NIST studies authentication events
'Password fatigue' is a growing issue
26 March, 2014
category: Corporate, Digital ID, Government
The National Institute of Standards and Technology surveyed 25 employees to better understand user authentication events, both in the real world and digital ones. The two-part study had employees first record all their authentication events over a 24-hour period. Employees could also choose to include their personal authentication events. The second part of the study conducted interviews with the participants regarding authentication.
The study was designed to answer the following questions:
- Where does authentication fit into the daily activities people carry out?
- What characteristics of authentication may interfere with the primary activity that authentication is supposed to enable? What are the friction points?
- How do people add up the cumulative costs of authenticating multiple times each day, and how do they balance them against their own perceived security needs?
- How do people perceive the costs of performing security tasks — particularly authentication tasks — in comparison with the benefits of performing those tasks?
Some participants had trouble figuring out what “authenticating” meant. One participant erroneously recorded unlocking his car with his remote key fob as an authentication event. Conversely, some participants did not record showing their ID badge to a guard before entering the NIST campus.
Study participants recorded an average of 23 authentication events each during the study period. Since many participants did not record authentication events outside of work, the true number is most likely higher. Interviews revealed that participants were frustrated by the number of authentication tasks they had to perform every day – especially those they had to perform repeatedly, such as unlocking work computers that auto-locked after 15 minutes.
Participants found that it took a lot of effort to manage passwords for multiple resources, especially since those passwords were often governed by different policies.
Coping strategies included synchronizing passwords across multiple IT resources; employing password creation schemes; keeping password notes in a secure place; and employing password vaults or managers. Some employees reported avoiding “extra” activities — doing additional work from home — because authenticating seemed a greater hassle than the potential benefit.
NIST participants are not unique in being impacted by authentication. “Password fatigue” is a common problem and expecting users to simply adapt to an excessive authentication workload is not realistic.
The goal is to make authentication more usable but this will take time. Additional research is needed on how authentication affects users and the habits they develop to cope with those effects.
Until then, organizations can take steps to reduce the burden of authentication on their employees and on other users of these systems, which will improve both security and productivity.
Users expressed some authentication preferences during the study:
- Users prefer single sign-on (SSO) authentication.
- Standardizing password policies throughout the organization, which will make authentication elements easier for users to manage.
- Encouraging authentication coping mechanisms such as the use of password manager or vault applications on computers and mobile electronic devices.
The 166-page NIST report can be downloaded here.