Acceptance Testing Token-Based Authentication
Aim. Explore reactions to a proposed token-based authentication system, and compare this with how people perceive passwords and password management systems.
Research design, study implementation, systematic qualitative analysis, and write up
Interviews with lo-fi prototypes
What can we reasonably expect a user to manage in terms of carrying physical devices rather than relying on passwords and password management strategies?
Password strength depends on the password design process; since humans are typically responsible for designing their own passwords (with unreasonable expectations that we create a new and secure password for every system requiring a login), password strength is often not high. Solutions exist but users still rely heavily on weak password strategies. One solution, yet to be released, involves carrying multiple wearable devices to continuously authenticate the user's presence. How does this affect user acceptance of a token-based authentication system?
20 semi-structured interviews were conducted at the University of Cambridge, Computer Lab, in which participants (members of the public responding to an online advert) interacted with low-fidelity prototypes: two polymorph "authentication tokens" and several plastic "token-unlocking devices". Participants were asked to make choices between items to prompt comments about authentication tokens and uncover what criteria a token-based authentication system would need to meet to increase acceptability. We wanted to know what was important to potential users in terms of usability and security.
The interviews were video and audio recorded, allowing me to transcribe them. Transcriptions were analysed using a qualitative method for systematic, inductive, and empirical theory-creation: Grounded Theory.
The transcriptions from the first six interviews were subject to trial open-coding, followed by a consistency check with double coding (for intra-rater reliability) and blind coding (for inter-rater reliability), resulting in a coding frame. Open-coding proper started from the beginning, with the first sixteen interviews. The aim was to find commonalities in the data that reflected categories and revealed a set of themes. I then grouped codes into conceptual categories that reflected relationships. As well as blind coding, I sought feedback on interpretations of the data from two "inquiry auditors" (a research team member and a colleague at a different university). The final phase (selective coding) involved analysing code clusters with an aim to describe the data in terms of an underlying process.
The resulting theory was that the tangibility of authentication tokens increases perceived responsibility for mitigating security risks and having to manage physical items. The more devices a user has to carry, the greater the potential inconvenience and perceived risk due to the user having to rely on physical items. This is anxiety provoking. The full theory was presented in a published paper.
Challenges centred around the practicalities of: obtaining a range of participants within a reasonable time-frame; creating uniform, low-fidelity prototypes; and the involved process of performing grounded theory analysis on the data. These challenges were all met, and resulted in a thorough, systematic review of the problem space.