Authentication Friction

dictionary-term

[ 1 Alternative Forms ] [ 2 Definition ] [ 2.1 Sample Sentences ] [ 2.2 Conceptual Diagram ] [ 3 Related Terms ] [ 4 Bibliography ] [ 5 See Also ]

Alternative Forms

Authentication Burden
Friction

Definition

The Authentication Friction is the total cost (time, effort, money) required on the part of a user to authenticate to a service.

Authentication Friction is a component of what Beautement et al., 2008 call the user’s Compliance Budget. This model states that the primary goal of the user is to accomplish business tasks with the service. Any friction point that interferes with this primary goal is a cost that consumes the user’s Compliance Budget, until the threshold where the user’s cost/benefit perception becomes negative. At this point, the user may change behavior, e.g. opt for a less secure configuration, subscribe to an alternative service, etc.

Friction points comprise:

Memory effort to remind passwords,
License cost and usage of a password management solution,
Manipulations of a physical token or authentication application (incl. typing in PIN, biometric procedure, copying or remembering OTP, etc.)
CAPTCHAs or similar questions,
Biometric procedures (touch, speak, look, type, etc.),
Thinking through complex or unclear authentication processes,
Authentication reset procedures (incl. password reset),
Waiting time,
etc.

Note - Authentication Friction comes from a metaphorical usage of the term friction from the physical sciences. Friction designates the force of resistance of sliding (or rolling) solid objects on fixed solid objects. The analogy is that the user is the sliding object, and the service is the fixed object. The sliding object/user needs to advance some distance against the force of resistance of the fixed object/authentication process to gain access to the service. The adequacy of this analogy is debatable because the coefficient of friction, in physics, is μ=F/L, where F is the ratio of friction and L the load. Thus, the sliding object’s load is really a key variable whereas, when considering authentication, it is rather the load of the authentication process on the user that is of primary interest. (Encyclopedia Britannica, Friction, accessed 8 March 2022)

Sample Sentences

Bob was using the Acme online service. By default, MFA was enabled. But the second factor was a real pain from a user experience’s perspective: you had to memorize a 6 digit code and type it in to get a new code, then append that code to your password… So Bob disabled the MFA feature in his profile configuration. Eve, the infamous hacker, seized this opportunity to compromise Bob’s account. All of this could have been avoided if the authentication friction of this service had been lower.

Conceptual Diagram

Friction
Friction Point
User Experience

Bibliography

Page:
Beautement et al., 2008 (Bibliography) — Beautement, A., Sasse, M.A., Wonham, M., 2008. The Compliance Budget: Managing Security Behaviour in Organisations, in: Proceedings of the 2008 Workshop on New Security Paradigms - NSPW ’08. Presented at the 2008 workshop, ACM Press, Lake Tahoe, California, USA, p. 47. https://doi.org/10.1145/1595676.1595684
Page:
Manteigueiro et al., 2020 (Bibliography) — Manteigueiro, J., Crocker, P., Barrico, C., 2020. Identity Management and Access Control for the GNSS Community within a European Research Infrastructure, in: 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC). Presented at the 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), IEEE, Madrid, Spain, pp. 1616–1621.
Page:
NIST IR 7983, 2014 (Bibliography) — Steves, M., Chisnell, D., Sasse, A., Krol, K., Theofanos, M., Wald, H., 2014. NIST IR 7983: Report: Authentication Diary Study (No. NIST IR 7983). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.IR.7983
Page:
Shah et al., 2015 (Bibliography) — Shah, Y., Choyi, V., Schmidt, A.U., Subramanian, L., 2015. Multi-factor Authentication as a Service. Presented at the 2015 3rd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering, pp. 144–150. https://doi.org/DOI 10.1109/MobileCloud.2015.35