{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T02:53:41Z","timestamp":1768445621771,"version":"3.49.0"},"reference-count":89,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2017,10,9]],"date-time":"2017-10-09T00:00:00Z","timestamp":1507507200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,10,9]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>Despite the widespread use of authentication schemes and the rapid emergence of novel authentication schemes, a general set of domain-specific guidelines has not yet been developed. This paper aims to present and explain a list of human-centered guidelines for developing usable authentication schemes.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The guidelines stem from research findings within the fields of psychology, human\u2013computer interaction and information\/computer science.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Instead of viewing users as the inevitable weak point in the authentication process, this study proposes that authentication interfaces be designed to take advantage of users\u2019 natural abilities. This approach requires that one understands how interactions with authentication interfaces can be improved and what human capabilities can be exploited. A list of six guidelines that designers ought to consider when developing a new usable authentication scheme has been presented.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>This consolidated list of usable authentication guidelines provides system developers with immediate access to common design issues impacting usability. These guidelines ought to assist designers in producing more secure products in fewer costly development cycles.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>Cybersecurity research and development has mainly focused on technical solutions to increase security. However, the greatest weakness of many systems is the user. It is argued that authentication schemes with poor usability are inherently insecure, as users will inadvertently weaken the security in their efforts to use the system. The study proposes that designers need to consider the human factors that impact end-user behavior. Development from this perspective will address the greatest weakness in most security systems by increasing end-user compliance.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-04-2016-0034","type":"journal-article","created":{"date-parts":[[2017,8,21]],"date-time":"2017-08-21T19:14:54Z","timestamp":1503342894000},"page":"437-453","source":"Crossref","is-referenced-by-count":22,"title":["Human-centered authentication guidelines"],"prefix":"10.1108","volume":"25","author":[{"given":"Jeremiah D.","family":"Still","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ashley","family":"Cain","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"David","family":"Schuster","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2020120605004093600_B25a","first-page":"25","article-title":"What\u2019s the deal with privacy apps? A comprehensive exploration of user perception and usability","year":"2015"},{"issue":"5","key":"key2020120605004093600_ref001","doi-asserted-by":"crossref","first-page":"654","DOI":"10.1136\/jnnp.50.5.654-a","article-title":"Oxford psychology series, No. 11. Working memory","volume":"50","year":"1987","journal-title":"Journal of Neurology, Neurosurgery, & Psychiatry"},{"issue":"504","key":"key2020120605004093600_ref002","first-page":"556","article-title":"Working memory","volume":"255","year":"1992","journal-title":"Science"},{"key":"key2020120605004093600_ref003","article-title":"Productive security: a scalable methodology for analyzing employee security behaviors","volume-title":"Symposium on Usable Privacy and Security (SOUPS)","year":"2016"},{"key":"key2020120605004093600_ref004","first-page":"73","article-title":"Employee rule breakers, excuse makers and security champions: mapping the risk perceptions and emotions that drive security behaviors","year":"2015"},{"issue":"4","key":"key2020120605004093600_ref005","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2333112.2333114","article-title":"Graphical passwords: learning from the first twelve years","volume":"44","year":"2012","journal-title":"ACM Computing Surveys"},{"key":"key2020120605004093600_ref006","first-page":"199","article-title":"Security and usability: the case of the user authentication methods","year":"2006"},{"key":"key2020120605004093600_ref007","first-page":"3","article-title":"A rapid serial visual presentation method for graphical-authentication","volume-title":"Advances in Human Factors Cybersecurity","year":"2016"},{"issue":"6","key":"key2020120605004093600_ref008","doi-asserted-by":"crossref","first-page":"45","DOI":"10.1080\/10658980601051318","article-title":"Password security: an empirical investigation into ecommerce passwords and their crack times","volume":"15","year":"2006","journal-title":"Information Systems Security"},{"key":"key2020120605004093600_B78b","article-title":"A reference model of information assurance & security","year":"2013"},{"key":"key2020120605004093600_ref009","first-page":"1","article-title":"A usability study and critique of two password managers","volume":"6","year":"2006","journal-title":"Usenix Security"},{"issue":"1","key":"key2020120605004093600_ref010","first-page":"1","article-title":"Metatheory of storage capacity limits","volume":"24","year":"2001","journal-title":"Behavioral and Brain Sciences"},{"key":"key2020120605004093600_ref011","first-page":"1","article-title":"Aligning usability and security: a usability study of Polaris","year":"2006"},{"key":"key2020120605004093600_ref012","first-page":"151","article-title":"I\u2019m stuck!\u201d: a Contextual inquiry of people with visual impairments in authentication","volume-title":"Eleventh Symposium on Usable Privacy and Security (SOUPS 2015","year":"2015"},{"key":"key2020120605004093600_ref013","first-page":"100","article-title":"Cultural mobilities: diversity and agency in urban computing","year":"2007"},{"key":"key2020120605004093600_ref014","first-page":"2379","article-title":"Does my password go up to eleven? The impact of password meters on password selection","year":"2013"},{"key":"key2020120605004093600_ref015","first-page":"1137","article-title":"Graphical password: comprehensive study of the usability features of the recognition base graphical password methods","year":"2008"},{"key":"key2020120605004093600_ref016","article-title":"Why do they do what they do? A study of what motivates users to (not) follow computer security advice","volume-title":"Twelfth Symposium on Usable Privacy and Security (SOUPS 2016)","year":"2016"},{"key":"key2020120605004093600_ref017","article-title":"Do or do not, there is no try: user engagement may not improve security outcomes","volume-title":"Symposium on Usable Privacy and Security (SOUPS)","year":"2016"},{"issue":"2","key":"key2020120605004093600_ref018","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1109\/MSP.2010.204","article-title":"Secure and inclusive authentication with a talking mobile one-time-password client","volume":"9","year":"2011","journal-title":"IEEE Security & Privacy Magazine"},{"issue":"4","key":"key2020120605004093600_ref019","doi-asserted-by":"crossref","first-page":"274","DOI":"10.1016\/j.cose.2005.04.003","article-title":"Why users cannot use security","volume":"24","year":"2005","journal-title":"Computers & Security"},{"key":"key2020120605004093600_B25b","doi-asserted-by":"crossref","unstructured":"Garfinkel, S. (2015), \u201cDe-identification of personally identifiable information\u201d, National Institute of Science and Technology, Technical Report NIST IR 8053, available at: http:\/\/dx.doi.org\/10.6028\/NIST.IR.8053","DOI":"10.6028\/NIST.IR.8053"},{"key":"key2020120605004093600_ref020","unstructured":"GCHQ and CPNI (2015), \u201cSimplifying your approach: password guidance\u201d, available at: www.gov.uk\/government\/uploads\/system\/uploads\/attachment_data\/file\/458857\/Password_guidance_-_simplifying_your_approach.pdf"},{"issue":"3","key":"key2020120605004093600_ref021","doi-asserted-by":"crossref","first-page":"256","DOI":"10.1016\/j.intcom.2011.03.007","article-title":"Using and managing multiple passwords: a week to a view","volume":"23","year":"2011","journal-title":"Interacting with Computers"},{"key":"key2020120605004093600_ref022","first-page":"2647","article-title":"Using personal examples to improve risk communication for security & privacy decisions","year":"2014"},{"key":"key2020120605004093600_ref023","first-page":"213","article-title":"It\u2019s a hard lock life: a field study of smartphone (un) locking behavior and risk perception","volume-title":"Symposium On Usable Privacy and Security (SOUPS 2014)","year":"2014"},{"key":"key2020120605004093600_ref024","first-page":"245","article-title":"Developing usable CAPTCHAs for blind users","year":"2007"},{"key":"key2020120605004093600_ref025","first-page":"87","article-title":"Cognitive engineering","volume-title":"User Centered System Design: New Perpectives on Human-Computer Interaction","year":"1986"},{"key":"key2020120605004093600_ref026","first-page":"177","article-title":"Assessing the usability of end-user security software","year":"2010","journal-title":"Trust, Privacy and Security in Digital Business"},{"key":"key2020120605004093600_B48a","unstructured":"Jargon (2016), \u201cOxford English dictionary online\u201d, (2nd ed.), available at: https:\/\/en.oxforddictionaries.com\/definition\/jargon"},{"issue":"8","key":"key2020120605004093600_ref027","doi-asserted-by":"crossref","first-page":"675","DOI":"10.1016\/S0167-4048(03)00006-3","article-title":"Security and human computer interfaces","volume":"22","year":"2003","journal-title":"Computers & Security"},{"key":"key2020120605004093600_ref028","first-page":"39","article-title":"My data just goes everywhere: user mental models of the internet and implications for privacy and security","year":"2015"},{"key":"key2020120605004093600_ref029","first-page":"2619","article-title":"Self-reported password sharing strategies","year":"2011"},{"key":"key2020120605004093600_ref030","first-page":"190","article-title":"Developing an extension to an existing tactile authentication mechanism to support non-visual interaction","year":"2012"},{"key":"key2020120605004093600_ref031","doi-asserted-by":"crossref","first-page":"179","DOI":"10.4018\/978-1-60566-036-3.ch011","article-title":"Security configuration for nonexperts: a case study in wireless network configuration","volume-title":"Social and Human Elements of Information Security: Emerging Trends and Countermeasures","year":"2009"},{"key":"key2020120605004093600_ref032","first-page":"2267","article-title":"The SoundsRight CAPTCHA: an improved approach to audio human interaction proofs for blind users","year":"2012"},{"issue":"2","key":"key2020120605004093600_ref033","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1057\/ejis.2009.11","article-title":"Threat or coping appraisal: determinants of SMB executives\u2019 decision to adopt anti-malware software","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"key":"key2020120605004093600_B78a","first-page":"1","article-title":"Information systems security: a comprehensive model","year":"1991"},{"key":"key2020120605004093600_ref034","first-page":"295","article-title":"Contextualizing mnemonic phrase passwords","volume-title":"Advances in Human Factors Cybersecurity","year":"2016"},{"issue":"3","key":"key2020120605004093600_ref035","doi-asserted-by":"crossref","first-page":"263","DOI":"10.1006\/ijhc.1998.0243","article-title":"A review of user-interface design guidelines for public information kiosk systems","volume":"50","year":"1999","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2020120605004093600_ref036","first-page":"227","article-title":"Biometric authentication\u2014security and usability","volume-title":"Advanced Communications and Multimedia Security","year":"2002"},{"issue":"3","key":"key2020120605004093600_ref037","first-page":"39","article-title":"Universal design for individual differences","volume":"58","year":"2000","journal-title":"Educational Leadership"},{"issue":"1","key":"key2020120605004093600_ref038","doi-asserted-by":"crossref","first-page":"113","DOI":"10.2307\/1423627","article-title":"The picture superiority effect: support for the distinctiveness model","volume":"112","year":"1999","journal-title":"The American Journal of Psychology"},{"key":"key2020120605004093600_ref039","first-page":"217","article-title":"Transparent queries: investigation users\u2019 mental models of search engines","year":"2001"},{"key":"key2020120605004093600_ref040","first-page":"323","article-title":"Age-related performance issues for PIN and face-based authentication systems","year":"2013"},{"key":"key2020120605004093600_ref041","volume-title":"The Psychology of Everyday Things","year":"1988"},{"key":"key2020120605004093600_ref042","first-page":"1","volume-title":"Attention to Action","year":"1986"},{"key":"key2020120605004093600_ref043","unstructured":"NPR (2015), \u201cBiometrics may ditch the password, but not the hackers\u201d, available at: www.npr.org\/sections\/alltechconsidered\/2015\/04\/23\/401466507\/biometrics-may-ditch-the-password-but-not-the-hackers (accessed 4 April 2016)."},{"issue":"3","key":"key2020120605004093600_ref044","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1016\/j.giq.2011.02.002","article-title":"Accessibility of US federal government home pages: Section 508 compliance and site accessibility statements","volume":"28","year":"2011","journal-title":"Government Information Quarterly"},{"issue":"1","key":"key2020120605004093600_ref045","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1037\/0022-3514.46.1.69","article-title":"The effects of involvement on responses to argument quantity and quality: central and peripheral routes to persuasion","volume":"46","year":"1984","journal-title":"Journal of Personality and Social Psychology"},{"key":"key2020120605004093600_ref046","first-page":"1","article-title":"Designing acceptable user registration processes for e-services","year":"2012"},{"key":"key2020120605004093600_ref047","unstructured":"Poulsen, K. (2000), \u201cMitnick to lawmakers: people, phones, and weakest links\u201d, available at: www.politechbot.com\/p-00969.html (accessed 4 April 2016)."},{"key":"key2020120605004093600_ref048","first-page":"53","article-title":"It\u2019s too complicated, so I turned it off! Expectations, perceptions, and misconceptions of personal firewalls","year":"2010"},{"issue":"9","key":"key2020120605004093600_ref049","doi-asserted-by":"crossref","first-page":"1204","DOI":"10.1016\/j.ress.2006.08.008","article-title":"A process for supporting risk-aware web authentication mechanism choice","volume":"92","year":"2007","journal-title":"Reliability Engineering & System Safety"},{"issue":"3","key":"key2020120605004093600_ref050","doi-asserted-by":"crossref","first-page":"349","DOI":"10.1037\/0033-2909.100.3.349","article-title":"On looking into the black box: prospects and limits in the search for mental models","volume":"100","year":"1986","journal-title":"Psychological Bulletin"},{"issue":"3","key":"key2020120605004093600_ref051","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1023\/A:1011902718709","article-title":"Transforming the \u2018weakest link\u2019\u2014A human\/computer interaction approach to usable and effective security","volume":"19","year":"2001","journal-title":"BT Technology Journal"},{"key":"key2020120605004093600_ref052","first-page":"2903","article-title":"A spoonful of sugar? The impact of guidance and feedback on password-creation behavior","year":"2015"},{"key":"key2020120605004093600_ref053","first-page":"2657","article-title":"My religious aunt asked why i was trying to sell her Viagra: experiences with account hijacking","year":"2014"},{"issue":"2","key":"key2020120605004093600_ref054","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1037\/0033-295X.84.2.127","article-title":"Controlled and automatic human information processing: II: perceptual learning, automatic attending and a general theory","volume":"84","year":"1977","journal-title":"Psychological Review"},{"issue":"5","key":"key2020120605004093600_ref055","doi-asserted-by":"crossref","first-page":"84","DOI":"10.1145\/332833.332843","article-title":"Universal usability","volume":"43","year":"2000","journal-title":"Communications of the ACM"},{"key":"key2020120605004093600_ref056","volume-title":"Designing the User Interface: Strategies for Effective Human-Computer Interaction","year":"2010"},{"issue":"3","key":"key2020120605004093600_ref057","doi-asserted-by":"crossref","first-page":"75","DOI":"10.1109\/MSECP.2003.1203228","article-title":"Humans in the loop: human-computer interaction and security","volume":"1","year":"2003","journal-title":"IEEE Security & Privacy Magazine"},{"key":"key2020120605004093600_ref058","first-page":"109","article-title":"Useable security: interface design strategies for improving security","year":"2006"},{"issue":"3","key":"key2020120605004093600_ref059","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1145\/2899383","article-title":"Cybersecurity needs you!","volume":"23","year":"2016","journal-title":"ACM Interactions"},{"issue":"9","key":"key2020120605004093600_ref060","doi-asserted-by":"crossref","first-page":"561","DOI":"10.1016\/j.ijhcs.2010.03.003","article-title":"Examining working memory load and congruency effects on affordances and conventions","volume":"68","year":"2010","journal-title":"International Journal of Human-Computer Studies"},{"issue":"3","key":"key2020120605004093600_ref061","doi-asserted-by":"crossref","first-page":"285","DOI":"10.1016\/j.destud.2012.11.005","article-title":"Cognitively describing and designing affordances","volume":"34","year":"2013","journal-title":"Design Studies"},{"key":"key2020120605004093600_ref062","first-page":"1","article-title":"Graphical passwords: a survey","year":"2005"},{"key":"key2020120605004093600_ref063","unstructured":"Take This Lollipop (2017), available at: www.takethislollipop.com\/ (accessed 12 April 2016)."},{"issue":"2","key":"key2020120605004093600_ref064","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/MSP.2011.30","article-title":"Guest editors\u2019 introduction: shouldn\u2019t all security be usable?","volume":"9","year":"2011","journal-title":"IEEE Security & Privacy Magazine"},{"issue":"5","key":"key2020120605004093600_ref065","doi-asserted-by":"crossref","first-page":"352","DOI":"10.1037\/h0020071","article-title":"Encoding specificity and retrieval processes in episodic memory","volume":"80","year":"1973","journal-title":"Psychological Review"},{"key":"key2020120605004093600_ref066","article-title":"Do users\u2019 perceptions of password security match reality?","year":"2016"},{"key":"key2020120605004093600_ref067","unstructured":"Verizon Data (2013), \u201cData breach investigation report\u201d, available at: www.verizonenterprise.com\/resources\/reports\/rp_data-breach-investigations-report-2013_en_xg.pdf (accessed 14 April 2016)."},{"key":"key2020120605004093600_ref068","first-page":"75","article-title":"Position: the user is the enemy","year":"2008"},{"key":"key2020120605004093600_ref069","first-page":"1189","article-title":"Cheque mates: participatory design of digital payments with eighty somethings","year":"2012"},{"key":"key2020120605004093600_ref070","first-page":"3231","article-title":"Designing for-and with-vulnerable people","volume-title":"CHI\u201913 Extended Abstracts on Human Factors in Computing Systems","year":"2013"},{"key":"key2020120605004093600_ref071","article-title":"Aging futures: towards an inclusive cognitive interaction design","year":"2007"},{"key":"key2020120605004093600_ref072","first-page":"1403","article-title":"SwiPIN \u2013 Fast and secure PIN-entry on smartphones","volume-title":"Proceedings of the Computer-Human Interaction (CHI) Conference","year":"2015"},{"key":"key2020120605004093600_ref073","article-title":"Understanding password choices: how frequently entered passwords are re-used across websites","volume-title":"Symposium on Usable Privacy and Security (SOUPS)","year":"2016"},{"key":"key2020120605004093600_ref074","first-page":"754","article-title":"Password entry times for recognition-based graphical passwords","volume-title":"Proceedings of the Human Factors and Ergonomics Society Conference","year":"2016"},{"key":"key2020120605004093600_ref075","first-page":"173","article-title":"Guidelines for designing augmented reality games","volume-title":"Proceedings of the 2008 Conference on Future Play: Research, Play, Share","year":"2008"},{"key":"key2020120605004093600_ref076","first-page":"1","article-title":"Why Johnny can\u2019t encrypt: a usability evaluation of PGP 5.0","volume-title":"Proceedings of the 8th conference on USENIX Security Symposium","year":"1999"},{"issue":"3","key":"key2020120605004093600_ref077","doi-asserted-by":"crossref","first-page":"449","DOI":"10.1518\/001872008X288394","article-title":"Multiple resources and mental workload","volume":"50","year":"2008","journal-title":"Human Factors: The Journal of the Human Factors and Ergonomics Society"},{"issue":"1","key":"key2020120605004093600_ref078","doi-asserted-by":"crossref","first-page":"218","DOI":"10.1177\/154193120404800147","article-title":"Traffic and flight guidance depiction on a synthetic vision system display: the effects of clutter on performance and visual attention allocation","volume":"48","year":"2004","journal-title":"Proceedings of the Human Factors and Ergonomics Society Annual Meeting"},{"key":"key2020120605004093600_ref079","first-page":"177","article-title":"Design and evaluation of a shoulder-surfing resistant graphical password scheme","volume-title":"AVI\u201906, Proceedings of the Working Conference on Advanced Visual Interfaces","year":"2006"},{"key":"key2020120605004093600_ref080","first-page":"367","article-title":"A protection motivation theory approach to home wireless security","volume-title":"ICIS 2005 Proceedings","year":"2005"},{"issue":"3\/4","key":"key2020120605004093600_ref081","first-page":"180","article-title":"Am I really at risk? Determinants of online users\u2019 intentions to use strong passwords","volume":"8","year":"2009","journal-title":"Journal of Internet Commerce"},{"key":"key2020120605004093600_ref082","first-page":"442","article-title":"Security for diversity: studying the effects of verbal and imagery processes on user authentication mechanisms","volume-title":"Human-Computer Interaction\u2013INTERACT 2013","year":"2013"},{"key":"key2020120605004093600_ref083","doi-asserted-by":"crossref","first-page":"67","DOI":"10.28945\/503","article-title":"Evaluation of the human impact of password authentication practices on information security","volume":"7","year":"2004","journal-title":"Informing Science: International Journal of an Emerging Transdiscipline"},{"key":"key2020120605004093600_ref084","unstructured":"McCullagh, D. (2000), \u201cKevin Mitnick testifies before congress\u201d, Politech, available at: www.politechbot.com\/p-00969.html (accessed 25 April 2016)."}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2016-0034\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-04-2016-0034\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:50Z","timestamp":1753406570000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/4\/437-453\/201087"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,10,9]]},"references-count":89,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2017,10,9]]}},"alternative-id":["10.1108\/ICS-04-2016-0034"],"URL":"https:\/\/doi.org\/10.1108\/ics-04-2016-0034","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,10,9]]}}}