems. My educational objective in this work is to engage undergraduate students in computer security research, increasing the number of students that pursue education in computer security. I will accomplish this by working with undergraduate researchers from traditionally marginalized groups to lead the research in Aim 2. This research will also contribute to two Ph.D. dissertations, increasing the nation’s supply of highly trained security experts.

Intellectual Merit: This research will help fill the critical knowledge gap regarding which system designs and principles can improve the utilization of security-critical functionality in password managers. This contribution is significant because it promotes the principled design of password managers, improving security and usability. This research will also systematize the devices used for authentication and quantify their input characteristics. Finally, it will describe the unique processes, needs, and challenges parents and children face using password managers.

Broader Impacts: Strengthening password managers will improve the security of tens of millions and increase national security, one of the NSF’s desired societal impacts. This research will develop tooling that enables the design and evaluation of authentication schemes on non-traditional input modalities (e.g., IoT devices). The education plan will provide undergraduate students with cybersecurity research experiences, demonstrating that computer science is more than just coding and encouraging them to continue their study of these topics.

Keywords: Human-centric computing; Authentication and access control


Publications

Conferences

Abstract:  Two-factor authentication (2FA) defends against account compromise by protecting an account with both a password—the primary authentication factor—and a device or resource that is hard to steal—the secondary authentication factor (SAF). However, prior research shows that users need help registering their SAFs with websites and successfully enabling 2FA. To address these issues, we propose the concept of a SAF manager that helps users manage SAFs through their entire life cycle: setup, authentication, removal, replacement, and auditing. We design and implement two proof-of-concept prototypes. In a between-subjects user study (N=60), we demonstrate that our design improves users' ability to correctly and quickly set up and remove a SAF on their accounts. Qualitative results show that users responded very positively to the SAF manager and were enthusiastic about its ability to help them rapidly replace a SAF. Furthermore, our SAF manager prevented fatal errors that users experienced when not using the manager.

Ph.D. Dissertations

Abstract:  Password-based authentication is the predominant method for securing access on the web, yet it is fraught with challenges due to the web’s lack of inherent design for authentication. Password managers have emerged as auxiliary tools to assist users in generating, storing, and inputting passwords more securely and efficiently. But both the browser and the server are oblivious of the password manager’s presence, leading to usability and security issues. However, because the web wasn’t originally built to accommodate password-based authentication, password managers serve as a temporary fix and encounter several usability and security problems that limit their widespread use. This dissertation proposes a novel approach to enhance the usability and security of password-based authentication by integrating authentication as a core component of the web infrastructure, through the introduction of standardized interfaces for the interaction among browsers, password managers, and websites. To achieve this, the dissertation introduces four implementations as an exploration: (1) the development of a Password Composition Policy (PCP) language designed to standardize and enhance password generation processes; (2) the creation of a Secure Browser Channel (SBC) aimed at bolstering the security of passwords against prevalent web threats such as cross-site scripting (XSS) attacks and malicious browser extensions; (3) implementing the concept of SBC in FIDO2 passwordless authentication to show that the concept is important to more than just passwords; and (4) the application of SBC in a different context than credential entry – the detection and auditing of browser-based attacks. We implemented and performed real-world evaluations, demonstrating their practical viability and effectiveness in improving web authentication.
The dissertation concludes with reflections on the lessons learned from these implementations and outlines future research directions that could further cement authentication as an integral, first-class component of the web, thereby substantially improving the security and usability landscape of web authentication.

Master's Theses

Abstract:  This thesis introduces a novel password generation algorithm that aligns user-specified password composition policies (PCPs) with those required by websites, aiming to enhance security and usability. Traditional password generators focus on maximizing entropy but often neglect user ease, producing passwords that are either too complex to remember or too simple to be secure. Our research proposes a user-centric interface and algorithm that integrates the PCPs articulated by users with website requirements, facilitating a balance between security and convenience. We developed a system architecture that includes a baseline interface inspired by existing password generators and an advanced, user-centric interface that collects comprehensive user data, such as sensitivity preferences and device usage. Our methodology involves experimental testing to evaluate the algorithm’s security and functionality. Initial tests confirm that our algorithm can merge different PCPs and produce compliant, secure passwords. Our work not only demonstrates the feasibility of a user-centric approach to password generation but also highlights its practical benefits. By emphasizing enhanced security and user satisfaction without overcomplicating the user experience, our approach paves the way for a more secure and user-friendly digital landscape, instilling optimism about its potential implementation.

Abstract:  Having your account compromised can lead to serious complications in your life. One way accounts become compromised is through the security risks associated with weak passwords and reused passwords [22,23]. In this thesis, we seek to understand how entering passwords on non-PC devices contributes to the problems of weak and reused passwords. To do so, we conducted a survey that was distributed to people in the Western World. In our survey results, we found that users commented about how the current password model was not created with a variety of device types in mind, which created frustrations and complexity in the authentication process. We also found that users will try to prioritize using the devices that are fast and the ones they are familiar with. While users are most frequently authenticating using keyboards and mice, and generally had a strong preference for physical devices, we also found that touchscreen and mobile devices were the next most frequent device used to authenticate. When authenticating on other devices, users listed a number of frustrations like not having access to password managers and having to use arrow keys to input passwords, which made the whole process slower and more complex. Ultimately, these frustrations caused a majority of users to create intentionally weak passwords so they could authenticate faster and it caused other users to simply refuse to use the device or service. This shows that there are specific user needs that are not being met when it comes to the current authentication scheme, and to rectify this, we suggest a preliminary model for how password managers might better meet these needs in the conclusion of this paper.