Usability engineering for code-based multi-factor authentication
Roy, Graeme Stuart
The increase in the use of online banking and other alternative banking channels has given customers greater flexibility, but it has also increased the amount of fraud across these channels. The industry recommendation for banks and other financial institutions is to use multi-factor customer authentication to reduce the risk of identity theft and fraud for those choosing to use such banking channels. Few multi-factor authentication solutions available to banks offer a convenient security procedure across all banking channels. The CodeSure card presented in this research is such a device, offering a convenient, multi-channel, two-factor code-based security solution built on the ubiquitous Chip-and-PIN bank card. For the CodeSure card to find acceptance as a usable security solution, it must be shown to be easy to use, and customers must find it easy to understand what they are being asked to do and how they can achieve it. This need for a usability study forms the basis of the research reported here. The CodeSure card is also shown to play a role in combating identity theft. With the growing popularity of online channels, this research also examines the threats of phishing and malware, and users' awareness of these threats. Many banks have ceased using email to communicate with their customers as a result of the phishing threat, and the CodeSure card's reverse (sender) authentication mode is investigated as a potential solution for regaining trust in the email channel and reintroducing it as a means for the bank to communicate with its customers. In the 8 experiments presented in this study the CodeSure card was rated acceptably high in terms of mean usability.
Overall, the research reported here is offered in support of the thesis that a usable security solution predicated on code-based multi-factor authentication will result in tangible improvements to actual security levels in banking and eCommerce services, and that the CodeSure card as described here can form the basis of such a usable security solution.