Text-based passwords are the most common form of authentication. However, they are generally considered to be impractical for many reasons. Their complexity makes them hard to use. Users often struggle to manage many different, forgettable passwords. Furthermore, even strong passwords can be compromised through malware and phishing attacks. These factors support the idea of using physical devices or ‘tokens’ , instead of text-based passwords. This could help to achieve the goal of a practical security solution.
Payne et. al investigated factors determining user acceptance and expectations of a token-based authentication scheme that utilizes multiple wearable devices. Twenty semi-structured interviews were conducted lasting between fifteen and thirty-five minutes among a group diverse in age, (20-57), gender, and occupation. During the interview, participants were asked to identify the items they would prefer to carry as tokens and answered questions about the items they chose.
Participants were concerned about the convenience, design and trustworthiness of the tokens. They considered tokens more convenient when they could be used with many services and devices, made logging in quick and easy, and could be integrated into a something they already carry. Participants were comfortable with token designs that were familiar and easy to use, hold, and carry. Particularly, they preferred card-shaped tokens with fewer mechanical parts that fit easily into a pocket, wallet, or purse. Below shows participants perceptions about three types of tokens: Dual-Purpose (e.g. a watch), Practically Convenient (e.g. a keyring), and Flexible (e.g. a sticker).
Participants were concerned about trusting the tokens. They worried they would lose access to their accounts as a result of the tokens not working; tokens running out of battery, or breaking from everyday wear and tear. However, the main obstacle to using tokens as passwords is the participants concern about their security. They worried about who controlled the data, and whether their data could be misused. They also had particular concerns about tokens being lost or stolen.
In order to make the great changes required to transition to next generation passwords, it is important to consider users’ expectations and concerns. Products that are both secure and practical are required to avoid repeating the failures of text-based passwords. Physical passwords should be convenient such as tokens that are attachable to things that people already carry. There must also be guarantees addressing concerns about the risks of the new technology. Service providers and regulators can play an important role in supporting public confidence by reducing the risk of using token-based authentication.
Security tokens must be convenient and their security must be guaranteed before the public will be confident in next-generation passwords.