Poster: The MVP web-based framework for user studies in authentication

Despite the ubiquity of password systems, knowledge-based authentication remains an important and active research area. Many current systems have low security, and even then users often devise insecure coping strategies in order to compensate for memorability and usability problems. Alternative authentication systems, including various graphical password schemes, have received considerable attention in response. We have conducted a systematic review of the literature on graphical passwords [2], and found no consistency in the usability and security evaluation of different schemes. The situation is similar for text passwords, rendering fair comparison between schemes nearly impossible. In our earlier authentication research, we have used both controlled lab studies and more extensive field studies. Lab studies can reduce the number of confounding variables and show whether more extensive studies are justifiable. However, the tasks of creating and logging in are typically in the foreground, whereas in real-life these are secondary tasks that receive little attention. Issues surrounding memorability and memory interference are also difficult to evaluate in a lab setting. Our lab studies used a typical approach involving a simple structure with repeated tasks. Field studies present more complex challenges. In this paper, we present MVP (Multiple Versatile Passwords), a new framework for conducting user studies of authentication schemes thst can easily be deployed in both lab and field environments. It addresses ecological validity issues by using real websites with real content, making authentication a secondary task. MVP differs from systems such as OpenID [1] or single sign-on; its goal is specifically to serve as an instrumented platform for testing and comparing multiple authentication schemes.