Security and Usability of a Personalized User Authentication Paradigm:   Insights from a Longitudinal Study with Three Healthcare Organizations

Argyris Constantinides; Marios Belk; Christos Fidas; Roy Beumers; David Vidal; Wanting Huang; Juliana Bowles; Thais Webber; Agastya Silvina; Andreas Pitsillides

doi:10.1145/3564610

Security and Usability of a Personalized User Authentication Paradigm: Insights from a Longitudinal Study with Three Healthcare Organizations

Argyris Constantinides, Marios Belk, Christos Fidas, Roy Beumers, David Vidal, Wanting Huang, Juliana Bowles, Thais Webber, Agastya Silvina, Andreas Pitsillides

Research output: Contribution to journal › Article › peer-review

Abstract

This article proposes a user-adaptable and personalized authentication paradigm for healthcare organizations, which anticipates to seamlessly reflect patients' episodic and autobiographical memories to graphical and textual passwords aiming to improve the security strength of user-selected passwords and provide a positive user experience. We report on a longitudinal study that spanned over 3 years in which three public European healthcare organizations participated to design and evaluate the aforementioned paradigm. Three studies were conducted (n = 169) with different stakeholders: (1) a verification study aiming to identify existing authentication practices of the three healthcare organizations with diverse stakeholders (n = 9), (2) a patient-centric feasibility study during which users interacted with the proposed authentication system (n = 68), and (3) a human guessing attack study focusing on vulnerabilities among people sharing common experiences within location-aware images used for graphical passwords (n = 92). Results revealed that the suggested paradigm scored high with regard to users' likeability, perceived security, usability, and trust, but more importantly it assists the creation of more secure passwords. On the downside, the suggested paradigm introduces password guessing vulnerabilities by individuals sharing common experiences with the end users. Findings are expected to scaffold the design of more patient-centric knowledge-based authentication mechanisms within today's dynamic computation realms.

Original language	English
Article number	2
Pages (from-to)	1-40
Journal	ACM Transactions on Computing for Healthcare
Volume	4
Issue number	1
DOIs	https://doi.org/10.1145/3564610
Publication status	Published - 27 Feb 2023

Bibliographical note

Funding Information:
This research was partially supported by the EU Horizon 2020 grant 826278, “Securing Medical Data in Smart Patient-Centric Healthcare Systems” (Serums), and the Research and Innovation Foundation (Project DiversePass: COMPLEMENTARY/0916/0182).

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Keywords

Additional Key Words and PhrasesKnowledge-based user authentication
feasibility user study
graphical passwords
human guessing attack study
security
usability

Access to Document

10.1145/3564610

3564610
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
Final published version, 4.92 MB

Cite this

Constantinides, A., Belk, M., Fidas, C., Beumers, R., Vidal, D., Huang, W., Bowles, J., Webber, T., Silvina, A., & Pitsillides, A. (2023). Security and Usability of a Personalized User Authentication Paradigm: Insights from a Longitudinal Study with Three Healthcare Organizations. ACM Transactions on Computing for Healthcare, 4(1), 1-40. Article 2. https://doi.org/10.1145/3564610

@article{97359b1a588d4302bb300ef9d9b87749,

title = "Security and Usability of a Personalized User Authentication Paradigm: Insights from a Longitudinal Study with Three Healthcare Organizations",

abstract = "This article proposes a user-adaptable and personalized authentication paradigm for healthcare organizations, which anticipates to seamlessly reflect patients' episodic and autobiographical memories to graphical and textual passwords aiming to improve the security strength of user-selected passwords and provide a positive user experience. We report on a longitudinal study that spanned over 3 years in which three public European healthcare organizations participated to design and evaluate the aforementioned paradigm. Three studies were conducted (n = 169) with different stakeholders: (1) a verification study aiming to identify existing authentication practices of the three healthcare organizations with diverse stakeholders (n = 9), (2) a patient-centric feasibility study during which users interacted with the proposed authentication system (n = 68), and (3) a human guessing attack study focusing on vulnerabilities among people sharing common experiences within location-aware images used for graphical passwords (n = 92). Results revealed that the suggested paradigm scored high with regard to users' likeability, perceived security, usability, and trust, but more importantly it assists the creation of more secure passwords. On the downside, the suggested paradigm introduces password guessing vulnerabilities by individuals sharing common experiences with the end users. Findings are expected to scaffold the design of more patient-centric knowledge-based authentication mechanisms within today's dynamic computation realms.",

keywords = "Additional Key Words and PhrasesKnowledge-based user authentication, feasibility user study, graphical passwords, human guessing attack study, security, usability",

author = "Argyris Constantinides and Marios Belk and Christos Fidas and Roy Beumers and David Vidal and Wanting Huang and Juliana Bowles and Thais Webber and Agastya Silvina and Andreas Pitsillides",

note = "Funding Information: This research was partially supported by the EU Horizon 2020 grant 826278, “Securing Medical Data in Smart Patient-Centric Healthcare Systems” (Serums), and the Research and Innovation Foundation (Project DiversePass: COMPLEMENTARY/0916/0182). Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.",

year = "2023",

month = feb,

day = "27",

doi = "10.1145/3564610",

language = "English",

volume = "4",

pages = "1--40",

number = "1",

}

Constantinides, A, Belk, M, Fidas, C, Beumers, R, Vidal, D, Huang, W, Bowles, J, Webber, T, Silvina, A & Pitsillides, A 2023, 'Security and Usability of a Personalized User Authentication Paradigm: Insights from a Longitudinal Study with Three Healthcare Organizations', ACM Transactions on Computing for Healthcare, vol. 4, no. 1, 2, pp. 1-40. https://doi.org/10.1145/3564610

TY - JOUR

T1 - Security and Usability of a Personalized User Authentication Paradigm

T2 - Insights from a Longitudinal Study with Three Healthcare Organizations

AU - Constantinides, Argyris

AU - Belk, Marios

AU - Fidas, Christos

AU - Beumers, Roy

AU - Vidal, David

AU - Huang, Wanting

AU - Bowles, Juliana

AU - Webber, Thais

AU - Silvina, Agastya

AU - Pitsillides, Andreas

N1 - Funding Information: This research was partially supported by the EU Horizon 2020 grant 826278, “Securing Medical Data in Smart Patient-Centric Healthcare Systems” (Serums), and the Research and Innovation Foundation (Project DiversePass: COMPLEMENTARY/0916/0182). Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

PY - 2023/2/27

Y1 - 2023/2/27

N2 - This article proposes a user-adaptable and personalized authentication paradigm for healthcare organizations, which anticipates to seamlessly reflect patients' episodic and autobiographical memories to graphical and textual passwords aiming to improve the security strength of user-selected passwords and provide a positive user experience. We report on a longitudinal study that spanned over 3 years in which three public European healthcare organizations participated to design and evaluate the aforementioned paradigm. Three studies were conducted (n = 169) with different stakeholders: (1) a verification study aiming to identify existing authentication practices of the three healthcare organizations with diverse stakeholders (n = 9), (2) a patient-centric feasibility study during which users interacted with the proposed authentication system (n = 68), and (3) a human guessing attack study focusing on vulnerabilities among people sharing common experiences within location-aware images used for graphical passwords (n = 92). Results revealed that the suggested paradigm scored high with regard to users' likeability, perceived security, usability, and trust, but more importantly it assists the creation of more secure passwords. On the downside, the suggested paradigm introduces password guessing vulnerabilities by individuals sharing common experiences with the end users. Findings are expected to scaffold the design of more patient-centric knowledge-based authentication mechanisms within today's dynamic computation realms.

AB - This article proposes a user-adaptable and personalized authentication paradigm for healthcare organizations, which anticipates to seamlessly reflect patients' episodic and autobiographical memories to graphical and textual passwords aiming to improve the security strength of user-selected passwords and provide a positive user experience. We report on a longitudinal study that spanned over 3 years in which three public European healthcare organizations participated to design and evaluate the aforementioned paradigm. Three studies were conducted (n = 169) with different stakeholders: (1) a verification study aiming to identify existing authentication practices of the three healthcare organizations with diverse stakeholders (n = 9), (2) a patient-centric feasibility study during which users interacted with the proposed authentication system (n = 68), and (3) a human guessing attack study focusing on vulnerabilities among people sharing common experiences within location-aware images used for graphical passwords (n = 92). Results revealed that the suggested paradigm scored high with regard to users' likeability, perceived security, usability, and trust, but more importantly it assists the creation of more secure passwords. On the downside, the suggested paradigm introduces password guessing vulnerabilities by individuals sharing common experiences with the end users. Findings are expected to scaffold the design of more patient-centric knowledge-based authentication mechanisms within today's dynamic computation realms.

KW - Additional Key Words and PhrasesKnowledge-based user authentication

KW - feasibility user study

KW - graphical passwords

KW - human guessing attack study

KW - security

KW - usability

UR - http://www.scopus.com/inward/record.url?scp=85150980656&partnerID=8YFLogxK

U2 - 10.1145/3564610

DO - 10.1145/3564610

M3 - Article

AN - SCOPUS:85150980656

SN - 2691-1957

VL - 4

SP - 1

EP - 40

JO - ACM Transactions on Computing for Healthcare

JF - ACM Transactions on Computing for Healthcare

IS - 1

M1 - 2

ER -