Long-Term User Study of Forcing and Training Login Mechanisms Against Phishing

We present the results of the first long-term user study of site-based login mechanisms which force and train users to login safely. We found that interactive site-identifying images received 70% detection rates, which is significantly better than passive indicators’ results [16, 9, 13]. We also found that login bookmarks, when used together with ‘non-working’ links, doubled the prevention rates of reaching spoofed login pages in the first place. Combining these mechanism provides effective prevention and detection of phishing attacks, and when several images are displayed in the login page, the best detection rates (82%) and overall resistance rates (93%) are achieved. We also introduce the notion of negative training functions, which train users not to take dangerous actions by experiencing failure when taking them. We also present WAPP (Web Application Phishing-Protection), an effective server-side solution which combines the login bookmark and the interactive custom image indicators and provides two-factor and twosided authentication.