Open sesame: Lessons in password-based user authentication

Bahman Rashidi, Cybersecurity Research Engineer, and Vaibhav Garg, Senior Director of Cybersecurity Research & Public Policy, Comcast Cable





Abstract: The cost of unusable password policies in the wild is well documented. These costs impinge on both business and security. The alternative is to move to multi-factor and risk-based authentication, which include software authenticators, hardware tokens, and biometrics. This paper provides an overview of the research in this area and concludes with guidance on how to best leverage password-based authentication. We recommend that designers should only implement efforts backed by empirical evidence, offer solutions to reduce user effort, and use compensating controls to address the underlying limitations of passwords.


Keywords: passwords; biometrics; 2FA; MFA; authentication


Bahman Rashidi is a Senior Cyber Security Researcher and System Architect at Comcast Cable. At Comcast, his responsibilities focus on conducting cyber security research and development in the areas of network security, Internet of Things (IoT) devices, applications of machine learning (ML) in cyber security, privacy and data protection, and quantum computing/key distribution. He designs and builds strategic cyber security technologies and tools on the bleeding edge, including building networks, leading teams, and architecting security infrastructure and security solutions.


Vaibhav Garg is the Senior Director of Cybersecurity Research & Public Policy at Comcast Cable. He has a PhD in security informatics from Indiana University and a Master’s in information security from Purdue University. His research lies at the intersection of information security, technology policy and economics. He is the co-author of over 20 peer-reviewed publications and received the best paper award for his paper on the economics of cybercrime at eCrime 2011. He also received ACM Computer and Society’s Outstanding Service award in 2015 for his contributions as editor-in-chief of ACM Computers and Society Newsletter.
