User-Centered Design for Security - UMD - October 2015
Public Audience
PI(s): Jen Golbeck and Adam J. Aviv
Researchers: Yehuda Katz, Zahra Ashktorab, Dane Fichter, Jeanne Luning-Prak, Devon Budzitowski, Ryan Kelly, Mathew Sommers, Ethan Genco, Didar Alan, Kyle Hawkins, Cody Vernon, Justin Maguire, John Davin
HARD PROBLEM(S) ADDRESSED
Human Behavior; Metrics
PROJECT OVERVIEW
Our goal is to better understand human behavior within security systems, and to use that knowledge to propose, design, and build better security systems. When humans are involved in security systems in any way, usability is important. A system that is designed around natural human memory, attention, and cognitive abilities will be easy to use and lead people toward acting in secure ways; systems that force users into inherently difficult tasks lead to people circumventing security guidelines or protocols in order to get their tasks done efficiently.
In the first year of this project and continuing into year two, we are undertaking several efforts in the usable security space, in particular understanding the security and usability of text and graphical passwords. The concrete results of this research effort are the development of new classes (PI Golbeck), the sponsorship of capstone projects (PI Aviv), the presentation and publication of papers (PI Golbeck and PI Aviv), and numerous service opportunities that bring awareness of usable security issues to a wider audience.
Here, we detail our research efforts in the previous year for the following topic areas, which are all related to the hard problem of Human Behavior and Metrics:
- Improving Password Memorability
- Measuring Cueing Language in User Graphical Password Selection
- Understanding, Measuring and Applying User Perceptions of Security and Usability
- Privacy Conscious URL Sharing
We also outline how this research effort continues in Year 2. One theme that persists is the focus on usable security issues related to mobile devices. Clearly, as mobile devices such as smartphones and tablets continue to proliferate as the primary computer for many individuals, understanding their usability and security impact remains a primary focus for this research effort.
UPDATES SINCE LAST REPORT: Since the last report, we are happy to report that we have one new accepted publication at the Annual Computer Security Applications Conference (ACSAC) in the space of cueing language, focusing on graphical passwords. The paper reports the results of measuring the grid size difference (3x3 vs. 4x4) for the pattern unlock graphical password system used on Android devices. The finding is that increasing the grid size has minimal effect on guessability despite there being many more available patterns. Thus, in the end, human factors (a hard problem we are addressing) are what limit the expected increase in security. The paper reference is included below.
Further updates include: additional papers have been submitted for review at a conference on haptic feedback in graphical passwords, additional committee service and outreach, and more invited talks and presentations. Finally, additional efforts are underway to advance new directions for the Spring semester by recruiting new undergraduate students into the project.
----------------------------------------------------
Improving Password Memorability: This project is based around designing mechanisms to help people remember passwords more effectively. Password resets are a point of insecurity, so the more often people can remember their passwords, the smaller this risk becomes. We have designed an experiment to test how well memorization techniques can be applied to passwords.
The core idea behind this work is that if people use a password enough, it will eventually become part of their long-term memory. There are various "schedules" that people use to memorize other things, like words for standardized tests such as the GRE or SAT. We are testing whether prompting people to recall a password on such a schedule can improve long term recall of the password.
In Year 1, we designed and deployed a pilot test of this experiment. After that success, we revised the protocol and replaced a web-based interface with email reminders.
This year, we ran a first round of experiments in a web-based environment and in an app (discussed below). Our initial web-based results showed subjects frequently resetting their passwords in both conditions. Interviews with subjects revealed that this was because the number of passwords we asked them to create and remember (six, three for each condition) was too difficult to keep track of. Thus, we have simplified the experiment, asking users to create only two passwords, one for each condition (control and reminder-prompted).
In Year 1, we had been developing an iPhone app called CrainTrain, a generic tool for helping with memorization. This year we adapted it for these experiments. Initial experiments showed unreliable results because our first version of the app showed users their passwords when they could not remember them. Since this is not a secure option for real password systems, we have changed the app to require users to enter the password, with no option to see the correct password if the answer is incorrect. We plan to use this revised app for our experiments going forward.
The app (Figure 1) prompts people to recall their password on a schedule with decreasing frequency, and the experiment compares their accuracy rates with those for passwords where they were not prompted over time. Success with this experiment would suggest techniques for improving the rate at which people remember important passwords, minimizing resets and the associated risks.
Figure 1: The CrainTrain screen where users enter a prompt ("What is your password") and answer (the actual password)
Measuring Cueing Language in User Graphical Password Selection. When users are asked to select passwords, they are asked to select a "strong" password, but how effective is this language compared to other language choices, such as "unique" or "secure", or other visual or textual indicators that could be used prior to selecting a password? Current efforts in this domain are developing an empirical research methodology that can test hypotheses regarding user cueing and eventual password selection, focusing first on graphical passwords and later extending to text-based passwords. The results of this research will lead to the better design of security procedures, which could "nudge" users towards more secure choices.
At the end of Year 1, with efforts from research students Jeanne Luning-Prak and Devon Budzitowski, we developed a pilot study to be run on Amazon Mechanical Turk. The survey requires participants to select an initial graphical password, after which they are cued that the choice was insufficient in some way. A participant selects again after the cue, and the difference between the two choices, together with a later test of recall, tells us how well each cue works. This research effort will continue into Year 2.
Figure 2: A sample cue from pilot study on improving password choice
Understanding, Measuring, and Applying User Perceptions of Security and Usability. This research focuses on using empirical studies (surveys) to understand perceptions of security and usability in visual systems. Current research has focused on the graphical password system used by Android, and a large dataset of pair-wise preferences has been collected. The next phase of the research is to apply what we have learned to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. The research goal is to design systems where users' perceptions of security match some known metric of security, thus inducing security by design.
This research effort has led to the publication and presentation of research at the 2014 Annual Computer Security Applications Conference (ACSAC'14). The research effort of Dane Fichter, an undergraduate student at Swarthmore College, led to the design of a large on-line survey where users chose between two graphical passwords to indicate a security preference. The findings of this research are that simple spatial features, such as left vs. right shifting, had little effect on perceptions, while more complex features, such as crosses, had a much larger effect.
Following this research, we conducted two studies to better understand perceptions. Jeanne Luning-Prak, a high school intern during the summer of 2014, designed and launched a survey to have participants self-report their Android password patterns. The survey is ongoing, and over 750 individuals have completed it. Interestingly, preliminary findings show that, in contrast to perceptions, users select patterns where shifting and shapes play a much larger role. We hope to correlate this information with the demographic data collected during the survey, as well as with responses to questions about privacy perceptions of mobile devices generally.
Research student Devon Budzitowski (Fall'15) followed up on the study to see if the number of contact points in the grid (3x3 vs. 4x4) changes perceptions of security. We conducted an in-person survey where participants both choose graphical passwords of their own and try to guess other participants' passwords. Conducting the study with both 3x3 and 4x4 grid sizes provides a useful comparison point for understanding both what participants choose for themselves and what they believe others might choose.
Based on these efforts, we have submitted a paper to ACSAC'15 that measures the impact of grid size on user choice based on the in-person lab study and the on-line self-reported data. We have also submitted two posters (which were accepted) to SOUPS'15: one poster focusing on differences in grid size and one on observed differences in the collection methodology.
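The grid-size comparison (in the updates above and in the 3x3 vs. 4x4 study here) contrasts the patterns people actually choose with how many patterns each grid admits. As an added example that is not part of this report or its studies, the following Python enumerates the theoretical pattern space under Android's drawing rule, which we assume here to be: a stroke may not pass over an unvisited contact point (Android adds that point to the pattern instead), so the "ever more available patterns" of the 4x4 grid can be put next to the guessability findings.

```python
from itertools import product
from math import gcd

def valid_patterns(n, min_len=4, max_len=None):
    """Yield unlock patterns on an n x n grid under Android's drawing rule
    (assumed here): each point is visited at most once, and a stroke may
    pass over an intermediate lattice point only if it was already visited;
    otherwise the point is added to the pattern, so skipping it is not a
    distinct choice."""
    if max_len is None:
        max_len = n * n
    points = list(product(range(n), repeat=2))

    def intermediates(a, b):
        # lattice points strictly between a and b on the straight line a -> b
        (r1, c1), (r2, c2) = a, b
        steps = gcd(abs(r2 - r1), abs(c2 - c1))
        dr, dc = (r2 - r1) // steps, (c2 - c1) // steps
        return [(r1 + k * dr, c1 + k * dc) for k in range(1, steps)]

    between = {(a, b): intermediates(a, b)
               for a in points for b in points if a != b}

    def extend(path, visited):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in points:
            # skip used points and jumps that would pass over an unused point
            if nxt in visited or any(p not in visited
                                     for p in between[(path[-1], nxt)]):
                continue
            visited.add(nxt)
            path.append(nxt)
            yield from extend(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in points:
        yield from extend([start], {start})

def count_by_length(n, min_len=4, max_len=None):
    """Return {pattern_length: number_of_valid_patterns} for an n x n grid.
    3x3 enumerates fully in seconds; 4x4 runs into the billions, so pass
    max_len to bound the search there."""
    counts = {}
    for pat in valid_patterns(n, min_len, max_len):
        counts[len(pat)] = counts.get(len(pat), 0) + 1
    return counts
```

For the 3x3 grid the enumeration gives 389,112 patterns of length 4 to 9; the report's point is that this count, and its far larger 4x4 counterpart, says little about guessability when users draw from a much smaller set of popular shapes.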
As a new effort in this domain, a student capstone team at USNA has been investigating if the keyboard layout on mobile devices impacts password choice as well as the efficiency of password entry. Capstone students Cody Vernon, Ryan Kelly, Matthew Sommers, Ethan Genco, Didar Alam, and Kyle Hawkins have spent much of the Fall’14 and Spring’15 developing new keyboards for mobile devices that adjust the layout and provide user input during password selection. We have also developed a pilot study to measure the performance of the new keyboard, and this research will continue into Year 2. A poster is currently being prepared about this research effort to be presented at SOUPS’15.
Figure 3: A sample password entry keyboard which more prominently displays special symbols and numbers to encourage their use (left); a sample telepathwords keyboard (center); and an alternative layout using wheels (right).
Finally, continuing the efforts from Y1, a high school intern has developed a new application to help users select patterns that are less guessable. We intend to release a stand-alone application into the Android marketplace that would aid users in selecting more secure patterns; those users can optionally report the patterns they choose (and some other statistics) for analysis. The application has both a meter that ranks patterns by guessability, using data collected in the surveys noted above, and a telepathwords-like system that, based on each selected contact point, recommends the next contact points.
Figure 4: A sample instruction from the Lines Less Traveled application, which will help users select more secure patterns.
SERVICE
Invited Talk by Adam Aviv at the DC-Area Privacy and Security Meeting (Nov. 2015)
Program Committee Member by Adam Aviv for Usable Security Workshop (USEC'16)
Program Committee Member by Adam Aviv for Symposium on Access Control Models and Technologies (SACMAT'16)
Program Committee Member by Adam Aviv for Privacy Enhancing Technologies Symposium (PETS'15, PETS'16)
Program Co-Chair service by Adam Aviv. 8th Workshop on Cyber Security Evaluation and Test (CSET'15).
Wireless Security Track Chair service by Adam Aviv for IEEE VTC Fall 2015 (IEEE Vehicular Technology Conference).
Invited Talk at IEEE Intelligence and Security Informatics Conferences May 2015.
Invited Talk by Adam Aviv at University of Maryland Baltimore County on “Human Factors in Mobile Device Authentication.” Jan 16, 2015.
Invited Talk by Adam Aviv at Carnegie Mellon University on "Measuring Visual Perceptions of Security: Case Study of Android's Graphical Password", Jul 2, 2014.
Coursera MOOC "Usable Security" offered once in 2014, once in 2015. A total of 55,000 students registered for this course.
Keynote Presentation by Jennifer Golbeck, "Privacy and Social Media", presented at Howard County Gifted Middle School Expo, May 29, 2015
Keynote Presentation by Jennifer Golbeck, "Data Analytics and Security" presented at Ingram Micro Vantage Kansas City, February 18, 2015.
Keynote Presentation by Jennifer Golbeck, "Toward Usable Security", presented at National Cyber Security Awareness Month, ATS, Inc.
PUBLICATIONS
Papers/Workshops/Posters published (or to appear) in Year 2
- Is Bigger Better? Comparing User Generated Passwords on 3x3 vs 4x4 Grid Sizes for Android's Pattern Unlock. Adam J. Aviv, Devon Budzitowski, and Ravi Kuber. Submitted to Annual Computer Security Applications Conference (ACSAC).
- Do Bigger Grid Sizes Mean Better Passwords? 3x3 vs. 4x4 Grid Sizes for Android Unlock Patterns. Devon Budzitowski, Adam J. Aviv, and Ravi Kuber. Poster to be presented at Symposium on Usable Privacy and Security (SOUPS), 2015.
- Comparisons of Data Collection Methods for Android Graphical Pattern Unlock. Adam J. Aviv and Jeanne Luning-Prak. Poster to be presented at Symposium on Usable Privacy and Security (SOUPS), 2015.
- Alternative Keyboard Layouts for Improved Password Entry and Creation on Mobile Devices. Ethan Genco, Ryan Kelley, Cody Vernon and Adam J. Aviv. Poster to be presented at Symposium on Usable Privacy and Security (SOUPS), 2015.
Papers/Workshops/Posters published in Year 1
- Understanding Visual Perceptions of Usability and Security of Android's Graphical Password Pattern. Adam J. Aviv and Dane Fichter. Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), 2014.
- Measuring Privacy Disclosures in URL Query Strings. Andrew G. West and Adam J. Aviv. Internet Computing, IEEE, 18(6): 52-59, 2014.
- On the Privacy Concerns of URL Query Strings. Andrew G. West and Adam J. Aviv. Workshop on Web 2.0 Security and Privacy. May 2014.
- A Self-Report Survey of Android Unlock Passwords. Jeanne Luning-Prak and Adam J. Aviv. Poster presentation at ACSAC 2014.
Papers submitted for Publication
- SoK: Humans in Security Systems. J. Golbeck, M. Mazurek, and C. Mayhorn. Submitted to IEEE Security & Privacy.
- Developing and Evaluating a Gestural and Tactile Mobile Interface to Support User Authentication. Abdullah Ali, Adam J. Aviv, and Ravi Kuber. Submitted to the iConference.