Security online seeks to authenticate the identity of users to protect valuable resources. When you authenticate, you prove (to some level of satisfaction) that you are who you say you are.

(Authorization is a partner to authentication, but not the same. Once authenticated, a user may be authorized for some actions and not for others. Authorization, to provide robust protection, should not be all-or-nothing once the hurdle of authentication has been cleared.)

A currently popular method of improving security online is to require users, in addition to providing a login ID and password, to correctly select an image they chose ahead of time as part of authentication.

This “image authorization” is not the same as CAPTCHA-like methods, which require a user to enter a set of numbers and/or letters displayed in a way that makes them difficult for automated web crawlers to analyze and enter.

As it turns out, the increase in security provided by image authorization is wishful thinking.

Not because, if followed, such an extra step wouldn’t increase security.

But because people give away the store — lock, stock, login ID and password — even when presented with a loudly yelling security notice.

Last month, the results of a study on security (pdf) were presented to the IEEE, an engineering professional association. The study, conducted jointly by researchers from Harvard University and the Massachusetts Institute of Technology, puts forward the following conclusions (my comments labeled):

  • Users will enter their passwords even when HTTPS indicators are absent.
    Comment: most users don’t know to look for HTTPS, nor that it indicates an encrypted connection that cannot be eavesdropped on in transit.

  • Users will enter their passwords even if their site-authentication images are absent.
    Comment: most users have a hard enough time juggling login IDs and passwords. Likely the absence of site-authentication images is a relief, rather than a red flag.

  • Site-authentication images may cause users to disregard other important security indicators.
    Comment: most users don’t understand authentication. They trust that if something can be recognized as security-related, they’re safe.

  • Role playing has a significant negative effect on the security vigilance of study participants.
    Comment: most users guard their own information better than somebody else’s.

The moral: better user education.

Caution: Never give out your login ID and password to another person.

Nobody will guard your login ID and password as well as you do — and you likely need to do a better job at watching for security red flags online.
