WAY 2017 Workshop Program

Despite decades of research into developing security advice and interfaces, users still struggle to make passwords. This talk will survey our work using data-driven methods to help users make better passwords. I will first describe how we modeled password-guessing attacks and subsequently investigated whether users' perceptions of password security match reality. Afterwards, I will present our design and evaluation of a user-centered, data-driven password meter. Using neural networks, we created a fast, compact, and accurate model of password guessing. We augmented this approach with carefully combined heuristics to construct a password meter that explains to users what is wrong with their password or how to improve it. Through a large-scale online study, we found that such a meter leads users to create much more secure passwords without significantly impacting memorability.

Online password guessing attacks are a serious threat to the integrity of online accounts. A common defense is rate-limiting, either by slowing down or blocking connections, or by requiring CAPTCHAs to be solved. Either of these options has serious drawbacks, facilitating denial of service attacks, being circumventable by proxies and CAPTCHA solving services, and offering bad usability to the legitimate user. Furthermore, guessing attacks are becoming increasingly easier, fueled by recent data breaches containing several hundred million credentials from famous websites. In this work-in-progress report, we propose an opt-in deposit-based approach to rate-limiting that tackles online guessing attacks. By demanding a small deposit for each login attempt, which is immediately refunded after a successful sign in, online guessing attackers face high costs for repeated unsuccessful logins. We provide an initial analysis of suitable payment systems and reasonable deposit values for real-world implementations and discuss security and usability implications of the system.

Walking into traffic, off the beaten path, or colliding with people – distracted walking is on the rise as people struggle with touchscreen interactions designed for workstation instead of mobile devices. The keyboard is a well-known mental model for soliciting input for authentication. Mental models familiar to the user reduce the cognitive effort required to understand the desired interaction with the security interface. Though the cognitive effort to understand the interface may be conserved, there is also cognitive effort expended to use the keyboard-style interface. The reality of the actual cognitive effort required is documented by the rise in pedestrian accidents involving smartphone usage. Measures of the effort required for smartphone authentication using human performance modelling show how security design choices can significantly impact usability on the mobile platform, and calls into question current common practices. Strong passwords on a mobile device demand more cognitive effort than is safe at any speed.

Adaptive authentication allows a system to dynamically select the best mechanism for authenticating a user depending on contextual factors, such as location, proximity to devices, and other attributes. Current systems in the literature are built to demonstrate feasibility and basic usability improvements in specific scenarios, but none of them follows a methodological approach for system design, neglecting the huge body of research on adaptation. In this position paper, we posit the necessity to apply such a structured modelling procedure and show its potential benefits to achieve better and more usable designs. We discuss the modelling steps to be followed, identify key challenges to be addressed, and present an initial reference architecture for adaptive distributed authentication.

We discuss our ongoing work with an agent-based password simulation which models how site-enforced password requirements affect aggregate security when people interact with multiple authentication systems. We model two password memorization techniques: passphrase generation and spaced repetition. Our simulation suggests system-generated passphrases lead to lower aggregate security across services that enforce even moderate password requirements. Furthermore, allowing users to expand their password length over time via spaced repetition increases aggregate security.

Security questions are one of the techniques used in fall-back authentication to retrieve forgotten passwords. This paper proposes a game design which aims to improve usability of system-generated security questions. In our game design, we adapted the popular picture-based "4 Pics 1 word" mobile game. This game asks users to pick the word that relates the given pictures. We selected this game because of its use of pictures and cues, in which, psychology research has found to be important to help with memorability. The proposed game design focuses on encoding information to users' longterm memory and to aide memorability by using the following memory retrieval skills: (a) graphical cues - by using images in each challenge; (b) verbal cues - by using verbal descriptions as hints; (c) spatial cues - by keeping same order of pictures; (d) interactivity - engaging nature of the game through the use of persuasive technology principles.