Pawel Krawczyk, profile picture
Uploaded byPawel Krawczyk
PPTX, PDF73 views

Authenticity and usability

The document discusses issues surrounding password usability and security, criticizing existing practices like blocking password managers and limiting character entry. It suggests improvements such as using simple text fields and adopting more secure authentication methods like fingerprints and U2F. It emphasizes the importance of conducting usability studies and understanding user behavior related to authentication errors.

Embed presentation

Download to read offline
Authenticity and Usability Pawel Krawczyk, Immusec.com
My Secure Banking Password 1st, 11th, 14th character?
Definition of the problem --->
“A Crypto-Nerd’s Imagination” Type 1st, 5th and 14th characters of your password Oh, obviously these will be 4, o and k Inspired by Xkcd.com
My Usable Banking Password <-- A real world human response strategy
My Usable Banking Password
My Usable Banking Password
My Usable Banking Password
My Usable Banking Password Credit: www.whatsmypass.com
What could be done better ● Do not block the password managers ○ Use a simple login/password text fields ○ Do not actively block text paste ○ Avoid “chosen characters” password entry ○ Never limit maximum password length ● Choose a more secure authentication methods ○ Fingerprint ○ U2F (Universal Two-Factor) ○ Avoid SMS passwords
How to get it right? ● Always run usability study on your authentication schemes ● Run controlled experiment with live users ● Note authentication error rates ● Understand user back-out strategies from authentication errors Questions? pkrawczyk@immusec.com https://immusec.com 0 7879 180015 https://www.linkedin.com/in/pawelkrawczyk/

More Related Content

DOCX
My labsplus logon instructions
bychellc14
 
PPTX
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
OlgerHoxha_Thesis_Final
byOlger Hoxha, CISSP CISM
 
PPTX
The strategies of password
byMohammedAlhamoodi
 
PDF
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
byIJERD Editor
 
PPTX
When will passwords die? Research challenges and opportunities in user authen...
byShujun Li
 
PDF
UX of Passwords | Refresh Seattle | Claire Carlson
byTheNextUX
 
ODP
Secure Password Management, Informal, @WalmartLabs
byKarl Mueller
 
My labsplus logon instructions
bychellc14
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
OlgerHoxha_Thesis_Final
byOlger Hoxha, CISSP CISM
 
The strategies of password
byMohammedAlhamoodi
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
byIJERD Editor
 
When will passwords die? Research challenges and opportunities in user authen...
byShujun Li
 
UX of Passwords | Refresh Seattle | Claire Carlson
byTheNextUX
 
Secure Password Management, Informal, @WalmartLabs
byKarl Mueller
 

Similar to Authenticity and usability

PPT
Usable Security and Passwords, Cylab Corporate Partners Oct 2009
byJason Hong
 
PPTX
Typical Vulnerabilities of E-Banking Systems
byPositive Hack Days
 
PDF
Passwords: Security vs Usability
byPer Thorsheim
 
PPT
Electronic Authentication, More Than Just a Password
byNicholas Davis
 
PDF
Why is password protection a fallacy a point of view
bySTO STRATEGY
 
PDF
M-Pass: Web Authentication Protocol
byIJERD Editor
 
PDF
Secure the experience, experience security
byRan Liron
 
PDF
Authetication ppt
byPranav Doshi
 
PDF
Graphical Password Authentication using Images Sequence
byIRJET Journal
 
PPTX
Improving Password Based Security
byRare Input
 
PPSX
Usable Security: When Security Meets Usability
byShujun Li
 
PPT
Electronic authentication more than just a password
byNicholas Davis
 
PPT
Electronic Authentication More Than Just A Password
byNicholas Davis
 
PPTX
Password cracking and brute force
byvishalgohel12195
 
PDF
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
bySBA Research
 
PPTX
Infor_Security_Authentication_User .pptx
byhomecooking511
 
PPTX
computer security authorization Authentication.pptx
byRajendraKumarVerma10
 
DOCX
Vshantaram
bysparsh dwivedi
 
PPTX
Behavioral biometrics mechanism for delaying password obsolescence
byElaine Wooton
 
PDF
W make107
byGreg in SD
 
Usable Security and Passwords, Cylab Corporate Partners Oct 2009
byJason Hong
 
Typical Vulnerabilities of E-Banking Systems
byPositive Hack Days
 
Passwords: Security vs Usability
byPer Thorsheim
 
Electronic Authentication, More Than Just a Password
byNicholas Davis
 
Why is password protection a fallacy a point of view
bySTO STRATEGY
 
M-Pass: Web Authentication Protocol
byIJERD Editor
 
Secure the experience, experience security
byRan Liron
 
Authetication ppt
byPranav Doshi
 
Graphical Password Authentication using Images Sequence
byIRJET Journal
 
Improving Password Based Security
byRare Input
 
Usable Security: When Security Meets Usability
byShujun Li
 
Electronic authentication more than just a password
byNicholas Davis
 
Electronic Authentication More Than Just A Password
byNicholas Davis
 
Password cracking and brute force
byvishalgohel12195
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
bySBA Research
 
Infor_Security_Authentication_User .pptx
byhomecooking511
 
computer security authorization Authentication.pptx
byRajendraKumarVerma10
 
Vshantaram
bysparsh dwivedi
 
Behavioral biometrics mechanism for delaying password obsolescence
byElaine Wooton
 
W make107
byGreg in SD
 

More from Pawel Krawczyk

PPTX
Top DevOps Security Failures
byPawel Krawczyk
 
ODP
Reading Geek Night 2019
byPawel Krawczyk
 
ODP
Effective DevSecOps
byPawel Krawczyk
 
PPTX
Unicode the hero or villain
byPawel Krawczyk
 
ODP
Get rid of TLS certificates - using IPSec for large scale cloud protection
byPawel Krawczyk
 
PPTX
Presentation from CyberGov.pl 2015
byPawel Krawczyk
 
PDF
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
byPawel Krawczyk
 
PDF
Leszek Miś "Czy twoj WAF to potrafi"
byPawel Krawczyk
 
PPTX
Paweł Krawczyk - Ekonomia bezpieczeństwa
byPawel Krawczyk
 
PPTX
Are electronic signature assumptions realistic
byPawel Krawczyk
 
PPTX
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
byPawel Krawczyk
 
PPTX
Filtrowanie sieci - Panoptykon
byPawel Krawczyk
 
PPTX
Pragmatic view on Electronic Signature directive 1999 93
byPawel Krawczyk
 
PPTX
Why care about application security
byPawel Krawczyk
 
PPT
Source Code Scanners
byPawel Krawczyk
 
PDF
Krawczyk Ekonomia Bezpieczenstwa 2
byPawel Krawczyk
 
PDF
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
byPawel Krawczyk
 
ODP
Kryptografia i mechanizmy bezpieczenstwa
byPawel Krawczyk
 
ODP
Zaufanie W Systemach Informatycznych
byPawel Krawczyk
 
PPT
Real Life Information Security
byPawel Krawczyk
 
Top DevOps Security Failures
byPawel Krawczyk
 
Reading Geek Night 2019
byPawel Krawczyk
 
Effective DevSecOps
byPawel Krawczyk
 
Unicode the hero or villain
byPawel Krawczyk
 
Get rid of TLS certificates - using IPSec for large scale cloud protection
byPawel Krawczyk
 
Presentation from CyberGov.pl 2015
byPawel Krawczyk
 
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
byPawel Krawczyk
 
Leszek Miś "Czy twoj WAF to potrafi"
byPawel Krawczyk
 
Paweł Krawczyk - Ekonomia bezpieczeństwa
byPawel Krawczyk
 
Are electronic signature assumptions realistic
byPawel Krawczyk
 
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
byPawel Krawczyk
 
Filtrowanie sieci - Panoptykon
byPawel Krawczyk
 
Pragmatic view on Electronic Signature directive 1999 93
byPawel Krawczyk
 
Why care about application security
byPawel Krawczyk
 
Source Code Scanners
byPawel Krawczyk
 
Krawczyk Ekonomia Bezpieczenstwa 2
byPawel Krawczyk
 
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
byPawel Krawczyk
 
Kryptografia i mechanizmy bezpieczenstwa
byPawel Krawczyk
 
Zaufanie W Systemach Informatycznych
byPawel Krawczyk
 
Real Life Information Security
byPawel Krawczyk
 

Recently uploaded

PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 

Authenticity and usability

  • 1.
    Authenticity and Usability PawelKrawczyk, Immusec.com
  • 3.
    My Secure BankingPassword 1st, 11th, 14th character?
  • 4.
    Definition of theproblem --->
  • 5.
    “A Crypto-Nerd’s Imagination” Type1st, 5th and 14th characters of your password Oh, obviously these will be 4, o and k Inspired by Xkcd.com
  • 6.
    My Usable BankingPassword <-- A real world human response strategy
  • 7.
  • 8.
  • 9.
  • 10.
    My Usable BankingPassword Credit: www.whatsmypass.com
  • 11.
    What could bedone better ● Do not block the password managers ○ Use a simple login/password text fields ○ Do not actively block text paste ○ Avoid “chosen characters” password entry ○ Never limit maximum password length ● Choose a more secure authentication methods ○ Fingerprint ○ U2F (Universal Two-Factor) ○ Avoid SMS passwords
  • 12.
    How to getit right? ● Always run usability study on your authentication schemes ● Run controlled experiment with live users ● Note authentication error rates ● Understand user back-out strategies from authentication errors Questions? pkrawczyk@immusec.com https://immusec.com 0 7879 180015 https://www.linkedin.com/in/pawelkrawczyk/