User-Centered Design for Security - UMD - July 2015

Public Audience

PI(s): Jen Golbeck and Adam J. Aviv
Researchers: Yehuda Katz,  Zahra Ashktorab, Dane Fichter, Jeanne Luning-Prak, Devon Budzitowski, Ryan Kelly, Mathew Sommers, Ethan Genco, Didar Alan, Kyle Hawkins, Cody Vernon

HARD PROBLEM(S) ADDRESSED

Human Behavior; Metrics

PROJECT OVERVIEW

Our goal is to better understand human behavior within security systems, and to use that knowledge to propose, design, and build better security systems. When humans are involved in security systems in any way, usability is important. A system that is designed around natural human memory, attention, and cognitive abilities will be easy to use and lead people toward acting in secure ways; systems that force users into inherently difficult tasks lead to people circumventing security guidelines or protocols in order to get their tasks done efficiently.

In the first year of this project and continuing into year two, we are undertaking several efforts in the usable security space; in particular in the space of understanding the security and usabily of text and graphical passwords. The concrete results of this research effort is the development of new classes (PI Golbeck), the sponsor of capstone projects (PI Aviv), the presentation and publication of papers (PI Golbeck and PI Aviv), and numerous service opportunities that bring awareness to usable security issues to a wider audience.

Here, we detail our research efforts in the previous year for the following topic areas, which are all related to the hard problem of Human Behavior and Metrics:

• Improving Password Memorability
• Measuring Cueing Language in User Graphical Password Selection
• Understanding, Measuring and Applying User Perceptions of Security and Usability
• Privacy Conscious URL Sharing

We also outline how this research effort continues in Year 2.  One theme that persists is the focus on usable security issues related to mobile devices. Clearly, as mobile devices, such as smartphones, tablets, etc., continue to proliferate as the primary computer for many individuals, understanding the usability and security impact remain a primary focus for this research effort. 

Improving Password Memorability: This project is based around designing mechanisms to help people remember passwords more effectively. Password resets are a point of insecurity, so the more often people can remember passwords, the more reduced this risk point becomes.  We have designed an experiment to test how well memorization techniques can be applied to passwords.

The core idea behind this work is that if people use a password enough, it will eventually become part of their long-term memory. There are various "schedules" that people use to memorize other things, like words for standardized tests such as the GRE or SAT.  We are testing whether prompting people to recall a password on such a schedule can improve long term recall of the password.

In Year 1, we designed and deployed a pilot test of this experiment. After that success, we revised the protocol and replaced a web-based interface with email reminders.

This year, we ran a first round of experiments in a web-based environment and in an app (discussed below). Our initial web-based results showed subjects frequently resetting their passwords in both conditions. Interviews with subjects revealed that this was because the number of passwords we asked them to create and remember (six, three for each condition) was too difficult to keep track of. Thus, we have simplified the experiment, asking users to create only two passwords - one for each conditinon (control and reminder-prompted). 

In year 1, we had been developing an iPhone app called CrainTrain, which we developed, that is a generic tool for helping with memorization. This year we adapted that. Initial experiments showed unreliable results because our first version of the app showed users their passwords when they could not remember them. Since this is not a secure option for real password systems, we have changed the app to require users to enter the password and not have the option to see the correct password if the answer is incorrect. We plan to use this revised app for our experiments going forward. 

The app (Figure 1) will prompt people to recall their password on a schedule with decreasing frequency  and to compare their accuracy rates with that for passwords where they were not prompted over time to help with memorization. Success with this experiment would suggest techniques for improving the rate at which people remember important password, minimizing resets and the associated risks.

Figure 1: The CrainTrain screen where users enter a prompt ("What is your password") and answer (the actual password)

Measuring Cueing Language in User Graphical Password Selection. When users are asked to select passwords, they are asked to select a "strong" password, but how effective is this language as compared to other language choices, such as "unique"  or "secure" or other visual or textual indicators that could be use prior to selecting a password? Current efforts in this domain are developing an empirical research methodology that can test hypotheses regarding user queuing and their eventual password selection, focusing first on graphical passwords and later extending to text based passwords. The results of this research will lead to the better design of security procedures, which could "nudge" users towards more secure choices.

At the end of Year 1, with efforts from research students Jeanne Lunig-Prak and Devon Budzitowski, we have developed a pilot study to be run on Amazon Mechanical Turk.  The survey requires participants to select an initial graphical password which they will be then cued that that choice was insufficient in some way. A participate selects again after the cue, and the difference between these choices, and a later test of recall, informs us of how well the cueing works for different cue.  This research effort will continue into Year 2. 

Figure 2: A sample cue from pilot study on improving password choice

Understanding, Measuring, and Applying User Perceptions of Security and Usability. This research focuses on using empirical studies (surveys) to understand perceptions of security and usability in visual systems. Current research has focused on the graphical password system used by Android, and a large dataset of pair-wise preferences has been collected. The next phase of the research is to apply what we have learned to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. The research goal is to design systems where users' perceptions of security match some known metric of security, thus inducing security by design.

This research effort has led to the publication and presentation of research at the 2014 Annual Computer Security Applications Conference (ACSAC’14). The research effort of Dane Fichter, an undergraduate student at Swarthmore College, led to the design of a large on-line survey where users chose between two graphical passwords to indicate a security preference. The findings of this research are that more spatial features, such as left vs. right shifting had little effect on perceptions, while more complex features, such as crosses, had a much large effect.  

Following this research, we conducted two studies to better understand perceptions. Jeanne Luning-Prak, a summer high school intern during the summer of 2014, designed and launched a survey to have participants self-report their Android password patterns. The survey is ongoing, and over 750 individuals have completed the survey. Interesting, preliminary findings show that, in contrast to perceptions, users select patterns where shifting and shapes play a much larger roll. We hope to correlate this information with various demographic data collected during the survey as well as inquiries regarding privacy perceptions of mobile devices, generally.  

Research student Devon Budzitowski (Fall’15) followed up on the study to see if the number of contact points in the grid (3x3 vs. 4x4) change the perceptions of security. We have conducted an in-person survey where participants both choose graphical passwords of their own and try and guess other participants passwords. The study conducted with both 3x3 and 4x4 grid sizes provides a nice comparison point to understand both what participants are choosing for them selves, and what they believe others might choose.  

Based on these efforts. We have submitted a paper to ACSAC'15 that measures the impact of grid size on user choice based on the in-person lab study and the on-line self-reported data. We have also submitted two posters (which were accepted) to SOUPS'15: one poster focusing on differences in grid size and one on observed differences in the collection methodology.

As a new effort in this domain, a student capstone team at USNA has been investigating if the keyboard layout on mobile devices impacts password choice as well as the efficiency of password entry. Capstone students Cody Vernon, Ryan Kelly,  Matthew Sommers, Ethan Genco, Didar Alam, and Kyle Hawkins have spent much of the Fall’14 and Spring’15 developing new keyboards for mobile devices that adjust the layout and provide user input during password selection. We have also developed a pilot study to measure the performance of the new keyboard, and this research will continue into Year 2. A poster is currently being prepared about this research effort to be presented at SOUPS’15. 

Figure 3: A sample password entry keyboard which more promenantly displays special symbols and numbers to encourage their use (left); A sample telepathwords keyboard (center); and an alternative layout using wheales (right).

Finally, continuing the efforts from Y1, high school intern student has developed a new application to help users select patterns that are less guessable. We intend to release a stand alone application into the Android marketplace that would aid users in selecting more secure patterns, and those users can optionally report the patterns they choose (and some other statistics) for analysis. The application has both a meter based on ranking patterns on guessability, using data collected in the surveys noted above, and also a telepath-words like system where based on each selected contact point, a recommendation for next contact points are provided. 

Figure 4: A sample instruction of the Lines Less Traveled application which will help users select more secure applications. 

SERVICE

Program Co-Chair service by Adam Aviv. 8th Workshop on Cyber Security Evaluation and Test (CSET’15).

Wireless Security Track Chair for IEEE VTC Fall 2015 service by Adam Aviv. IEEE Vehical Technoligy Conference.

Invited Talk at IEEE Intelligence and Security Informatics Conferences May 2015. 

Invited Talk at University of Maryland Baltimore County on “Human Factors in Mobile Device Authentication.” Jan 16, 2015.

Invited Talk at Carnegie Melon University on “Measuring Visual Perceptions of Security: Case study of Android’s Graphical Password” Jul 2, 2014.

Coursera MOOC  "Usable Security" offered once in 2014, once in 2015. A total of 55,000 students registered for this course

Keynote Presentation  by Jennifer Golbeck, "Privacy and Social Media", presented at Howard County Gifted Middle School Expo, May 29, 2015

Keynote Presentation by Jennifer Golbeck, "Data Analytics and Security" presented at Ingram Micro Vantage Kansas City, February 18, 2015.

Keynote Presentation by Jennifer Golbeck, "Toward Usable Security", presented at National Cyber Security Awareness Month, ATS, Inc.

PUBLICATIONS

Papers published in Year 1

• Understanding Visual Perceptions of Usability and Security of Android's Graphical Password Pattern. Adam J. Aviv and Dane Fichter. Procedings of the 30th Annual Computer Security Applications Conference (ACSAC), 2014.
   
• Measuring Privacy Disclosures in URL Query Strings. Andrew G. West and Adam J. Aviv. Internet Computing, IEEE, 18(6): 52-59, 2014.

• On the Privacy Concerns of URL Query Strings . Andrew G. West and Adam J. Aviv. Workshop on Web 2.0 Security and Privacy. May, 2014.

• A Self-Report Survey of Android Unlock Passwords. Jeanne Luning-Prak and Adam J. Aviv. Poster presentation at ACSAC 2014.

 Papers submitted for publication

• SoK: Humans in security Systems. J. Golbeck, M. Mazurek, and C. Mayhorn. Submitted to IEEE Security & Privacy.

• Is Bigger Better? Comparing User Generated Passwords on 3x3 vs 4x4 Grid Sizes for Android's Pattern Unlock. Adam J. Aviv, Devon Budzitowski, and Ravi Kuber. Submitted to Anual Aplied Computer Security Conference (ACSAC)

Accepted Posters

• Do Bigger Grid Sizes Mean Better Passwords? 3x3 vs. 4x4 Grid Sizes for Android Unlock Patterns. Devon Budzitowski, Adam J. Aviv, and Ravi Kuber. Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.

• Comparisons of Data Collection Methods for Android Graphical Pattern Unlock. Adam J. Aviv and Jeanne Luning-Prak.  Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.

• Alternative Keyboard Layouts for Improved Password Entry and Creation on Mobile Devices. Ethan Genco, Ryan Kelley, Cody Vernon and Adam J. Aviv.  Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.