Forcing johnny to login safely: long-term user study of forcing and training login mechanisms

Authors:
Amir Herzberg;Ronen Margulies
Affiliations:
Dept. of Computer Science, Bar Ilan University;Dept. of Computer Science, Bar Ilan University
Venue:
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Year:
2011

Citing 9
Cited 0

Why phishing works

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do security toolbars actually prevent phishing attacks?

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Passpet: convenient password management and phishing protection

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
The Emperor's New Security Indicators

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Beamauth: two-factor web authentication with a bookmark

Proceedings of the 14th ACM conference on Computer and communications security
You've been warned: an empirical study of the effectiveness of web browser phishing warnings

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Security and identification indicators for browsers against spoofing and phishing attacks

ACM Transactions on Internet Technology (TOIT)
It's not what you know, but who you know: a social approach to last-resort authentication

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Conditioned-safe ceremonies and a user study of an application to web authentication

Proceedings of the 5th Symposium on Usable Privacy and Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present the results of the first long-term user study of site-based login mechanisms which force and train users to login safely. We found that interactive site-identifying images received 70% detection rates, which is significantly better than passive indicators' results [15, 8, 12]. We also found that login bookmarks, when used together with 'non-working' links, doubled the prevention rates of reaching spoofed login pages in the first place. Combining these mechanism provides effective prevention and detection of phishing attacks, and when several images are displayed in the login page, the best detection rates (82%) and overall resistance rates (93%) are achieved. We also introduce the notion of negative training functions, which train users not to take dangerous actions by experiencing failure when taking them.