Phishing attacks, which combine social engineering with a man-in-the-middle position, aim to obtain sensitive information such as login identities and passwords from unsuspecting users. A phishing attack normally starts with an email asking people to log on to a fake Web site that masquerades as a genuine Web site requiring login and authentication.
There are always people who fall victim to such emails, and they do not notice the fake Web site even though the connection uses TLS (Transport Layer Security). Technically, the fake Web site has been correctly authenticated: its certificate is valid for the domain the browser actually connected to. Semantically, this is a false positive, i.e. the client has authenticated the wrong server. The problem is not weak cryptographic authentication but the poor usability of the overall authentication solution, of which TLS is only a small part.
Pharming attacks trick users into logging into the attacker's Web site by poisoning the DNS (Domain Name Server) cache on the client platform or the local broadband router, so that the genuine bank's domain name maps to the IP address of the attacker's server in the poisoned cache. With a poisoned DNS cache, the browser connects to the attacker's server even though the customer types the bank's correct domain name by hand.
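To make the false-positive point concrete, the following is an added Python example, not code from the article: a simplified TLS hostname check of the kind browsers perform, which accepts a valid certificate for a look-alike domain, beside a semantic check that folds common digit-for-letter substitutions and flags the host as imitating a trusted domain. The bank and attacker names are constructed, and the registrable-domain logic is a deliberate simplification.

```python
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed sample data (hypothetical names, not real sites).
TRUSTED_DOMAINS = ["example-bank.com"]
PHISH_HOST = "examp1e-bank.com"  # digit 1 in place of the letter l
PHISH_CERT_SANS = ["examp1e-bank.com", "www.examp1e-bank.com"]
# Digits commonly substituted for letters in look-alike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def hostname_matches_cert(requested_host: str, cert_sans: List[str]) -> bool:
    """Simplified RFC 6125 name check: exact SAN match or a one-label wildcard.
    This is all TLS verifies; it knows nothing about which site the user meant."""
    host = requested_host.lower().rstrip(".")
    for san in cert_sans:
        san = san.lower()
        if san.startswith("*."):
            # a wildcard covers exactly one leftmost label, never more
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False

def registrable_part(host: str) -> str:
    # Simplification: last two labels; real code would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(requested_host: str, trusted: List[str], threshold: float = 0.85) -> Optional[str]:
    """Return the trusted domain this host imitates, or None if trusted or unrelated."""
    base = registrable_part(requested_host)
    if base in trusted:
        return None
    folded = base.translate(CONFUSABLES)
    for good in trusted:
        if folded == good or SequenceMatcher(None, folded, good).ratio() >= threshold:
            return good
    return None

def verdict(requested_host: str, cert_sans: List[str], trusted: List[str]) -> str:
    """Cryptographic check first, then the semantic check TLS cannot do."""
    if not hostname_matches_cert(requested_host, cert_sans):
        return "tls-failure"  # the browser would warn here
    if registrable_part(requested_host) in trusted:
        return "trusted"
    target = lookalike_of(requested_host, trusted)
    return f"phish-lookalike-of:{target}" if target else "valid-but-unknown"

if __name__ == "__main__":
    print(verdict(PHISH_HOST, PHISH_CERT_SANS, TRUSTED_DOMAINS))  # phish-lookalike-of:example-bank.com
```

The attacker's site passes the TLS name check because the certificate really is valid for its own name; only the second check, which TLS does not perform, notices that the name imitates the bank.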
Usability in CHI (Human-Computer Interaction) is normally understood as the simplicity and clarity of the interaction that a computer program or Web site offers its users.
Beyond the technical aspects, identity management systems need adequate usability and a simple, intuitive interface. A system designed only around service provider requirements, without considering user requirements, will be inconvenient and hard to use when people manage their identities. Where usability and the security-related parts of the user interface are poor, security will be poor too.
For example, to avoid the tedious task of remembering difficult passwords, users typically behave less securely by reusing weak passwords. This password habit is a threat to identity management systems. The traditional requirement that passwords be hard to guess and different for every service places a considerable mental burden on users.
Various studies show that people use heuristic strategies to reduce this mental load. Unfortunately, these strategies also make passwords vulnerable to attack. A typical strategy is to reuse a small number of passwords across all the services a user accesses, so the number of passwords stays constant while the number of services grows. Users often reserve a single password for the service with the highest risk, and reuse the same password, or variations of it, for all low-risk services.
This practice shows that users bypass or ignore good security practice when faced with frustrating tasks. It is a serious threat to the security of user authentication and leaves systems vulnerable to all variants of password cracking attacks.
It is strongly argued that any identity management solution that is not user-centric will, by definition, have limited usability. Since poor usability leads to poor security, user-centric identity management systems improve security by improving usability and by solving the scalability problem from the user's perspective. Such systems not only provide adequate usability but also enhance user privacy by giving users back control over managing their identities.