by Wim Remes
As I was rolling out a limited pilot group of users in an average-size Single Sign-On (SSO) project something struck me.
For these 10 users, we stood by their side while the application was installed, and every user suffered from the same phenomenon, some more than others. Imagine this scenario:
1. User A is working in application B. She has logged on, and there is no password save mechanism. She actually types in her password every day, maybe even several times per day (this is why we’re doing SSO after all).
2. The SSO software is installed. The computer restarts.
3. User A logs on to the computer and starts application B. When the logon screen is detected, an SSO dialog box pops up that requests her to enter the credentials for application B.
What happens?
Normally this user would enter her password and go on with her day, but that wasn’t what we saw. Some users hesitated for a few seconds, others dug up a paper with passwords from their drawer, some asked their colleagues, and some really had to call the service desk for a password reset. Each and every one of the users had to guess their user names two or more times!
It didn’t only show us what was wrong with the password policy …
At that particular moment, I was flabbergasted. How could it be that a change in the interface would blank out the memory of almost every user? Obviously, these users don’t just remember username/password combinations; subconsciously, they must make a link between graphical elements of an interface and those credentials. When these graphical elements drastically change, the connection is lost and the related information is orphaned.
In the past few days I’ve given this a lot of thought. Obviously, this is behaviour we have seen from another angle before. Phishing e-mails contain graphical elements familiar to the user to invoke trust; rogue websites mimic the graphical layout of their real counterparts to do the same. Heck, Lotus Notes came with a changing on-screen visual when entering the password to counter shoulder-surfing. Interfaces, apart from being a layer to make boring information look pretty, are important parts of the security design of an application. It’s something I’ll take with me.
At the very least, it has proven again that, whatever the size of the project, you should always try to be as close to the end-user as possible and see how they react, and how your solution changes their secure behaviour in a positive or negative way. You can learn as much from them as they can learn from you.
I will look into this behaviour further as the project continues and report back if there is more information.