USEC 2017 Workshop - NDSS Symposium
SUNDAY, FEBRUARY 26
8:00 am – 7:00 pmRegistration
8:30 am – 9:30 amKeynote:  Thomas Gross
9:30 am – 10:00 amCoffee Break
10:00 am – 12:00 pmPresentations: Authentication

 

Chair: Sonia Chiasson

12:00 pm – 1:00 pmLunch
1:00 pm – 2:00 pmKeynote: Aaron Elkins
2:00 pm – 2:15 pmCoffee Break
2:15 pm – 3:15 pmPresentations: Perceptions

 

Chair: Jean Camp

3:15 pm – 4:00 pmPanel – Decision Making

 

Chair: Jean Camp

4:00 pm – 4:30 pmCoffee Break
4:30 pm – 6:00 pmPresentations: Security & Privacy

 

Chair: Thomas Gross

USEC 2017 Workshop Proceedings Front Matter

Authentication

Learning system-assigned passwords (up to 56 bits) in a single registration session with the methods of cognitive psychology

System-assigned random passwords offer security guarantees against guessing attacks but suffer from poor memorability. In this work, we review the cognitive psychology literature and identify two training methods appropriate to aid users in memorizing system-assigned passwords. The method of loci exploits users    spatial and visual memory, while the link method helps users by creating a chain of memory cues. We developed techniques to automatically take a given random password and generate training aids (videos) based on each of these methods. The results of a memorability study showed that both methods were significantly better than a control condition (no training) and that the method of loci had a login success rate of 86%, a high value for any recall-based study with system-assigned passwords. With a registration time of 160 seconds and a median login time of 9 seconds, this method holds promise as a direction to addressing the usability-security trade-off in user authentication. We further extend this idea to help users memorize long system-assigned random passwords that offer almost crypto-level security and conduct a second memorability study. The results of this study demonstrated that with the help of a password hint, 81% of participants were able to recall the password after a week. This indicates that the method of loci can be leveraged to help users memorize cryptographically-strong secret in just one session, and thus offers a more viable alternative to the spaced repetition technique, which involves dozens of sessions of user training.

S M Taiabul Haque, Mahdi Nasrullah Al-Ameen, Matthew Wright and Shannon Scielzo

EmojiAuth: Quantifying the Security of Emoji-based Authentication

Mobile devices, such as smartphones and tablets, frequently store confidential data, yet implementing a secure device unlock functionality is non-trivial due to restricted input methods. Graphical knowledge-based schemes have been widely used on smartphones and are generally well adapted to the touchscreen interface on small screens. Recently, graphical password schemes based on emoji have been proposed. They offer potential benefits due to the familiarity of users with emoji and the ease of expressing memorable stories. However, it is well-known from other graphical schemes that user-selected authentication secrets can substantially limit the resulting entropy of the authentication secret. In this work, we study the entropy of user-selected secrets for one exemplary instantiation of emoji-based authentication.We analyzed an implementation using 20 emoji displayed in random order on a grid, where a user selects passcodes of length 4 without further restrictions. We conducted an online user study with 795 participants, using the collected passcodes to determine the resistance to guessing based on several guessing strategies, thus estimating the selection bias. We evaluated Markov model-based guessing strategies based on the selected sequence of emoji, on its position in the grid, and combined models taking into account both features. While we find selection bias based on both the emoji as well as the position, the measured bias is lower than for similar schemes. Depending on the model, we can recover up to 7% at 100 guessing attempts, and up to 11% of the passcodes at 1 000 guessing attempts. (For comparison, previous work on the graphical Android Unlock pattern scheme (CCS 2013) recovered around 18% at 100 and 50% at 1 000 guessing attempts, despite a theoretical keyspace of more than double the size for the Android scheme.) These results demonstrate some potential for a usable and relatively secure scheme and show that the size of the theoretical keyspace is a bad predictor for the realistic guessability of passcodes.

Maximilian Golla, Dennis Deterring and Markus Dürmuth

Password Creation in the Presence of Blacklists

Attackers often target common passwords in guessing attacks, leading some website administrators to make common passwords ineligible for use on their sites. While past research has shown that adding such blacklists to a password policy generally makes resulting passwords harder to guess, it is important to understand whether users go on to create significantly stronger passwords, or ones that are only marginally better. In this paper, we investigate how users change the composition and strength of their passwords after a blacklisted password attempt. Additionally, we analyze differences in sentiment toward password creation based on whether a user created a blacklisted password. Our examination utilizes data collected from a previous online study evaluating various design features of a password meter through a password creation task. We analyzed 2,280 password creation sessions and found that participants who reused even a modified version of a blacklisted attempt during the task ultimately created significantly weaker passwords than those who did not attempt to use a blacklisted password. Our results also indicate that text feedback provided by a password meter mitigated this effect.

Hana Habib, Jessica Colnago, William Melicher, Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin and Lorrie Cranor

Seamless and Secure VR: Adapting and Evaluating Established Authentication Systems for Virtual Reality

Virtual reality (VR) headsets are enabling a wide range of new opportunities for the user. For example, in the near future users may be able to visit virtual shopping malls and virtually join international conferences. These and many other scenarios pose new questions with regards to privacy and security, in particular authentication of users within the virtual environment. As a first step towards seamless VR authentication, this paper investigates the direct transfer of well-established concepts (PIN, Android unlock patterns) into VR. In a pilot study (N = 5) and a lab study (N = 25), we adapted existing mechanisms and evaluated their usability and security for VR. The results indicate that both PINs and patterns are well suited for authentication in VR. We found that the usability of both methods matched the performance known from the physical world. In addition, the private visual channel makes authentication harder to observe, indicating that authentication in VR using traditional concepts already achieves a good balance in the trade-off between usability and security. The paper contributes to a better understanding of authentication within VR environments, by providing the first investigation of established authentication methods within VR, and presents the base layer for the design of future authentication schemes, which are used in VR environments only.

Ceenu George, Mohamed Khamis, Emanuel von Zezschwitz, Henri Schmidt, Marinus Burger, Florian Alt and Heinrich Hußmann


Perceptions

I Don’t Use Apple Pay Because It’s Less Secure…: Perception of Security and Usability in Mobile Tap-and-Pay

This paper reports on why people use, not use, or have stopped using mobile tap-and-pay in stores. The results of our online survey with 349 Apple Pay and 511 Android Pay participants suggest that the top reason for using mobile tap-andpay is usability. Surprisingly, for nonusers of Apple Pay, security was their biggest concern. A common security misconception we found among the nonusers (who stated security as their biggest concern) was that they felt storing card information on their phones is less secure than physically carrying cards inside their wallets. Our security knowledge questions revealed that such participants lack knowledge about the security mechanisms being used to protect card information. We also found a positive correlation between the participants    familiarity with security of mobile tap-and-pay and their adoption rate, suggesting that the participants who are more knowledgeable of the security protections in place are more likely to be using the technology.

Jun Ho Huh, Saurabh Verma, Swathi Sri V Rayala, Rakesh Bobba, Konstantin Beznosov and Hyoungshick Kim

(Work in Progress) Is this a privacy incident? Using News Exemplars to Study End User Perceptions of Privacy Incidents

A clear and efficient process for responding to privacy incidents is widely viewed as necessary for a strong privacy program. In addition, analysis of privacy incidents is advocated to understand risk trends. Both incident response and analysis require an actionable definition of privacy incident, which is challenging to derive given that privacy attitudes vary by culture and context, resulting in variation in incident manifestation. We present a first study of end user understanding of the term    privacy incident    with 482 Amazon Mechanical Turk users. Our study uses a variety of news exemplars, many of which concern the privacy-related concepts of data collection, storage, and usage. We find that although participants appear to closely tie sensitive data collection and usage to privacy, they often conflate privacy and security and are more inclined than privacy law to view perceived or anticipated privacy issues as grounds for an incident. Our study suggests that there is some degree of schism between end user conceptions of privacy and the views of industry and government.

Pradeep Kumar Murukannaiah, Jessica Staddon, Heather Lipford and Bart Knijnenburg

(Work in Progress) An Insight into the Authentication Performance and Security Perception of Older Users

Older users (aged 55 and over) are generally thought to have limited knowledge in online security; additionally, their declining cognitive and perceptive abilities can further expose them to digital attacks. Despite these risks and the growing older population, little has been studied about older users    security performance, perception, and behavior. We begin to address this gap with this preliminary study. First, we studied older users    ability to memorize passwords through a multisession user study with seven participants at a local retirement community. For this study, we leveraged a recently-proposed graphical authentication scheme that offers multiple cues (visual, verbal, spatial) to memorize system-assigned random passwords. To tailor this password scheme to an older population, we build on prior work in cognitive psychology that has been done to understand older users    needs. Second, we conducted a survey to further learn about their security perceptions and practices. Based on what we have learned and the challenges that we have faced during our study, we offer guidelines for other researchers interested in designing new systems and conducting usability study with older population, and we also outline the future work for our ongoing research.

Sovantharith Seng, Sadia Ahmed, Mahdi Nasrullah Al-Ameen and Matthew Wright


Security & Privacy

Be Prepared:  How US Government Experts Think About Cybersecurity

Online security experiences, perceptions, and behaviors are key to understanding users security practices. Users express that they are concerned about online security, but they also express frustration in navigating the often confusing and mentally taxing cybersecurity world. This paper examines the differences in cybersecurity perception and behavior between cybersecurity experts in the US Government as contrasted with non-experts. The experts represent a very select group within United States Government Agencies who are directly responsible for cybersecurity guidance for the Federal Government. We used a semi-structured interview protocol to collect data from 23 experts and 21 non-experts. Interview questions addressed experiences, beliefs, and behaviors with respect to online security. Qualitative data techniques were used to code and analyze the data identifying themes related to the similarities and differences in expert and non-expert perceptions of and experiences with cybersecurity. The experts as a group don   t trust, develop plans and are proactive in their approach to online security and see security as a personal challenge rather than a risky and potentially disrupting experience. In contrast, our non-experts trust too much, don   t develop plans, and experience security with anxiety and fear.

Mary Theofanos, Brian Stanton, Susanne Furman, Sandra Prettyman and Simson Garfinkel

Exploring Design Directions for Wearable Privacy

We explore how privacy preferences can be communicated towards disruptive cameras in privacy-sensitive spaces such as public beaches, where users are constrained in what technology they can carry and use. In order to get an informed consent between photographers and bystanders, we designed three conceptual privacy-mediating technologies: a smartphone app, a privacy-bracelet and a clothing-based approach. We then conducted 20 qualitative interviews to study peoples    privacy feelings towards disruptive cameras at a beach and in a cafe and their attitudes towards our approaches. We found that there is high demand for such tools irrespective of location and that a dedicated privacy device was preferred by most of the participants

Katharina Krombholz, Adrian Dabrowski, Matthew Smith and Edgar Weippl

“Don’t Break My Heart!”:  User Security Strategies for Online Dating (Short Paper)

Online dating sites require users to reveal information about themselves to find potential matches, yet users must also be wary of potential security and privacy threats. We conducted semi-structured interviews with 10 participants to better understand the various methods they employ to maintain their personal security and privacy while arranging to meet strangers in person. Specifically, we asked questions about how they validate the legitimacy of potential partners, how they safeguard their online information, and their overall experiences with dating sites. We found out that though users are familiar with most of the traits exhibited by scammers, they do not have sufficient security measures to protect themselves from being scammed. Users also have no principled means of balancing the need to share information with their need to stay safe. Our results suggest that better security and privacy mechanisms are needed to improve the online dating experience.

Borke Obada-Obieh, Sonia Chiasson and Anil Somayaji

(Work in Progress) User-Tailored Privacy by Design

The    privacy by design    philosophy addresses privacy aspects early in the design and development of an information system. While privacy by design solutions often provide considerable advantages over    post hoc    privacy solutions, they are usually not customized to the needs of individual users. Further, research shows that users differ substantially in their privacy management strategies. Thus, how can we support such broad privacy needs in a comprehensive and user-centered way? This paper presents the idea of user-tailored privacy by design, a design methodology that combines multiple privacy features into a single intelligent user interface. We discuss how this methodology moves beyond the    one-size-fits-all    approach of existing privacy by design solutions and the narrow focus on information disclosure of existing user-tailored privacy solutions. We illustrate our approach through an implementation of usertailored privacy by design within Facebook based on six privacy management profiles that were discovered in recent work, and subsequently extend this idea to the context of the Total Learning Architecture (TLA), which is a next generation learning platform that uses pervasive user monitoring to provide highly adaptive learning recommendations.

Daricia Wilkinson, Saadhika Sivakumar, David Cherry, Bart P. Knijnenburg, Elaine Raybourn, Pamela Wisniewski and Henry Sloan