Authentication security advice is given with the goal of guiding users and organisations towards secure actions and practices. In this paper, we demonstrate that security advice can be ambiguous, contradictory and at times may not even have any clear benefits. We expand on current work by defining a formal approach to identifying the costs of security advice and conduct a user study to identify the costs that apply to a large range of authentication advice. We also apply a simple framework for analysing the authentication-related security benefits of advice. This allows us to identify costs and benefits for all classes of security advice.