Institute for Software Research
School of Computer Science, Carnegie Mellon University


Practical security guidance for authentication-system designers

Joshua Tan

September 2020

Ph.D. Thesis
Societal Computing


Keywords: Computer security, authentication, usability, human factors, password policies, password-creation text feedback, public-key ļ¬ngerprints

Designers of authentication systems have a challenging task of balancing security requirements with organizational demands, including usability requirements and other practical constraints. They must design a system that is secure against modern attackers that are able to leverage increasingly large amounts of computational resources to undermine security protections. In some cases, system designers are subject to mandatory regulatory guidance that restricts that space of possible designs they are able to implement. Different organizations will have different levels of security requirements reflecting different threat models; designers must understand these requirements and design a solution specific to these requirements. Designers of authentication systems to be incorporated in consumer-facing products often must produce a solution that not only provides a given security level but that also does not undermine a high usability standard associated with the product brand. Different organizations will have different authentication needs; a single design solution will not work for all.

In designing an authentication system for an organization, system designers often rely on the guidance of security experts. Although system designers can often find security guidance on how to designan authentication system, this guidance may not always be applicable. For example, designers may be subject to regulatory requirements or usability constraints that preclude security solutions recommended by experts. In other cases, available security guidance may be incomplete, abstract, or incompatible with available resources. Security guidance for system designers should produce recommendations relevant for different scenarios; these recommendations should be both comprehensive and concrete.

In this thesis, I provide practical guidance for system designers tasked with designing an organizational password policy. This guidance is comprehensive, flexible to implementation requirements, concrete, and evaluated in experimental user studies considering both security and usability dimensions. Using a combination of machine-learning and statistical modeling methods, I explore techniques for expanding guidance available to system designers in the area of text feedback for password creation meters. I also provide design recommendations for applications that incorporate public-key fingerprint comparison, using user studies that evaluate the effective security of solutions providing varying levels of usability.

Thesis statement: The objective of this thesis is to provide practical, concrete, and actionable guidance for designing authentication systems that include textbased passwords or public-key fingerrprint verification, for systems subject to practical, real-world constraints and requirements. This guidance provides design recommendations sensitive to systems with different targeted security levels, organizational implementation requirements, and human usability constraints.

414 pages

Thesis Committee:
Lorrie Faith Cranor (Co-Chair)
Lujo Bauer (Co-Chair)
Matt Fredrikson
Mary Ellen Zurko (Massachusetts Institute of Technology)

James D. Herbsleb, Director, Institute for Software Research
Martial Hebert, Dean, School of Computer Science

Return to: SCS Technical Report Collection
School of Computer Science

This page maintained by