Authentication is the aspect of Internet security with which ordinary users are probably most familiar, and the one they encounter most often. In the real world and in academic research, are we making progress in designing and deploying authentication mechanisms that are both usable and secure? We look at three case studies: online banking (commercial offerings), proposed password managers (academic proposals), and extended validation certificates (browser interface betas and prototypes). We ask: by what metrics should we judge our progress? What are the true objectives of those who deploy "usable authentication" mechanisms? And what is the perceived value of usable security research in academia and in the real world?
Reception to follow.
Paul Van Oorschot is a Professor in the School of Computer Science at Carleton University (Ottawa), Canada Research Chair in Network and Software Security, and founding director of Carleton's Digital Security Group. He earlier worked in R&D in industry for 14 years, serves regularly on international conference program committees in security and cryptography, and is co-author of the standard reference Handbook of Applied Cryptography. His current research interests include authentication, application security, software protection, network security, and usable security. He was a director of the IACR (1993-2001) and program co-chair of NDSS 2001 and 2002, and is program chair of USENIX Security 2008.