Transparent password policies: A case study of investigating end-user situational awareness

Transparent password policies are utilized by organizations in an effort to ease the end-user (e.g. customer) from the burden of configuring authentication settings while maintaining a high level of security. However, authentication transparency can challenge security and usability and can impact the awareness of the end-users with regards to the protection level that is realistically achieved. For authentication transparency to be effective, the triptych security – usability – situational awareness should be considered when designing relevant security solutions / products. Although various efforts have been made in the literature, the usability aspects of the password selection process are not well understood or addressed in the context of end-user situational awareness. This research work specifies three security and usability-related strategies that represent the organizations’, the end users’ and the attackers’ objectives with regards to password construction. Understanding each actor’s perspective can greatly assist in increasing situational awareness with regards to the authentication controls usage and effectiveness. Furthermore, a case study is presented to evaluate if, and in what way, transparent password policies, that isolate users’ involvement can affect the perspective of the end-user with regards to the