The Quest to Replace Passwords Revisited – Rating Authentication Schemes

Abstract

Six years ago Bonneau et al. (2012) proposed a framework to comparatively evaluate authentication schemes. They applied their framework to 35 different authentication schemes to identify alternatives to the ubiquitous text password. However, in their work no sole authentication scheme proved to be suitable for every application scenario, hence the quest to replace passwords has not yet been solved. This paper revisits the rating process and describes the application of an extended version of the original framework to an additional 40 authentication schemes identified in a literature review. All schemes were rated in terms of 25 objective features assigned to the three main criteria usability, deployability, and security. The rating process and results are presented along with a discussion of the benefits and pitfalls of the rating process. Our goal thereby is not to claim victory over text passwords, but to help decision makers in identifying suitable authentication schemes for their specific application scenario. The results were also made publicly available in an authentication choice support system named ACCESS to foster the further extension of the knowledge base and future development of the rating process.