IT Security

What users think about logging in without a password

Logging into an online shop without a password, using only the fingerprint? In this situation, it’s not surprising that users have the impression that their biometric data is transmitted to the website.

Many users consider passwords extremely burdensome. An authentication protocol for websites, called WebAuthn, could render them obsolete. Users can use it to log on to a service such as a social network or an online shopping platform with their smartphone or computer. The process is quick and easy when using biometric data such as fingerprint or face recognition, which are often already stored to unlock the device. “It is not surprising that this can create the impression that the biometric data is transmitted to the website to which you want to log in, similar to a password. But this is a misconception,” says Leona Lassak from Ruhr-Universität Bochum (RUB).

A team from RUB, the Max Planck Institute for Security and Privacy (MPI-SP) in Bochum and the University of Chicago has been tackling these and other misconceptions. In several online studies, they let 414 users try out the new WebAuthn sign-in and asked them about their first impressions and concerns regarding its security, usability, and privacy.

Leona Lassak from the Horst Görtz Institute for IT Security at RUB and Dr. Maximilian Golla from the MPI-SP, together with Annika Hildebrandt and Professor Blase Ur from the University of Chicago, will publish the results at the USENIX Security conference on 11 August 2021. The paper has been available online since 21 June 2021.

How WebAuthn works

WebAuthn is part of the new FIDO2 standard, which aims at making passwords obsolete. Currently, when users want to log in to a service, they just enter a username and password. In the future, users could instead authenticate themselves simply by using their device. To ensure that a random person who finds a lost smartphone won’t be able to sign in to all kinds of services, users have to confirm the login process with their smartphone PIN or biometrics. Some services such as the American eBay or Microsoft already offer the WebAuthn login.

Leona Lassak explains the problem: “For the user it seems like they are logging in to the online service with their fingerprint. In fact, their fingerprint only unlocks a so-called cryptographic key, which is stored on the user’s device and is then used for the actual login.”
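To make the mechanism in the quote concrete, the following Go sketch is an added example (not code from the study or from the FIDO standard) of the two WebAuthn ceremonies: registration, where the device hands the website only a public key, and login, where the website sends a random challenge and checks the returned signature. The `localPIN` field is a constructed stand-in for the on-device fingerprint or PIN gate; note that it is compared on the device and never sent, and that the website side stores nothing but the public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: the private key never leaves it, and
// the fingerprint or PIN check is only a local gate in front of the signing step.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	localPIN string // constructed stand-in for the on-device fingerprint/PIN check
}

// RelyingParty models the website. All it ever receives and stores is a public key.
type RelyingParty struct{ pubKey *ecdsa.PublicKey }

func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv, localPIN: pin}, err
}

// Register is the registration step: the device hands over its public key only.
func (a *Authenticator) Register(rp *RelyingParty) { rp.pubKey = &a.priv.PublicKey }

// Sign runs user verification locally, then signs the website's challenge.
// The fingerprint or PIN is compared on the device and is never transmitted.
func (a *Authenticator) Sign(challenge []byte, userInput string) ([]byte, error) {
	if userInput != a.localPIN {
		return nil, errors.New("user verification failed")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Login is the authentication ceremony: random challenge out, signature back,
// checked against the stored public key. Anyone holding the device who passes
// the local check signs in, which is why a guessable device PIN still matters.
func Login(rp *RelyingParty, auth *Authenticator, userInput string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := auth.Sign(challenge, userInput)
	h := sha256.Sum256(challenge)
	return err == nil && ecdsa.VerifyASN1(rp.pubKey, h[:], sig), err
}
```

A second device with the same PIN cannot log in to the same account, because the website verifies against the key registered by the first device, not against the PIN.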

Confusion among first-time users

Nearly 70 per cent of respondents were unsure or mistakenly believed that their biometric data would be shared with the website they were trying to sign in to. “It is important to address these misunderstandings, as they jeopardise people’s willingness to use the new secure sign-in,” says Annika Hildebrandt, an author from the University of Chicago.

Another problem arises when the fingerprint sensor does not work. In that case, the smartphone PIN can be entered instead. However, because the user interface does not make this option clear, 60 per cent of users thought they would lose access to their account. The researchers also asked whether participants would feel their accounts were safe if their smartphone was stolen. 93 per cent of respondents felt sufficiently protected by their biometrics but were unaware that an attacker could also gain access to their accounts by guessing the smartphone PIN.

Addressing misconceptions

The researchers let seven focus groups develop texts and graphics which aim to prevent these misconceptions and communicate the complicated functionality of WebAuthn. Based on these texts, the researchers implemented six notifications and compared them in an online study.

“Most effective in addressing misconceptions is to communicate explicitly that the fingerprint and face data is never transmitted to the website,” explains Annika Hildebrandt. It was less effective to highlight the disadvantages of passwords or to mention the trustworthy companies that helped to develop the WebAuthn standard.

Increasing adoption

Despite all misunderstandings and concerns, participants rated the biometric login higher than traditional passwords, as they were particularly impressed by its speed and ease of use. In the future, the researchers intend to further increase the acceptance of WebAuthn to make its advantages accessible to all users.

Funding

The project was partially funded by the SecHuman research training group of the State of North Rhine-Westphalia and the German Research Foundation in the Cluster of Excellence 2092 Cyber Security in the Age of Large-Scale Attackers (CASA).

Original publication

Leona Lassak, Annika Hildebrandt, Maximilian Golla, Blase Ur: “It’s stored, hopefully, on an encrypted server”: Mitigating users’ misconceptions about FIDO2 biometric WebAuthn, 30th USENIX Security Symposium, 2021, Virtual Conference (preprint available online)

Press contact

Leona Lassak
Mobile Security Research Group
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Email: leona.lassak@rub.de

Dr. Maximilian Golla
Max Planck Institute for Security and Privacy
Germany
Phone: +49 234 32 28667
Email: maximilian.golla@csp.mpg.de


Published

Tuesday
22 June 2021
9:14 am

By

Julia Weiler (jwe)

Translated by

Donata Zuber
