Cybersecurity research and development has mainly focused on technical solutions to increase security. However, the greatest weakness of many systems is the user. [ Interactions: Feature (May + June) ]
Usable Authentication Guidelines:
Instead of viewing users as the inevitable weak point in the authentication process, we propose that authentication interfaces be designed to take advantage of users’ natural abilities. This approach requires that we understand how interactions with authentication interfaces can be improved and what human capabilities can be exploited. We are currently developing a list of guidelines designers can follow to produce usable authentication. [ Still, Cain, & Schuster, in press; Journal of Information and Computer Security]
We depend on authentication methods to protect our valuables from impersonators. These methods need to be able to, at minimum, prevent casual attackers with limited resources from gaining access to our valuables.
Rapid Serial Visual Presentation (RSVP) Method for Graphical Authentication
The RSVP authentication method is especially suited for multi-touch mobile devices. This method presents degraded pictures of everyday objects in a temporal stream. Considering all the other authentication methods employ a spatial visual search, our method is unique (i.e., searching across time versus space). A temporal method of presentation is used to decreases login times down to 14 seconds and to allow login with a simple touch of the screen. By degrading the images, over-the-shoulder attackers are prevented from easily capturing the passcode. This study shows that all participants could successfully login at least once when allowed up to three attempts. After becoming familiar with the RSVP authentication method, participants took on the role of an attacker. Notably, no one was able to identify the passcode. The RSVP method offers a memorable, usable, quick, and secure alternative for authentication on multi-touch mobile devices. [ Cain & Still, 2016 ]
Incognito: Shoulder-Surfing Resistant Selection Method
We offer Incognito, a new selection method, which is resistant to casual shoulder-surfing attacks during graphical authentication. The users controlled Incognito with either a mouse or eye tracker. We examined its usability by measuring effectiveness, performance, and satisfaction in contrast with a conventional approach. Our results suggest Incognito is a viable selection technique within public spaces. [Still & Bell, in progress ]
Are biometrics the simple solution?
You might be thinking. Why not just use biometrics to replace password based authentication systems? This is a bad idea for two reasons. First, all systems get hacked (see hackers took 5.6 million fingerprints). And, our biometric information isn't easily updatable. Second, biometric information might reveal personal health information (e.g., current health status or other genetic based insights).
Increasing Policy Compliance through Re-Design:
Contextualizing Mnemonic Phrase Passwords
We introduce a strategy for developing strong passwords that embed contextual cues within mnemonic phrase passwords. Using this strategy participants were able to create strong passwords and better remember them compared with a traditional mnemonic strategy. [ McEvoy & Still, 2016 ]
Re-designing Permission Requirements to Encourage BYOD Policy Adherence
Many corporations and organizations support a Bring Your Own Device (BYOD) policy, which allows employees to use their personal smartphones for work-related purposes. Access to proprietary company data and information from an employee’s smartphone raises serious privacy and security concerns. Companies are vulnerable to data breaches if employees are unable to discern which applications are safe to install. Situating privacy requirements ought to encourage safer application install decisions and decrease risker ones. This study examines the use of context-relevant warning messages, which alert employees to be cautious when the company’s BYOD policy may be violated. We also explore the impact of presenting permission requirements before and after making the install decision. In situations when it was safe to install an application, warning messages presented before the install decision drastically encouraged installations compared to when there were no warnings. Interestingly, the opposite pattern was found when warning messages were presented after the decision. Overall, better privacy and security decisions will be made if permission requirements are displayed with relevant warning messages. In addition, safe installations will be encouraged through the placement of these meaningful warnings on the description page of a mobile application before a user has decided to install it. [ Lee & Still, 2015 ]