The Authentication Game

The balancing act between security and usability is hard to achieve. Inevitably, compromises are made, either by system designers or by wily users who find ways to circumvent complex rules and processes. Researchers from the University of Pretoria in South Africa have been studying this problem and have designed a new approach to authentication.

Gamification applies the constructs and tools of game design to non-game problems. By giving users a motivation to follow particular rules - in much the same way as players accumulate points or other rewards in games - researchers Christien Kroeze and Martin S Olivier posit that it is possible to motivate users to follow security procedures.

Kroeze and Olivier say, "It is difficult for security experts to understand users, and for users to understand security policies. This results in users being treated as the weakest link, and inadequate technologies exist to unite the two fields".

They point to research showing that experts could configure a system in five minutes while users took an average of more than two hours. As a result, the researchers suggest that security experts may favour security over usability, choosing to protect the system's resources at the expense of the user's experience.

As part of their research, Kroeze and Olivier reviewed the work of many other scholars and found that, for users, security is often a secondary goal behind completing their assigned work, and that the feedback they received with regard to security was not connected to that work.

They also pointed to the weaknesses associated with text-based passwords. Although they are easy to implement, they lead to practices such as password reuse and recording passwords in insecure ways, such as on written notes.

"Guidelines given to users on password creation often confuse the matter more. They suggest that passwords should be memorable, but not easy to guess; they should be as long as possible, but should never be reused; they should contain as many special characters as possible, but still be meaningful to the user. Randomly generated passwords that are assigned to users are the most secure, but also the hardest to remember".


Part of the key to addressing these issues, according to Kroeze and Olivier, is to make security meaningful to users and to give them feedback. This is where they see gamification offering benefits.

Interestingly, they note that the rewards provided through gamification to users don’t need to have value in the physical world. They point to World of Warcraft as an example.

"Players of the online role playing game World of Warcraft (Wow) will complete numerous “raids”, at the risk of complete failure (which happens 50% of the time) and an uneven distribution of rewards in the form of treasure. These raids are also repetitive and perhaps even tedious. But players pay subscription to be able to do this repetitive work, because the feedback is instant, making players feel productive".

It is this need to show progress and productivity that Kroeze and Olivier say is important. They point to the password strength indicator many sites now employ when users set passwords. It provides a visual cue that tells the user when they have reached a satisfactory level of password strength.

A substantial part of the research paper reviews existing literature regarding game design and how to influence player behaviour. Using this research, Kroeze and Olivier suggest a game based on the use of graphical passwords as these have been found by some researchers to be more memorable for users.

Part of the basis for their game design comes from the game Pokemon. As players accumulate points, their Pokemon characters gain more abilities and change form. Players readily remember the 646 different Pokemon names and their images, because the names and images are related.

Kroeze and Olivier suggest that a computer-generated name associated with an image would be memorable to users but extremely robust against a dictionary attack.
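As an added illustration, not code from the paper or from this article, the Python sketch below puts the two feedback ideas above side by side: a password strength indicator of the kind described, which scores a candidate and returns a tier the user can act on, and a generator for Pokemon-style computer-generated names built from syllables, with the generator's true guess space computed next to what the meter would display. The common-word list, the syllable table and the tier thresholds are constructed for the example and are not taken from the research.

```python
import math
import secrets
import string

# Constructed stand-in for a real list of common passwords (a deployed meter
# would load a list of thousands of entries).
COMMON_WORDS = {"password", "letmein", "dragon", "monkey", "football", "welcome"}

# Constructed syllable table for the generated-name scheme: 32 consonant-vowel pairs.
SYLLABLES = [
    "ba", "be", "bi", "bo", "bu", "da", "de", "di", "do", "du",
    "ka", "ke", "ki", "ko", "ku", "ma", "me", "mi", "mo", "mu",
    "na", "ne", "ni", "no", "nu", "ra", "re", "ri", "ro", "ru",
    "sa", "se",
]


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def estimate_bits(password: str) -> float:
    """Meter estimate in bits. A word on the common list counts as one of
    len(COMMON_WORDS) guesses, because an attacker tries that list first;
    anything else is scored as if every character were drawn uniformly from
    the classes it uses, an upper bound that is the meter's known weakness."""
    if not password:
        return 0.0
    if password.lower() in COMMON_WORDS:
        return math.log2(len(COMMON_WORDS))
    return len(password) * math.log2(charset_size(password))


def strength_feedback(password: str) -> tuple[str, float]:
    """Return (tier, bits): the visual cue a strength indicator shows."""
    bits = estimate_bits(password)
    if bits < 28:
        tier = "weak"
    elif bits < 50:
        tier = "fair"
    else:
        tier = "strong"
    return tier, round(bits, 1)


def generate_name(num_syllables: int = 5) -> str:
    """Pronounceable, name-like credential drawn with a CSPRNG."""
    return "".join(secrets.choice(SYLLABLES) for _ in range(num_syllables)).capitalize()


def generator_bits(num_syllables: int = 5) -> float:
    """Exact entropy of generate_name: each syllable is one uniform draw."""
    return num_syllables * math.log2(len(SYLLABLES))


def meter_vs_generator(num_syllables: int = 5) -> tuple[float, float]:
    """Compare what the meter would display for a generated name with the
    generator's true entropy. The meter sees mixed-case letters and
    overestimates; the real guess space is len(SYLLABLES) ** num_syllables."""
    name = generate_name(num_syllables)
    return estimate_bits(name), generator_bits(num_syllables)


if __name__ == "__main__":
    for candidate in ["password", "Kazumori", "Tr0ub4dor&3"]:
        print(candidate, strength_feedback(candidate))
    print(generate_name(), meter_vs_generator())
```

The comparison is the practical point: a five-syllable name from this table is never found by a dictionary attack, since it is in no word list, but its guess space is 32^5, about 25 bits, while the character-class meter would display roughly 57 bits for the same string. Whoever deploys such a scheme should size the syllable table and the number of syllables from the generator's own entropy, not from what a strength indicator reports.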

Kroeze and Olivier conclude that gamification has a place in improving user. They intend to do further work that will focus on developing a game that does not rely on text-based passwords as a basis.

You can read the full paper here.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Anthony Caruana
