Cybersecurity research and development has mainly focused on technical solutions to increase security. However, the greatest weakness of many systems is the user. [ Interactions: Feature (May + June) ]
Usable Authentication Guidelines:
Instead of viewing users as the inevitable weak point in the authentication process, we propose that authentication interfaces be designed to take advantage of users’ natural abilities. This approach requires that we understand how interactions with authentication interfaces can be improved and what human capabilities can be exploited. This work has resulted in a working graphical authentication prototype (Cain & Still, in press) and an associated provisional patent. To begin bridging the gap between research and practice, we have consolidated the recognized usability issues into a list of authentication design guidelines (Still, Cain, & Schuster, 2017). In addition, we have started to explore the over-the-shoulder-attack vector from a behavioral perspective (e.g., Cain, Werner, & Still, 2017; Cain, Chiu, Santiago, & Still, 2016), which is a recognized weakness of next-gen graphical authentication.
We depend on authentication methods to protect our valuables from impersonators. These methods need to be able to, at minimum, prevent casual attackers with limited resources from gaining access to our valuables.
Rapid Serial Visual Presentation (RSVP) Method for Graphical Authentication
The RSVP authentication method is especially suited for multi-touch mobile devices. This method presents degraded pictures of everyday objects in a temporal stream. Considering all the other authentication methods employ a spatial visual search, our method is unique (i.e., searching across time versus space). A temporal method of presentation is used to decreases login times down to 14 seconds and to allow login with a simple touch of the screen. By degrading the images, over-the-shoulder attackers are prevented from easily capturing the passcode. This study shows that all participants could successfully login at least once when allowed up to three attempts. After becoming familiar with the RSVP authentication method, participants took on the role of an attacker. Notably, no one was able to identify the passcode. The RSVP method offers a memorable, usable, quick, and secure alternative for authentication on multi-touch mobile devices. [ Cain & Still, 2016 ; Cain & Still, 2017]
Incognito: Shoulder-Surfing Resistant Selection Method
Authentication methods need to, at minimum, prevent casual attackers with limited resources from gaining access to our private information. Although, Personal Identification Numbers (PIN) have been ubiquitously implemented to validate a user's identity, it is surprisingly easy for PINs to be stolen by casual shoulder-surfing attackers. We offer Incognito, a selection technique, which is resistant to casual shoulder-surfing and extendable to emerging graphical authentication methods. This was achieved by employing indirect interactions and masking standard cursor feedback. We show this selection technique effectively prevents casual shoulder-surfing attacks. The users controlled Incognito with either a mouse or eye tracker. We examined its usability by measuring effectiveness, performance, and user satisfaction in contrast with a conventional PIN approach. Our results show marginal login performance differences between the conventional method and Incognito with mouse-based interactions, but not for eye tracker based interactions. Incognito shows promise as a viable selection technique within public spaces. [ Still & Bell, in press]
Are biometrics the simple solution?
You might be thinking. Why not just use biometrics to replace password based authentication systems? This is a bad idea for two reasons. First, all systems get hacked (see hackers took 5.6 million fingerprints). And, our biometric information isn't easily updatable. Second, biometric information might reveal personal health information (e.g., current health status or other genetic based insights).
Increasing Policy Compliance through Re-Design:
Contextualizing Mnemonic Phrase Passwords
We introduce a strategy for developing strong passwords that embed contextual cues within mnemonic phrase passwords. Using this strategy participants were able to create strong passwords and better remember them compared with a traditional mnemonic strategy. [ McEvoy & Still, 2016 ]
Re-designing Permission Requirements to Encourage BYOD Policy Adherence
Many corporations and organizations support a Bring Your Own Device (BYOD) policy, which allows employees to use their personal smartphones for work-related purposes. Access to proprietary company data and information from an employee’s smartphone raises serious privacy and security concerns. Companies are vulnerable to data breaches if employees are unable to discern which applications are safe to install. Situating privacy requirements ought to encourage safer application install decisions and decrease risker ones. This study examines the use of context-relevant warning messages, which alert employees to be cautious when the company’s BYOD policy may be violated. We also explore the impact of presenting permission requirements before and after making the install decision. In situations when it was safe to install an application, warning messages presented before the install decision drastically encouraged installations compared to when there were no warnings. Interestingly, the opposite pattern was found when warning messages were presented after the decision. Overall, better privacy and security decisions will be made if permission requirements are displayed with relevant warning messages. In addition, safe installations will be encouraged through the placement of these meaningful warnings on the description page of a mobile application before a user has decided to install it. [ Lee & Still, 2015 ]