TY - JOUR
T1 - Forcing Johnny to login safely
AU - Herzberg, Amir
AU - Margulies, Ronen
PY - 2013
Y1 - 2013
N2 - We present the results of the first long-term user study of site-based login mechanisms which force and train users to login safely. We found that interactive site-identifying images received 70% detection rates, which is significantly better than the results received by the typical login ceremony and with passive defense indicators [in: CHI'06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM, New York, 2006, pp. 601-610; Computers & Security 28(1,2) (2009), 63-71; in: SP'07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, 2007, pp. 51-65]. We also found that combining login bookmarks with interactive images and 'non-working' buttons/links achieved the best detection rates (82%) and overall resistance rates (93%). We also present WAPP (Web Application Phishing-Protection), an effective server-side solution which combines the login bookmark and the interactive custom image indicators. WAPP provides two-factor and two-sided authentication.
KW - Phishing
KW - forcing functions
KW - human factors
KW - long-term user study
KW - training
UR - http://www.scopus.com/inward/record.url?scp=84881473914&partnerID=8YFLogxK
U2 - 10.3233/jcs-130467
DO - 10.3233/jcs-130467
M3 - Article
AN - SCOPUS:84881473914
SN - 0926-227X
VL - 21
SP - 393
EP - 424
JO - Journal of Computer Security
JF - Journal of Computer Security
IS - 3
ER -