Authentication for humans: the design and evaluation of usable security systems

How can we make computer security systems usable by human users? Computer security demands that we establish the identity of human users who access individual computers and online services.Conversely, human users need to be able to authenticate the identity of online services reached over a computer network. This dissertation presents highly usable solutions for both the problems of human-computer authentication and computer-human authentication. The dissertation begins by presenting an overview of the usability and security problem.It explores the issues of human authentication by presenting a system called Deja Vu that uses graphical passwords to authenticate human users. It presents the results of a usability experiment that compares graphical passwords to traditional passwords. Next, the dissertation considers the problem of phishing, the use of bogus websites that appear to be legitimate websites associated with financial institutions or other organizations to collect personal information.It presents the results of an empirical study that examines which attack strategies are successful and what proportion of users they fool. Next, the dissertation presents a system called Dynamic Security Skins (DSS) that effectively allows online services to authenticate to human users, and vice versa. It presents an analysis and usability study of DSS. Finally, the dissertation concludes with a discussion open problems in the area of usability and security.