Patterns are based on scientific sources.
| Field | Description |
|---|---|
| Name | Leverage Existing Identification |
| Sources | (Garfinkel, 2005), (Cooper, 2004), (Norman, 1983) |
| Synonyms | None |
| Context | Digital identification systems based on biometrics and public key infrastructure (PKI) are easier to deploy when the technology affirms a pre-existing relationship, rather than when a relationship has to be created for the sole purpose of using the identification system. |
| Problem | How should identification systems (such as client-side PKI, tokens, or biometrics) best be deployed? |
| Solution | Use existing identification schemes rather than trying to create new ones. |
| Examples | Zurko (Zurko, 2005) reports that there are 100 million Lotus Notes client licenses currently deployed; the US Department of Defense has successfully deployed its PKI to more than 2 million employees, contractors, and active duty personnel. In both of these cases, PKI technology was used to certify identities that had been established through other channels; that is, it extended a pre-existing local identity determination into the digital domain. MIT's certificate authority issues personal certificates to individuals who know their Kerberos username, Kerberos password, and MIT ID number (see graphic). Source: (Garfinkel, 2005) |
| Implementation | Organizations issue certificates to their own employees. Banks in Europe send transaction authorization numbers (TANs; essentially one-time passwords) to many customers with their monthly statements, leveraging the existing authentication provided by the postal system. |
| Consequences | It is easier to deploy strong systems because all users already understand what kinds of security guarantees are provided. Inevitable errors can be corrected using the tools already present in the existing identification systems. |
| Dependencies | None |
| Relationships | [Email-Based Identification and Authentication] |
| Principles | None |
| Guidelines | None |
| Check lists | None |
| Use cases | None |
| Tags | Leverage Existing Identification, Email-Based Identification and Authentication, Authentication, Conformity of Usability |
| Log history | [01/18/2016]: Added to repository |
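The Examples and Implementation rows describe the same mechanism: a credential is issued only after the applicant is authenticated by an identification scheme the organization already runs, and the identity it certifies is copied from that scheme rather than asserted by the applicant. The following is an added example, not code from the pattern catalogue or from MIT; the account store, the ID-number check and the HMAC-signed credential are constructed stand-ins for a Kerberos realm, an HR database and an X.509 certificate.

```python
"""Toy issuer following Leverage Existing Identification (added example).
The issuer never trusts a self-asserted name: it authenticates against the
pre-existing account store and copies the subject from that record."""
import hashlib
import hmac
import json
import secrets

_SALT = b"constructed-salt"  # constructed; a real store salts per account


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed stand-in for the organisation's existing identity system
# (Kerberos credentials plus the ID number held by HR). Not a real API.
EXISTING_ACCOUNTS = {
    "alice": {"pw": _pw_hash("correct horse"), "id_number": "912345678",
              "display_name": "Alice Example", "affiliation": "staff"},
}

ISSUER_KEY = secrets.token_bytes(32)  # issuer's signing key (constructed)


def verify_existing_identity(username, password, id_number):
    """Check all three factors against the existing store; None on failure."""
    rec = EXISTING_ACCOUNTS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["pw"], _pw_hash(password)):
        return None
    if not hmac.compare_digest(rec["id_number"], id_number):
        return None
    return rec


def issue_credential(username, password, id_number, requested_name=None):
    """Issue a signed credential. requested_name is deliberately ignored:
    the subject is inherited from the existing record, not asserted."""
    rec = verify_existing_identity(username, password, id_number)
    if rec is None:
        raise PermissionError("existing identification failed; nothing issued")
    payload = {"sub": username, "name": rec["display_name"],
               "affiliation": rec["affiliation"]}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(ISSUER_KEY, body, "sha256").hexdigest()}


def verify_credential(cred):
    """Relying party check: signature must match the canonical payload."""
    body = json.dumps(cred["payload"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    return hmac.compare_digest(cred["sig"], expected)
```

Correcting a wrong attribute is then a change in the existing store followed by re-issuance, which is the error-correction path the Consequences row refers to.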
Cooper, A., 2004. The inmates are running the asylum: Why high-tech products drive us crazy and how to restore the sanity, 2nd ed. Que, Indianapolis, IN.
Garfinkel, S.L., 2005. Design principles and patterns for computer systems that are simultaneously secure and usable (PhD thesis). Massachusetts Institute of Technology.
Norman, D.A., 1983. Design rules based on analyses of human error. Commun. ACM 26, 254–258. doi:10.1145/2163.358092
Zurko, M.E., 2005. Lotus Notes/Domino: Embedding security in collaborative applications, in: Cranor, L., Garfinkel, S. (Eds.), Security and Usability. O'Reilly.