WAY 2017 Workshop Program

Wednesday, July 12, 2017

7:30 am–9:00 am

Continental Breakfast

9:00 am–9:15 am

Intro and Welcome

Workshop Co-Chair: Elizabeth Stobert, ETH Zurich

9:15 am–10:30 am

Keynote Address

Helping Users Make Better Passwords Through Data-Driven Methods

Blase Ur, University of Chicago

Despite decades of research into developing security advice and interfaces, users still struggle to make passwords. This talk will survey our work using data-driven methods to help users make better passwords. I will first describe how we modeled password-guessing attacks and subsequently investigated whether users' perceptions of password security match reality. Afterwards, I will present our design and evaluation of a user-centered, data-driven password meter. Using neural networks, we created a fast, compact, and accurate model of password guessing. We augmented this approach with carefully combined heuristics to construct a password meter that explains to users what is wrong with their password or how to improve it. Through a large-scale online study, we found that such a meter leads users to create much more secure passwords without significantly impacting memorability.

Blaise Ur, University of Chicago

Blase Ur is Neubauer Family Assistant Professor of Computer Science at the University of Chicago, where he and his students are the Security, Usability, and Privacy Education & Research group (SUPERgroup). His recent work focuses on data-driven methods to help users make better security and privacy decisions, in addition to improving the usability of complex computer systems. He received best paper awards at CHI 2017, USENIX Security 2016, and UbiComp 2014, as well as honorable mentions at CHI 2016 and CHI 2012. He holds a Ph.D. and an M.S. from Carnegie Mellon University, as well as an A.B. from Harvard University.

10:30 am–11:00 am

Break with Refreshments

11:00 am–12:30 pm

Usable Authentication

Session Chair: Kent Seamons, Brigham Young University

"I want my money back!" Limiting Online Password-Guessing Financially

Maximilian Golla, Daniel V. Bailey, and Markus Dürmuth, Ruhr-University Bochum

Available Media

Online password guessing attacks are a serious threat to the integrity of online accounts. A common defense is rate-limiting, either by slowing down or blocking connections, or by requiring CAPTCHAs to be solved. Either of these options has serious drawbacks, facilitating denial of service attacks, being circumventable by proxies and CAPTCHA solving services, and offering bad usability to the legitimate user. Furthermore, guessing attacks are becoming increasingly easier, fueled by recent data breaches containing several hundred million credentials from famous websites. In this work-in-progress report, we propose an opt-in deposit-based approach to rate-limiting that tackles online guessing attacks. By demanding a small deposit for each login attempt, which is immediately refunded after a successful sign in, online guessing attackers face high costs for repeated unsuccessful logins. We provide an initial analysis of suitable payment systems and reasonable deposit values for real-world implementations and discuss security and usability implications of the system.

Smartwatches Locking Methods: A Comparative Study

Toan Nguyen and Nasir Memon, New York University

Available Media

Smartwatches are rapidly emerging to be the next generation of personal devices from the smartphone era due to their novel form factor and broad applications. However, their emergence also poses new challenges to securing user information. An important challenge is preventing unauthorized access to private information stored on the watch, for which a locking method is typically used. Due to smartwatches' limited display, the performance of locking methods offered on smartwatches may su er from the fat- finger problem and is currently unknown. In this paper, we present the first study to evaluate different locking methods for smartwatches. We contribute to the ongoing research trend in authentication for smartwatches with a reference benchmark and interesting insights for future work.

Key-bored to Tears: The Usability Cost of Character Authentication on Mobile Devices

Ann-Marie Horcher, Nova Southeastern University

Walking into traffic, off the beaten path, or colliding with people – distracted walking is on the rise as people struggle with touchscreen interactions designed for workstation instead of mobile devices. The keyboard is a well-known mental model for soliciting input for authentication. Mental models familiar to the user reduce the cognitive effort required to understand the desired interaction with the security interface. Though the cognitive effort to understand the interface may be conserved, there is also cognitive effort expended to use the keyboard-style interface. The reality of the actual cognitive effort required is documented by the rise in pedestrian accidents involving smartphone usage. Measures of the effort required for smartphone authentication using human performance modelling show how security design choices can significantly impact usability on the mobile platform, and calls into question current common practices. Strong passwords on a mobile device demand more cognitive effort than is safe at any speed.

You Want Me To Do What? A Design Study of Two-Factor Authentication Messages

Elissa M. Redmiles, Everest Liu, and Michelle L. Mazurek, University of Maryland

Available Media

Security messages that ask users to adopt new behaviors can be a crucial aspect of users' security decision-making. Prior work has focused extensively on how to design warning messages to discourage insecure practices. In this work, we instead examine how to design motivating security messages to encourage adoption, taking two-factor authentication (2FA) as a case study. To this end, we conduct an interview and participatory design study with 12 demographically diverse participants. Participants both critiqued existing 2FA messages and designed new ones. Drawing from the results of these interviews, we extract preliminary design options for authentication tool messages, which we plan to validate in future work.

12:30 pm–2:00 pm

Lunch (on your own)

2:00 pm–3:30 pm

Distributed Authentication

Session Chair: Heather Crawford, Florida Institute of Technology

On the Design of Distributed Adaptive Authentication Systems

Patricia Arias-Cabarcos, University Carlos III of Madrid; Christian Krupitzer, University of Mannheim

Available Media

Adaptive authentication allows a system to dynamically select the best mechanism for authenticating a user depending on contextual factors, such as location, proximity to devices, and other attributes. Current systems in the literature are built to demonstrate feasibility and basic usability improvements in specific scenarios, but none of them follows a methodological approach for system design, neglecting the huge body of research on adaptation. In this position paper, we posit the necessity to apply such a structured modelling procedure and show its potential bene fits to achieve better and more usable designs. We discuss the modelling steps to be followed, identify key challenges to be addressed, and present an initial reference architecture for adaptive distributed authentication.

Touchscreen Biometrics Across Multiple Devices

Tuan Ngyuen and Jonathan Voris, New York Institute of Technology

Available Media

As the cost of mobile devices decreases, it is becoming increasingly common for users to own more than one. The presence of multiple pieces of mobile technology complicates the question of how to secure them. Utilizing different authentication solutions on different devices may create usability challenges, while using the same authentication technique on more than one device raises the possibility of a compromise of one device affecting the others. Behavioral biometrics, which model the manner in which users interact with their devices, are an appealing option for a single authentication mechanism solution which is capable of working across different devices. Whether or not a user's behavioral features are specific to a particular device is an open question, however. Intuitively, a user's behavior should be independent of what device they are using. In practice, however, this behavior may be impacted by device hardware and software characteristics such as form factor and virtual keyboard layout.

This paper presents an initial investigation into whether or not biometric touchscreen profiles (i.e., trained classification models which can be utilized to authenticate users to their devices) can be applied across more than one mobile device. We conduct a preliminary IRB-approved investigation in which 10 users were asked to perform 3 common tasks on 3 different mobile devices: reading, typing, and playing a game. We then applied the well-known Support Vector Machine (SVM) learning algorithm to touchscreen features collected during each task. The results of this small-scale study indicate that user behavior is consistent for gameplay and reading across di erent types of mobile hardware, but different for typing. This provides preliminary evidence that it is possible to apply behavior-based authentication across multiple devices in some, but not all, contexts.

Modeling Aggregate Security with User Agents that Employ Password Memorization Techniques

Christopher Novak, Department of Computer Science, Dartmouth College; Jim Blythe, Information Sciences Institute, University of Southern California; Ross Koppel, Department of Sociology, University of Pennsylvania; Vijay Kothari and Sean Smith, Department of Computer Science, Dartmouth College

Available Media

We discuss our ongoing work with an agent-based password simulation which models how site-enforced password requirements affect aggregate security when people interact with multiple authentication systems. We model two password memorization techniques: passphrase generation and spaced repetition. Our simulation suggests system-generated passphrases lead to lower aggregate security across services that enforce even moderate password requirements. Furthermore, allowing users to expand their password length over time via spaced repetition increases aggregate security.

Augmenting Centralized Password Management with Application-Specific Passwords

Trevor Smith, Brigham Young University; Scott Ruoti, MIT Lincoln Laboratory; Kent Seamons, Brigham Young University

Available Media

Password authentication is the most prevalent form of authentication; however, passwords have numerous usability issues. For example, due to the large number and high complexity required of passwords, users frequently reuse and choose weak passwords. One way to address these problems is to centralize password management by using a password manager or single sign-on. While this centralizing approach can improve a user's security, it also magnifies the damage caused by a compromise of the user's master password. In this paper, we describe a new approach to enhance centralized password management using application-specific passwords. This approach prevents the compromise of a master password from immediately compromising all associated applications and instead, requires the attacker to conduct further online attacks against individual applications. We detail ve possible system designs for application-specific passwords and describe our plans for user studies to test the acceptance and usability of this approach.

3:30 pm–4:00 pm

Break with Refreshments

4:00 pm–5:30 pm

Cognition and Passwords

Session Chair: Elizabeth Stobert, ETH Zurich

A Gamified Approach to Improve Users’ Memorability of Fall-back Authentication

Nicholas Micallef and Nalin Asanka Gamagedara Arachchilage, Australian Centre for Cyber Security, University of New South Wales

Available Media

Security questions are one of the techniques used in fall-back authentication to retrieve forgotten passwords. This paper proposes a game design which aims to improve usability of system-generated security questions. In our game design, we adapted the popular picture-based "4 Pics 1 word" mobile game. This game asks users to pick the word that relates the given pictures. We selected this game because of its use of pictures and cues, in which, psychology research has found to be important to help with memorability. The proposed game design focuses on encoding information to users' longterm memory and to aide memorability by using the following memory retrieval skills: (a) graphical cues - by using images in each challenge; (b) verbal cues - by using verbal descriptions as hints; (c) spatial cues - by keeping same order of pictures; (d) interactivity - engaging nature of the game through the use of persuasive technology principles.

Panel: On Developing Authentication Solutions for Healthcare Settings

Vijay Kothari, Dartmouth College (Moderator); Ross Koppel, University of Pennsylvania; Shirang Mare, University of Washington; Scott Rudkin, University of California Irvine; Harold Thimbleby, Swansea University

Available Media

The healthcare setting has a mix of unique authentication constraints and difficulties. This panel explores healthcare's special challenges, makes proposals, and offers solutions; and we off er a framework for conceptualizing the unique authentication difficulties in hospitals and medical facilities. Panelists represent a wide range of experiences and viewpoints, including a computer scientist who has focused on developing usable authentication solutions for healthcare and other settings, a chief medical information officer, and experts on medical workflow and healthcare information technology.

5:30 pm–5:40 pm

Workshop Close