User Perception and Performance of Authentication Procedures

Abstract: There is no doubt that security mechanisms, such as authentication, are required in Information and Communication Technology, but they come at a price: users need to spend additional time and effort to authenticate themselves. With this in mind, user perception of authentication is an important factor for successful use of authentication solutions. If users perceive an authentication procedure as time-consuming and difficult, they might ignore or try to bypass it. Therefore, user-perceived Quality of Experience (QoE) should be investigated. QoE is a challenging area because, in this case, it covers network performance and security as well as Human-Computer Interaction and user experience. Throughout this work, authentication performance is investigated, starting with a framework for evaluating security architectures and authentication solutions in general. Criteria for user-friendliness, security and simplicity are described, and the evaluation methods span from theoretical to practical, and from qualitative to quantitative methods. The latter two aspects are investigated by a study of user experience of web authentication with OpenID using the EAP-SIM authentication method. The user experiments resulted in several user models of QoE. One particular user model for QoE, the exponential relationship between QoE and network level performance, was then used in further experiments on performance evaluation of OpenID authentication using EAP-SIM. These experiments were carried out to determine the decisive factors for QoE of the authentication method in use. The results show that the combination of OpenID and EAP-SIM for authentication over a secure tunnel is not appropriate to use over networks with high delays. This implies the need for improvements of the authentication procedure of OpenID using EAP-SIM, which should be addressed in the future. The user model of QoE obtained in this study will also help to quantify the performance aspects of future authentication procedures.
