On the security and usability of dual credential authentication in UK online banking

Mike Just; David Aspinall

On the security and usability of dual credential authentication in UK online banking

Mike Just, David Aspinall

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

This paper presents the results of a security and usability review of the authentication implementations used by more than 10 UK banks. Our focus is on their use of dual text credentials that combine two passwords, PINs, or challenge questions (and some “partial selection” variations). We model the authentication protocols based upon several deployment choices, such as the credential rules, and use the model to compare the security and usability properties of the implementations. Our results indicate some variation and inconsistency across the UK banking industry, from which we offer some suggestions for improved authentication protocol design.

Original language	English
Title of host publication	2012 International Conference for Internet Technology and Secured Transactions
Subtitle of host publication	ICITST 2012
Publisher	IEEE
Pages	259-264
Publication status	Published - 2012

Cite this

@inproceedings{5edfcb3870334a648691277f44dc779e,

title = "On the security and usability of dual credential authentication in UK online banking",

abstract = "This paper presents the results of a security and usability review of the authentication implementations used by more than 10 UK banks. Our focus is on their use of dual text credentials that combine two passwords, PINs, or challenge questions (and some “partial selection” variations). We model the authentication protocols based upon several deployment choices, such as the credential rules, and use the model to compare the security and usability properties of the implementations. Our results indicate some variation and inconsistency across the UK banking industry, from which we offer some suggestions for improved authentication protocol design.",

author = "Mike Just and David Aspinall",

year = "2012",

language = "English",

pages = "259--264",

booktitle = "2012 International Conference for Internet Technology and Secured Transactions",

publisher = "IEEE",

address = "United States",

}

TY - GEN

T1 - On the security and usability of dual credential authentication in UK online banking

AU - Just, Mike

AU - Aspinall, David

PY - 2012

Y1 - 2012

N2 - This paper presents the results of a security and usability review of the authentication implementations used by more than 10 UK banks. Our focus is on their use of dual text credentials that combine two passwords, PINs, or challenge questions (and some “partial selection” variations). We model the authentication protocols based upon several deployment choices, such as the credential rules, and use the model to compare the security and usability properties of the implementations. Our results indicate some variation and inconsistency across the UK banking industry, from which we offer some suggestions for improved authentication protocol design.

AB - This paper presents the results of a security and usability review of the authentication implementations used by more than 10 UK banks. Our focus is on their use of dual text credentials that combine two passwords, PINs, or challenge questions (and some “partial selection” variations). We model the authentication protocols based upon several deployment choices, such as the credential rules, and use the model to compare the security and usability properties of the implementations. Our results indicate some variation and inconsistency across the UK banking industry, from which we offer some suggestions for improved authentication protocol design.

M3 - Conference contribution

SP - 259

EP - 264

BT - 2012 International Conference for Internet Technology and Secured Transactions

PB - IEEE

ER -

On the security and usability of dual credential authentication in UK online banking

Abstract

Fingerprint

Cite this