CEN/ISSS CWA eAuthentication Part 3 eID User Interface

Provided by: mattlo7

Transcript and Presenter's Notes



1
CEN/ISSS CWA eAuthentication Part 3 eID User Interface
  • Alan Leibert
  • The ALCO Group
  • www.alco.eu.com

2
What is the Problem?
  • Users do what they are told
  • Users all have university degrees in computing
  • Users are willing to submit to any security test
    in any circumstance
  • Users do not mind how long transactions take

3
What is the Problem?
  • If users do not like a service, they will not use
    it
  • If users do not use it, then the provision of
    service will be a failure, regardless of cost and
    complexity
  • One failing service will set back the whole
    programme for a long time; trust is difficult to
    rebuild

4
What Users Want
  • Ease of use
  • Consistency of operation
  • Tailored operation
  • Access anytime, anywhere
  • Access to a wide range of services
  • Privacy and security
  • Knowledge of costs and implications
  • Security to match the requirement, sufficient but
    not overkill
  • Trust in the service

5
Users and Security
  • How is trust generated?
  • Is the terminal secure?
  • Is the network secure?
  • Is the application secure?
  • Will my private information be held in the
    terminal for later use?
  • Will the application share my data with others?
  • How is privacy assured?
  • Terminal design
  • Screen interaction
  • Application design

6
Users and Security
  • How is security made acceptable?
  • Appropriate use of security
  • Use of smartcards
  • Use of PINs, one or many
  • Use of biometrics appropriately
  • Intelligent dialogue with the user
  • Allowance for mistakes
  • Short transaction times
  • eAuthentication Part 3 User Requirements
  • A critical part of the eID discussion

7
General Requirements
  • Inclusivity
  • Special needs
  • Language differences
  • Cultural differences
  • Enjoyable experience
  • Intuitive operation
  • User controlled
  • e.g. use of short cuts once familiar
  • Acceptance or rejection
  • At user option
  • Non-intrusive

8
General Requirements
  • Consistency of operation
  • Interface
  • Interactions
  • Similar to prior experience
  • Natural
  • Terminology
  • Symbols and pictograms
  • Error handling
  • Restarting or cancelling transactions

9
Using a Smartcard
  • When to take it out of your pocket
  • When to place it into or onto a terminal
  • How to place it
  • How to authenticate yourself
  • What you can do
  • Keeping control
  • Signing something
  • Ensuring cost transparency
  • When to remove the card

10
Managing a Smartcard
  • Being issued with a card
  • Modifying the contents of a card
  • Loading/removing applications
  • Using the card in a high value/high risk
    circumstance

11
User Requirements in an eID System
  • Starting off
  • Providing the card
  • Identification
  • Who do you claim to be
  • Card held data or data accessed by the card
  • Application selection
  • Authentication
  • Biometrics
  • PINs
  • Passwords

12
User Requirements in an eID System
  • Authorisation
  • Entitlements
  • The environment
  • Re-Authentication
  • Transaction processing
  • Dialogue
  • Data entry
  • Signing data
  • Transaction completion

13
Other Issues
  • Informed consent
  • Implications
  • Keeping the user informed
  • Unambiguous dialogue
  • Consumer protection
  • Location of terminal and user
  • Where is the transaction being processed?
  • Where is the effect of the transaction being
    felt?
  • The user must be aware

14
The Bottom Line
  • This is a user driven environment
  • Technologists can design and build all sorts of
    clever systems, but if the user does not use it,
    the scheme will fail
  • There are always trade-offs and compromises. The
    security designer must be aware of them and act
    accordingly

15
Thank you