THE END USER PLAYS A VITAL ROLE IN ACHIEVING SYSTEM SECURITY. If a security system is designed to accommodate the average user’s needs and limitations, it is more likely that the system will succeed. Bear in mind that computer users are primarily goal directed and engaged in carrying out some task—and that maintaining security is usually not an integral part of that task. Hence, security systems are sometimes seen as an intrusion to be dealt with as quickly as possible so that users can continue with their primary task. Jonathan Grudin^[1] found that humans would subvert any technology that did not directly benefit them in a group-based technological environment. This finding appears to apply to authentication mechanisms too: people often work around these mechanisms, which are put there explicitly to protect them, because they do not fully understand the benefits that will accrue from observation of security guidelines. Of course, security mechanisms do benefit end users, but they sometimes have a limited understanding of the whole security arena and do not have an insight into the benefits of taking the time to behave securely.

Password-based authentication is currently the most common authentication mechanism, but passwords are notoriously weak, mostly because of human information-processing limitations. People have too many passwords and PINs to remember, so they resort invariably to choosing easily remembered weak ...