User-Centered Design for Security - UMD - April 2016
Public Audience
PI(s): Jen Golbeck and Adam J. Aviv
Researchers: Yehuda Katz, Zahra Ashktorab, Dane Fichter, Jeanne Luning-Prak, Devon Budzitowski, Ryan Kelly, Mathew Sommers, Ethan Genco, Didar Alan, Kyle Hawkins, Cody Vernon, Justin Maguire, John Davin, Susanna Heidt, Jacob Brown, Hunter Lamp, Thomas Armistead, Alexander Huang
HARD PROBLEM(S) ADDRESSED
Human Behavior; Metrics
PROJECT OVERVIEW
Our goal is to better understand human behavior within security systems, and to use that knowledge to propose, design, and build better security systems. When humans are involved in security systems in any way, usability is important. A system that is designed around natural human memory, attention, and cognitive abilities will be easy to use and lead people toward acting in secure ways; systems that force users into inherently difficult tasks lead to people circumventing security guidelines or protocols in order to get their tasks done efficiently.
In the first year of this project and continuing into year two, we are undertaking several efforts in the usable security space; in particular in the space of understanding the security and usabily of text and graphical passwords. The concrete results of this research effort is the development of new classes (PI Golbeck), the sponsor of capstone projects (PI Aviv), the presentation and publication of papers (PI Golbeck and PI Aviv), and numerous service opportunities that bring awareness to usable security issues to a wider audience.
Here, we detail our research efforts in the previous year for the following topic areas, which are all related to the hard problem of Human Behavior and Metrics:
- Improving Password Memorability
- Measuring Cueing Language in User Graphical Password Selection
- Understanding, Measuring and Applying User Perceptions of Security and Usability
- Privacy Conscious URL Sharing
We also outline how this research effort continues. One theme that persists is the focus on usable security issues related to mobile devices. Clearly, as mobile devices, such as smartphones, tablets, etc., continue to proliferate as the primary computer for many individuals, understanding the usability and security impact remain a primary focus for this research effort.
UPDATES SINCE LAST REPORT: Since the last report, we had a paper accepted at the journal Future Internet on privacy understanding. We have also launched a new version of our password memorability study.
Since the last report, we are happy to report that we have two new accepted publications one at the Usable Security Workshop (USEC) and one at the iConference, and we have presented a paper at the Annual Security Applications Conference (ACSAC). Further updates include the expansion of the research in aiding users in selecting graphical passwords and developing new methods for measuring the vulnerability of passwords to shoulder surfing.
----------------------------------------------------
Improving Password Memorability: This project is based around designing mechanisms to help people remember passwords more effectively. Password resets are a point of insecurity, so the more often people can remember passwords, the more reduced this risk point becomes. We have designed an experiment to test how well memorization techniques can be applied to passwords.
The core idea behind this work is that if people use a password enough, it will eventually become part of their long-term memory. There are various "schedules" that people use to memorize other things, like words for standardized tests such as the GRE or SAT. We are testing whether prompting people to recall a password on such a schedule can improve long term recall of the password.
In Year 1, we designed and deployed a pilot test of this experiment. After that success, we revised the protocol and replaced a web-based interface with email reminders.
This year, we ran a first round of experiments in a web-based environment and in an app (discussed below). Our initial web-based results showed subjects frequently resetting their passwords in both conditions. Interviews with subjects revealed that this was because the number of passwords we asked them to create and remember (six, three for each condition) was too difficult to keep track of. Thus, we have simplified the experiment, asking users to create only two passwords - one for each conditinon (control and reminder-prompted).
In year 1, we had been developing an iPhone app called CrainTrain, which we developed, that is a generic tool for helping with memorization. This year we adapted that. Initial experiments showed unreliable results because our first version of the app showed users their passwords when they could not remember them. Since this is not a secure option for real password systems, we have changed the app to require users to enter the password and not have the option to see the correct password if the answer is incorrect. We plan to use this revised app for our experiments going forward.
The app (Figure 1) will prompt people to recall their password on a schedule with decreasing frequency and to compare their accuracy rates with that for passwords where they were not prompted over time to help with memorization. Success with this experiment would suggest techniques for improving the rate at which people remember important password, minimizing resets and the associated risks.
Figure 1: The CrainTrain screen where users enter a prompt ("What is your password") and answer (the actual password)
Since our last report, we have released a new version of the app, improved based on feedback from our pilot studies, and are collecting what we expect will be a final round of data for eventual publication.
Measuring Cueing Language in User Graphical Password Selection. When users are asked to select passwords, they are asked to select a "strong" password, but how effective is this language as compared to other language choices, such as "unique" or "secure" or other visual or textual indicators that could be use prior to selecting a password? Current efforts in this domain are developing an empirical research methodology that can test hypotheses regarding user queuing and their eventual password selection, focusing first on graphical passwords and later extending to text based passwords. The results of this research will lead to the better design of security procedures, which could "nudge" users towards more secure choices.
At the end of Year 1, with efforts from research students Jeanne Lunig-Prak and Devon Budzitowski, we have developed a pilot study to be run on Amazon Mechanical Turk. The survey requires participants to select an initial graphical password which they will be then cued that that choice was insufficient in some way. A participate selects again after the cue, and the difference between these choices, and a later test of recall, informs us of how well the cueing works for different cue. This research effort will continue into Year 2.
Figure 2: A sample cue from pilot study on improving password choice
Understanding, Measuring, and Applying User Perceptions of Security and Usability. This research focuses on using empirical studies (surveys) to understand perceptions of security and usability in visual systems. Current research has focused on the graphical password system used by Android, and a large dataset of pair-wise preferences has been collected. The next phase of the research is to apply what we have learned to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. The research goal is to design systems where users' perceptions of security match some known metric of security, thus inducing security by design.
This research effort has led to the publication and presentation of research at the 2014 Annual Computer Security Applications Conference (ACSAC’14). The research effort of Dane Fichter, an undergraduate student at Swarthmore College, led to the design of a large on-line survey where users chose between two graphical passwords to indicate a security preference. The findings of this research are that more spatial features, such as left vs. right shifting had little effect on perceptions, while more complex features, such as crosses, had a much large effect.
Following this research, we conducted two studies to better understand perceptions. Jeanne Luning-Prak, a summer high school intern during the summer of 2014, designed and launched a survey to have participants self-report their Android password patterns. The survey has been completed with over 750 individual respondants. Based on these results for 3x3 patterns, we have published a paper with USNA research student Devon Budzitowski (Spring’15) that asked the quwestion, do bigger grid sizes increase security?
In that research project, we conducted multiple in-person surveys where participants both choose graphical passwords of their own and try and guess other participants passwords for grid sizes of 3x3 and 4x4. We found that there were some differences in terms of security, using the Partial Guessablity metric, overall, the strength of most 4x4 patterns is not significantly beteter than 3x3 patterns and not much better than a 3 digit PIN. Based on these efforts, we submitted and presented an accepted paper at ACSAC'15, and we presented posters at SOUPS (based on both the self-reporting data and the in-person patterns).
Using both the self-reported data and the in-lab 3x3 data, we conducted a comprehensive analytic comparisons of the collection methods and the demographics that affect graphical passwords of users. Interestingly, we did find that within gender and handedness, there is some differences, namely, women participants tend to right shift their patterns. However, in support of our prior work, we don't find major differences between patterns collect in-lab and those collected online via self-reporting. We submitted a paper on this topic and were accepted for publication at USEC'16.
User Perception of Data Sharing and Privacy
Since our last report, we have completed a paper on user perception and understanding of privacy issues related to personal information sharing in apps. In the paper which we just published in Future Internet, we focused on Facebook apps and set out to understand how concerned users are about privacy and how well-informed they are about what personal data apps can access. We found that initially, subjects were generally under-informed about what data apps could access from their profiles. After viewing additional information about these permissions, subjects' concern about privacy on Facebook increased. Subjects' understanding of what data apps were able to access increased, although even after receiving explicit information on the topic, many subjects still did not fully understand the extent to which apps could access their data.
Projects Winding Up
In the Spring of 2016, Aviv has recruited two new undergraduate researcher students to work on related projects in the area of aiding users in selecting graphical passwords and designing methodologies to measure the security of mobile authenitcation systems against shoulder surfing attacks.
Continuing the efforts from Y1 and Y2, Sussanna Heidt will build upon Jeanne Luning-Prak's (the high school intern student) in developing a new application to help users select patterns that are less guessable. We intend to release a stand alone application into the Android marketplace that would aid users in selecting more secure patterns, and those users can optionally report the patterns they choose (and some other statistics) for analysis. The application has both a meter based on ranking patterns on guessability, using data collected in the surveys noted above, and also a telepath-words like system where based on each selected contact point, a recommendation for next contact points are provided.
Figure 3: A sample instruction of the Lines Less Traveled application which will help users select more secure applications.
Undergradaute student John Davin will spearhead a new project on measuring the strength of authentication systems to shoulder surfing attacks. To do this, we will develop a new methodology that can properly measure this vulnerability. The method will include performing a series of recordings of a users authenticating on mobile device from multiple camera angles and multiple authentication system (e.g., PIN, pattern, password). We will then recruit participants to perform as attackes and attempt to measure how succesful those attacks are under various conditions of the test. We expect this project to continue in Year 3 of this project.
Figure 4: Sample videos for measuring shoulder surfing from multiple angles.
Finally, a captsone project spear heading by a group of four midshipman at usna will be investigating a new metric for on-line attacks of graphical patterns. They will be building a lego-robot that can interact with a smatphone touchscreen and enter graphical passwords. By programming this robot to enter patterns in a particular order, we can use the amount of time (in an online setting) to determine the relative strength of breaking into a device in an automated way. Prior work considers only offline attacks, this will enable metrics in online attacks.
Projects Winding Down
An effort during the last quater by student capstone team at USNA has been investigating if the keyboard layout on mobile devices impacts password choice as well as the efficiency of password entry. Capstone students Cody Vernon, Ryan Kelly, Matthew Sommers, Ethan Genco, Didar Alam, and Kyle Hawkins have spent much of the Fall’14 and Spring’15 developing new keyboards for mobile devices that adjust the layout and provide user input during password selection. We completed a pilot study to measure the performance of the new keyboard, and we have presetned a poster on this research effort to be presented at SOUPS’15.
Figure 5: A sample password entry keyboard which more promenantly displays special symbols and numbers to encourage their use (left); A sample telepathwords keyboard (center); and an alternative layout using wheales (right).
SERVICE
"Security and Social Engineering" Time Warner Security Summit (Keynote) Santa Monica, CA (Jen Golbeck)
"Data Analytics of Security", Ingram Micro Vantage Denver (Keynote), Denver, CO (Jen Golbeck)
"Human Side of Security", Ingram Micro Vantage Kansas City, Kansas City, MO (Jen Golbeck)
Program Committee Member, Adam Aviv, Privacy Enahcing Technology Symposium (PETS'16)
Workshop and Tutorrial Chair, Adam Aviv, at Symposium on Usable Security and Privacy (SOUPS'16)
Invited Talk by Adam Aviv at Carnegie Mellon University (Feb. 2016)
Invited Talk by Adam Aviv at the DC-Area Privacy and Security Meeting (Nov. 2015)
Program Committee Member by Adam Aviv for Usable Security Worksop (USEC'16)
Program Committee Member by Adam Aviv for Symposium on Access control Models and Technologies (SACMAT'16)
Program Committee Member by Adam Aviv for Privacy Enhancing Technology Symposium (PETS'15, PETS'16)
Program Co-Chair service by Adam Aviv, 8th Workshop on Cyber Security Evaluation and Test (CSET’15).
Wireless Security Track Chair for IEEE VTC Fall 2015 service by Adam Aviv. IEEE Vehical Technology Conference.
Invited Talk at IEEE Intelligence and Security Informatics Conferences May 2015.
Invited Talk by Adam Aviv at University of Maryland Baltimore County on “Human Factors in Mobile Device Authentication.” Jan 16, 2015.
Invited Talk by Adam Aviv at Carnegie Melon University on “Measuring Visual Perceptions of Security: Case study of Android’s Graphical Password” Jul 2, 2014.
Coursera MOOC, Jennifer Golbeck, "Usable Security" offered once in 2014, once in 2015. A total of 55,000 students registered for this course
Keynote Presentation by Jennifer Golbeck, "Privacy and Social Media", presented at Howard County Gifted Middle School Expo, May 29, 2015
Keynote Presentation by Jennifer Golbeck, "Data Analytics and Security" presented at Ingram Micro Vantage Kansas City, February 18, 2015.
Keynote Presentation by Jennifer Golbeck, "Toward Usable Security", presented at National Cyber Security Awareness Month, ATS, Inc.
PUBLICATIONS
Papers/Workshops/Posters published in Year 3
- Analyzing the Impact of Collection Methods and Demographics for Android's Pattern Unlock. Adam J. Aviv, Justin Maguire, and Jeanne Luning-Prack. In the proceedings of the Worskhopt on Usable Security (USEC). 2016
- Developing and Evaluating a Gestural and Tactile Mobile Interface to Support User Authentication. Abdullah Ali, Adam J. Aviv, and Ravi Kuber. To apear at the iConference. 2016
- User Perception of Facebook App Data Access: A Comparison of Methods and Privacy Concerns. Jennifer Golbeck, Matthew Louis Mauriello.Future Internet, 8(2), 9. 2016.
Papers/Workshop/Posters published in Year 2
- Is Bigger Better? Comparing User Generated Passwords on 3x3 vs 4x4 Grid Sizes for Android's Pattern Unlock. Adam J. Aviv, Devon Budzitowski, and Ravi Kuber. In the proceedings of Anual Aplied Computer Security Conference (ACSAC). 2015
-
Do Bigger Grid Sizes Mean Better Passwords? 3x3 vs. 4x4 Grid Sizes for Android Unlock Patterns. Devon Budzitowski, Adam J. Aviv, and Ravi Kuber. Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.
-
Comparisons of Data Collection Methods for Android Graphical Pattern Unlock. Adam J. Aviv and Jeanne Luning-Prak. Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.
-
Alternative Keyboard Layouts for Improved Password Entry and Creation on Mobile Devices. Ethan Genco, Ryan Kelley, Cody Vernon and Adam J. Aviv. Poster to be presented at Symposium on Usable Security and Privacy (SOUPS). 2015.
Papers/Workshops/Posters published in Year 1
- Understanding Visual Perceptions of Usability and Security of Android's Graphical Password Pattern. Adam J. Aviv and Dane Fichter. Procedings of the 30th Annual Computer Security Applications Conference (ACSAC), 2014.
- Measuring Privacy Disclosures in URL Query Strings. Andrew G. West and Adam J. Aviv. Internet Computing, IEEE, 18(6): 52-59, 2014.
-
On the Privacy Concerns of URL Query Strings . Andrew G. West and Adam J. Aviv. Workshop on Web 2.0 Security and Privacy. May, 2014.
- A Self-Report Survey of Android Unlock Passwords. Jeanne Luning-Prak and Adam J. Aviv. Poster presentation at ACSAC 2014.
Papers submitted for Publication
- SoK: Humans in Security Systems. J. Golbeck, M. Mazurek, and C. Mayhorn. Submitted to IEEE Security & Privacy.