Authentication is a major research topic in the information security field. Much has been written about assessing entity (user) authentication methods, but there is little literature on evaluating financial transaction authentication in online banking. Entity authentication methods have been systematized by quantifying their qualitative aspects, but no evaluation mechanism also places the additional characteristics of transaction authentication in a user-centric context. Building on an existing mechanism that quantifies the accessibility, memorability, security and vulnerability characteristics of entity authentication methods, we propose feasibility as an additional dimension that quantifies aspects related to the secure usability of transaction authentication methods. We also propose that the mechanism be applied by multiple raters to reduce personal bias. Four implemented and eight proposed authentication methods for online banking were evaluated by seven experts. The results indicate that the mechanism can be applied to a wide range of authentication methods, since it is able to evaluate methods based on different information schemes. However, care must be taken that evaluations are performed by multiple experts, because of the subjectivity inherent in the mechanism and the differing opinions of the raters.
11. Concluding remarks
We expanded Renaud's quantifying mechanism to accommodate aspects related to transaction authentication in online banking in a user-centric context. Several implemented and proposed transaction authentication methods for online banking were evaluated by seven raters using the original four dimensions and our expansion. Including the additional dimension changed the ranks of 5 of the 12 evaluated authentication methods. A large amount of subjectivity is involved when applying Renaud's mechanism and our expansion: for only about a third of the questions asked did the (independent) raters reach a unanimous answer. This does not make the mechanism worthless, but evaluations should be performed by multiple raters, since it would be unwise to treat the opinion of a single expert as the truth. The methods with a good overall fit in both the original and the expanded mechanism are Bank Scan VNA, Weigold Scan VNA and Weigold USB VNA, closely followed by Weigold Entry ENA. The first three (one implemented and two proposed authentication methods) use a Customer Verified Transaction Set Authentication information scheme, while the fourth uses Entered Single Transaction Authentication. This suggests that either information scheme can be used to design an authentication method that satisfies many aspects. Trusted bank devices have a very good overall fit within the dimensions of the mechanism. User-owned mobile devices have a worse fit for online banking authentication purposes, except for the implemented Bank SMS VA. That this method ranks so high is possibly due to personal bias among raters who use it in daily life, considering that the proposed Weigold SMS VNA is largely the same but ranks much lower.

When this outlier is ignored, authentication methods that rely on user-owned devices tend to have an overall worse fit than those that rely on bank-issued devices.
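The following Python script is an added illustration, not code from the paper, of how a multi-rater, multi-dimension evaluation of this kind can be aggregated and of the two effects discussed above: a method's rank can change when a fifth dimension is added, and a single rater's ranking can differ from the group's. Renaud's actual scoring rules are not reproduced here; the script assumes an integer score of 1 to 5 per rater per question, takes the median across raters as the group answer, and sums the group answers over the included dimensions to obtain an overall fit. The three methods and three raters are constructed sample data with placeholder names, not the methods or scores from the study.

```python
"""Illustrative aggregation of multi-rater, multi-dimension authentication-method scores.

Assumed scoring rules (not Renaud's mechanism and not taken from the paper):
  * each rater answers every (method, dimension) question with an integer 1..5,
  * the group answer to a question is the median of the raters' scores,
  * the overall fit of a method is the sum of its group answers over the dimensions used.
"""
from statistics import median

ORIGINAL_DIMS = ("accessibility", "memorability", "security", "vulnerability")
EXPANDED_DIMS = ORIGINAL_DIMS + ("feasibility",)

# Constructed sample data: RATINGS[method][dimension] is a list of scores, one per rater.
# The method names are placeholders and the scores are invented for the illustration.
RATINGS = {
    "method_A": {
        "accessibility": [4, 4, 5], "memorability": [3, 3, 3], "security": [4, 3, 4],
        "vulnerability": [4, 4, 4], "feasibility": [1, 1, 1],
    },
    "method_B": {
        "accessibility": [3, 3, 3], "memorability": [4, 4, 4], "security": [3, 2, 3],
        "vulnerability": [3, 3, 3], "feasibility": [5, 5, 5],
    },
    "method_C": {
        "accessibility": [2, 3, 3], "memorability": [2, 2, 2], "security": [4, 4, 4],
        "vulnerability": [5, 4, 5], "feasibility": [3, 3, 3],
    },
}


def group_score(method, dim):
    """Group answer to one question: the median of the raters' scores (assumed rule)."""
    return median(RATINGS[method][dim])


def overall_fit(method, dims, rater=None):
    """Sum of scores over `dims`: group medians by default, or one rater's own scores."""
    if rater is None:
        return sum(group_score(method, d) for d in dims)
    return sum(RATINGS[method][d][rater] for d in dims)


def ranking(dims, rater=None):
    """Methods ordered best-first; ties are broken by name so the order is deterministic."""
    return sorted(RATINGS, key=lambda m: (-overall_fit(m, dims, rater), m))


def rank_changes(dims_before, dims_after):
    """Methods whose rank position differs between two sets of dimensions."""
    before, after = ranking(dims_before), ranking(dims_after)
    return {m for m in RATINGS if before.index(m) != after.index(m)}


def unanimity_fraction(dims=EXPANDED_DIMS):
    """Share of (method, dimension) questions on which every rater gave the same score."""
    questions = [(m, d) for m in RATINGS for d in dims]
    unanimous = sum(len(set(RATINGS[m][d])) == 1 for m, d in questions)
    return unanimous / len(questions)


if __name__ == "__main__":
    print("ranking with original dimensions:", ranking(ORIGINAL_DIMS))
    print("ranking with feasibility added:  ", ranking(EXPANDED_DIMS))
    print("methods whose rank changed:      ", sorted(rank_changes(ORIGINAL_DIMS, EXPANDED_DIMS)))
    print("fraction of unanimous questions: ", round(unanimity_fraction(), 2))
    for r in range(3):
        # A single rater's ranking need not match the group's; rater 0 differs here.
        print(f"rater {r} alone, expanded dims:    ", ranking(EXPANDED_DIMS, rater=r))
```

With the constructed scores, adding the feasibility dimension moves two of the three methods to a different rank, only two thirds of the questions receive a unanimous answer, and rater 0 alone would rank the methods differently from the group median, which is the reason the paper advises against relying on one expert.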