Authentication security advice is given with the goal of guiding users and organisations towards secure actions and practices. In this paper, we demonstrate that such advice can be ambiguous, contradictory and at times may not even have any clear benefit. We extend prior work by defining a formal approach to identifying the costs of security advice and conduct a user study to identify the costs that apply to a large range of authentication advice. We also apply a simple framework for analysing the authentication-related security benefits of advice. Together, these allow us to identify costs and benefits for all classes of authentication advice.