Details
Original language | English |
---|---|
Title of host publication | CCS 2023 |
Subtitle of host publication | Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security |
Pages | 2740-2754 |
Number of pages | 15 |
ISBN (electronic) | 9798400700507 |
Publication status | Published - 21 Nov 2023 |
Event | 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 - Copenhagen, Denmark Duration: 26 Nov 2023 → 30 Nov 2023 |
Abstract
Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usability is challenging for developers. Previous work found that developers use online resources to inform security decisions when writing code. Similar to other areas, lots of authentication advice for developers is available online, including blog posts, discussions on Stack Overflow, research papers, or guidelines by institutions like OWASP or NIST. We are the first to explore developer advice on authentication that affects usable security for end-users. Based on a survey with 18 professional web developers, we obtained 406 documents and qualitatively analyzed 272 contained pieces of advice in depth. We aim to understand the accessibility and quality of online advice and provide insights into how online advice might contribute to (in)secure and (un)usable authentication. We find that advice is scattered and that finding recommendable, consistent advice is a challenge for developers, among others. The most common advice is for password-based authentication, but little for more modern alternatives. Unfortunately, many pieces of advice are debatable (e.g., complex password policies), outdated (e.g., enforcing regular password changes), or contradicting and might lead to unusable or insecure authentication. Based on our findings, we make recommendations for developers, advice providers, official institutions, and academia on how to improve online advice for developers.
Keywords
- Advice, Authentication, Software Development, Usable Security
ASJC Scopus subject areas
- Computer Science(all)
- Computer Networks and Communications
- Computer Science(all)
- Computer Science Applications
- Computer Science(all)
- Software
Cite this
- Standard
- Harvard
- Apa
- Vancouver
- BibTeX
- RIS
CCS 2023 : Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023. p. 2740-2754.
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
}
TY - GEN
T1 - “Make Them Change it Every Week!”
T2 - 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023
AU - Klemmer, Jan H.
AU - Gutfleisch, Marco
AU - Sasse, M. Angela
AU - Stransky, Christian
AU - Fahl, Sascha
AU - Acar, Yasemin
N1 - Funding Information: We thank the anonymous reviewers for their valuable feedback and for helping us to improve this paper. We thank our study’s participants for taking their time and allowing us to gain interesting insights. This research was funded by the Deutsche Forschungsge-meinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC 2092 CaSa – 390781972.
PY - 2023/11/21
Y1 - 2023/11/21
N2 - Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usability is challenging for developers. Previous work found that developers use online resources to inform security decisions when writing code. Similar to other areas, lots of authentication advice for developers is available online, including blog posts, discussions on Stack Overflow, research papers, or guidelines by institutions like OWASP or NIST. We are the first to explore developer advice on authentication that affects usable security for end-users. Based on a survey with 18 professional web developers, we obtained 406 documents and qualitatively analyzed 272 contained pieces of advice in depth. We aim to understand the accessibility and quality of online advice and provide insights into how online advice might contribute to (in)secure and (un)usable authentication. We find that advice is scattered and that finding recommendable, consistent advice is a challenge for developers, among others. The most common advice is for password-based authentication, but little for more modern alternatives. Unfortunately, many pieces of advice are debatable (e.g., complex password policies), outdated (e.g., enforcing regular password changes), or contradicting and might lead to unusable or insecure authentication. Based on our findings, we make recommendations for developers, advice providers, official institutions, and academia on how to improve online advice for developers.
AB - Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usability is challenging for developers. Previous work found that developers use online resources to inform security decisions when writing code. Similar to other areas, lots of authentication advice for developers is available online, including blog posts, discussions on Stack Overflow, research papers, or guidelines by institutions like OWASP or NIST. We are the first to explore developer advice on authentication that affects usable security for end-users. Based on a survey with 18 professional web developers, we obtained 406 documents and qualitatively analyzed 272 contained pieces of advice in depth. We aim to understand the accessibility and quality of online advice and provide insights into how online advice might contribute to (in)secure and (un)usable authentication. We find that advice is scattered and that finding recommendable, consistent advice is a challenge for developers, among others. The most common advice is for password-based authentication, but little for more modern alternatives. Unfortunately, many pieces of advice are debatable (e.g., complex password policies), outdated (e.g., enforcing regular password changes), or contradicting and might lead to unusable or insecure authentication. Based on our findings, we make recommendations for developers, advice providers, official institutions, and academia on how to improve online advice for developers.
KW - Advice
KW - Authentication
KW - Software Development
KW - Usable Security
UR - http://www.scopus.com/inward/record.url?scp=85179840643&partnerID=8YFLogxK
U2 - 10.48550/arXiv.2309.00744
DO - 10.48550/arXiv.2309.00744
M3 - Conference contribution
AN - SCOPUS:85179840643
SP - 2740
EP - 2754
BT - CCS 2023
Y2 - 26 November 2023 through 30 November 2023
ER -