Biblio

Filters: Author is Colnago, Jessica  [Clear All Filters]
2019-02-08
Colnago, Jessica, Devlin, Summer, Oates, Maggie, Swoopes, Chelse, Bauer, Lujo, Cranor, Lorrie, Christin, Nicolas.  2018.  "It's Not Actually That Horrible'': Exploring Adoption of Two-Factor Authentication at a University. Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems. :456:1-456:11.

Despite the additional protection it affords, two-factor authentication (2FA) adoption reportedly remains low. To better understand 2FA adoption and its barriers, we observed the deployment of a 2FA system at Carnegie Mellon University (CMU). We explore user behaviors and opinions around adoption, surrounding a mandatory adoption deadline. Our results show that (a) 2FA adopters found it annoying, but fairly easy to use, and believed it made their accounts more secure; (b) experience with CMU Duo often led to positive perceptions, sometimes translating into 2FA adoption for other accounts; and, (c) the differences between users required to adopt 2FA and those who adopted voluntarily are smaller than expected. We also explore the relationship between different usage patterns and perceived usability, and identify user misconceptions, insecure practices, and design issues. We conclude with recommendations for large-scale 2FA deployments to maximize adoption, focusing on implementation design, use of adoption mandates, and strategic messaging.

2018-05-09
Ur, Blase, Alfieri, Felicia, Aung, Maung, Bauer, Lujo, Christin, Nicolas, Colnago, Jessica, Cranor, Lorrie Faith, Dixon, Henry, Emami Naeini, Pardis, Habib, Hana et al..  2017.  Design and Evaluation of a Data-Driven Password Meter. Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. :3775–3786.
Despite their ubiquity, many password meters provide inaccurate strength estimates. Furthermore, they do not explain to users what is wrong with their password or how to improve it. We describe the development and evaluation of a data-driven password meter that provides accurate strength measurement and actionable, detailed feedback to users. This meter combines neural networks and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about the user's password. We describe the meter's iterative development and final design. We detail the security and usability impact of the meter's design dimensions, examined through a 4,509-participant online study. Under the more common password-composition policy we tested, we found that the data-driven meter with detailed feedback led users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator.