Practical Security Guidance for Authentication-System Designers

Designers of authentication systems have a challenging task of balancing security requirements with organizational demands, including usability requirements and other practical constraints. They must design a system that is secure against modern attackers that are able to leverage increasingly large amounts of computational resources to undermine security protections. In some cases, system designers are subject to mandatory regulatory guidance that restricts that space of possible designs they are able to implement. Different organizations will have different levels of security requirements reflecting different threat models; designers must understand these requirements and design a solution specific to these requirements. Designers

of authentication systems to be incorporated in consumer-facing products often must produce a solution that not only provides a given security level but that also does not

undermine a high usability standard associated with the product brand. Different organizations will have different authentication needs; a single design solution will

not work for all. In designing an authentication system for an organization, system designers often rely on the guidance of security experts. Although system designers can often

find security guidance on how to design an authentication system, this guidance may not always be applicable. For example, designers may be subject to regulatory requirements or usability constraints that preclude security solutions recommended by experts. In other cases, available security guidance may be incomplete, abstract, or incompatible with available resources. Security guidance for system designers should produce recommendations relevant for different scenarios; these recommendations

should be both comprehensive and concrete. In this thesis, I provide practical guidance for system designers tasked with designing an organizational password policy. This guidance is comprehensive, flexible to implementation requirements, concrete, and evaluated in experimental user studies considering both security and usability dimensions. Using a combination of machine-learning and statistical modeling methods, I explore techniques for expanding guidance available to system designers in the area of text feedback for password creation meters. I also provide design recommendations for applications that incorporate

public-key fingerprint comparison, using user studies that evaluate the effective security of solutions providing varying levels of usability.

Thesis statement: The objective of this thesis is to provide practical, concrete, and actionable guidance for designing authentication systems that include textbased passwords or public-key fingerprint verification, for systems subject to

practical, real-world constraints and requirements. This guidance provides design recommendations sensitive to systems with different targeted security levels, organizational implementation requirements, and human usability constraints.