## *3.2.3 Authentication schemes and methods implemented by the respondents*

Next, the respondents were asked what authentication techniques they had implemented in applications developed by them and the kind of application. Most applications were either web-based or for banking and commerce. A total of 23 out of the 45 survey respondents answered this question. The complete results of this question can be observed in the graphs of **Figures 3** and **4**, which show the implemented authentication schemes and methods and the contexts of the applications that were being developed, respectively.

## *3.2.4 Comparison and selection criteria used by the respondents*

For the last question of the S&I, distinct strategies were applied between the interviewees and the survey respondents. In the case of the former, they were directly asked what criteria they utilized for the comparison and selection of authentication schemes and methods. In the case of the latter, the responses from the interviewees, coupled with the results of the previously performed SLR, were used to generate a list of comparison and selection criteria that respondents were asked to value from 1 to 5. A higher value meant that the respondent gave a higher importance to the criterion. A total of 29 out of the 45 survey respondents answered this question. The complete results of this question can be observed in **Table 5** and in **Table 6**, which show the responses given by the interviewees and the survey respondents, respectively.

| Criterion | Interviewees that consider the criterion |
| --- | --- |
| Client's requirements | 11 |
| Application context | 11 |
| Usability-related criteria | 9 |
| Security-related criteria | 11 |
| Cost-related criteria | 8 |
| Other criteria | 2 |

**Table 5.** *Comparison and selection criteria considered by the interviewees.*

| Category | Criterion | Value |
| --- | --- | --- |
| Usability | Ease of use | 3.31 |
| | Ease of learning | 3.28 |
| | Need of using a device | 3.10 |
| | Method's reliability | 4.10 |
| Security | Importance of security | 4.41 |
| | Resistance to well-known attacks | 4.21 |
| Costs | Implementation costs | 4.07 |
| | Costs per user | 4.00 |
| | Server compatibility | 3.69 |
| | Need of acquiring licenses | 3.86 |
| | Available technologies | 3.93 |
| Others | Client's requirements | 4.17 |
| | Application context | 4.41 |
| | Norms and legislation | 3.90 |

**Table 6.** *Comparison and selection criteria valued by the survey respondents.*

Finally, survey respondents were asked what other comparison and selection criteria they would consider. The received answers include the ease of authentication information recovery, the registration method, and the sensitivity of the information.

**3.3 Short survey**

A second survey was later applied to nine employees of the PSDC. These employees were selected among the most experienced developers of the company, based on their years of experience and positions. The single aim of this survey was to ascertain the importance that the respondents would assign to an application's security and usability based on the target context. The importance was valued in percentages, with the sum of usability and security being 100% for every context. **Table 7** presents the results of this survey.

The obtained values were used afterward as part of the input for the decision framework.

**Figure 3.** *Authentication schemes and methods implemented by the respondents.*

**Figure 4.** *Contexts of the applications developed by the respondents.*

*Multifactor Authentication Methods: A Framework for Their Comparison and Selection DOI: http://dx.doi.org/10.5772/intechopen.89876*



*Computer and Network Security*


criterion, **Table 9** shows the usability-related criteria, their importance values, and their weights.

| Criterion | Importance | Value | Weight |
| --- | --- | --- | --- |
| Ease of use | The method necessarily needs to be easy to use | 100 | 25% |
| | The method preferably needs to be easy to use | 60 | |
| | It is not necessary for the method to be easy to use | 20 | |
| Ease of learning | A user should not take longer than a day to get used | 100 | 25% |
| | A user should not take longer than a week to get used | 60 | |
| | The time it takes to get used is not relevant | 20 | |
| Authentication information recovery | The recovery process should be simple | 100 | 10% |
| | The recovery process should be complex | 20 | |
| Need of using a device | It does not need to use a device | 100 | 10% |
| | It can use a possession or biometric device | 60 | |
| | It can use both a possession and a biometric device | 20 | |
| Authentication method's reliability | It should never or hardly fail during authentication | 100 | 30% |
| | It should not fail occasionally during authentication | 75 | |
| | It can fail occasionally during authentication | 45 | |
| | It does not matter how often it fails | 20 | |

**Table 9.**

Every criterion has two or more importance values between 20 and 100, and the sum of all the weights of the criteria belonging to the same category is 100%. In this manner, when using the framework, a person must select the importance values that best describe their application and then calculate the average values of security (S), usability (U), and costs (C) using the following equations:

$$S = \sum_{\text{for each criterion of } S} \mathit{AssessmentValue} \ast \mathit{CriterionWeight} \tag{1}$$

$$U = \sum_{\text{for each criterion of } U} \mathit{AssessmentValue} \ast \mathit{CriterionWeight} \tag{2}$$

$$C = \sum_{\text{for each criterion of } C} \mathit{AssessmentValue} \ast \mathit{CriterionWeight} \tag{3}$$

The framework also considers a number of common contexts identified through the knowledge base. These contexts were given distinct weights based on the importance of security and usability in the context itself. Here, a term known as the security/usability value (SUV) is presented. The knowledge base showed that, generally, the more secure an authentication scheme or method is, the lower its usability, and vice versa. The SUV is used to denote this. Based on the calculated average values of S, U, and C, coupled with the selected application context (Ct), the SUV is calculated as follows:

$$\mathit{SUV} = A \ast S + B \ast (100 - U) \tag{4}$$

A and B are constants defined based on the importance given to S and U, respectively, in the selected context. A high SUV value thus indicates that more

*Criteria considered by the framework.*

#### **Table 7.**

*Importance given to security and usability in distinct contexts by the respondents.*
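The weighted sum of Eq. (2) and the SUV of Eq. (4), worked through with the Table 9 values. This is an added example, not part of the original chapter: it assumes the assessment value is the importance value selected for each criterion and that weights are applied as fractions, and `S_ASSUMED` and the A/B pairs are placeholders because their values do not appear on this page.

```python
# Table 9 as printed on the page: criterion -> (weight in %, allowed importance values).
USABILITY_CRITERIA = {
    "ease_of_use": (25, {100, 60, 20}),
    "ease_of_learning": (25, {100, 60, 20}),
    "auth_info_recovery": (10, {100, 20}),
    "need_of_device": (10, {100, 60, 20}),
    "method_reliability": (30, {100, 75, 45, 20}),
}


def category_score(criteria, selection):
    """Eqs. 1-3: sum of AssessmentValue * CriterionWeight over one category."""
    total_weight = sum(weight for weight, _ in criteria.values())
    if total_weight != 100:
        raise ValueError(f"weights sum to {total_weight}%, expected 100%")
    if set(selection) != set(criteria):
        raise ValueError("exactly one importance value is needed per criterion")
    score = 0.0
    for name, (weight, allowed) in criteria.items():
        value = selection[name]
        if value not in allowed:
            raise ValueError(f"{value} is not an importance value of {name}")
        score += value * weight / 100
    return score


def suv(a, b, s, u):
    """Eq. 4: SUV = A*S + B*(100 - U)."""
    return a * s + b * (100 - u)


# Constructed selection for a hypothetical application.
SELECTION = {
    "ease_of_use": 100,
    "ease_of_learning": 60,
    "auth_info_recovery": 100,
    "need_of_device": 60,
    "method_reliability": 75,
}
U = category_score(USABILITY_CRITERIA, SELECTION)  # 78.5
# Assumed inputs: the security criteria table is not on this page, and the
# A/B pairs stand in for two contexts; they are not values from Table 7.
S_ASSUMED = 80.0
SUV_SECURITY_HEAVY = suv(0.7, 0.3, S_ASSUMED, U)
SUV_USABILITY_HEAVY = suv(0.3, 0.7, S_ASSUMED, U)
```

With the same S and U, the security-weighted context yields the higher SUV, which is how the selected context shifts the result of Eq. (4).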
