The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, IEEE S&P '12
The authors propose 25 criteria, covering usability, deployability, and security, against which web-authentication schemes can be evaluated and compared. They then rate 35 schemes against these criteria and show that no scheme retains the full set of benefits that legacy passwords already provide: most proposals improve security, but only at the cost of usability or deployability (or both). The schemes evaluated fall into the categories password managers, proxy-based, federated, graphical, cognitive, paper tokens, visual cryptography, hardware tokens, phone-based, biometric, and recovery.
The 25 criteria are:
[usability] memorywise-effortless, scalable-for-users, nothing-to-carry, physically-effortless, easy-to-learn, efficient-to-use, infrequent-errors, easy-recovery-from-loss;
[deployability] accessible, negligible-cost-per-user, server-compatible, browser-compatible, mature, non-proprietary;
[security] resilient to each of physical observation, targeted impersonation, throttled guessing, unthrottled guessing, internal observation, leaks from other verifiers, phishing, and theft; plus no-trusted-third-party, requiring-explicit-consent, and unlinkable.
According to the authors, continuous authentication seems promising.
Citation (ACM Ref): Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP '12). IEEE Computer Society, Washington, DC, USA, 553-567. DOI=10.1109/SP.2012.44 http://dx.doi.org/10.1109/SP.2012.44