Action Needed! Helping Users Find and Complete the Authentication Ceremony in Signal

Authors: 

Elham Vaziripour, Justin Wu, Mark O'Neill, Daniel Metro, Josh Cockrell, Timothy Moffett, Jordan Whitehead, Nick Bonner, Kent Seamons, and Daniel Zappala, Brigham Young University

Abstract: 

The security guarantees of secure messaging applications are contingent upon users performing an authentication ceremony, which typically involves verifying the fingerprints of encryption keys. However, recent lab studies have shown that users are unable to do this without being told in advance about the ceremony and its importance. A recent study showed that even with this instruction, the time it takes users to find and complete the ceremony is excessively long—about 11 minutes. To remedy these problems, we modified Signal to include prompts for the ceremony and also simplified the ceremony itself. To gauge the effect of these changes, we conducted a between-subject user study involving 30 pairs of participants. Our study methodology includes no user training and only a small performance bonus to encourage the secure behavior. Our results show that users are able to both find and complete the ceremony more quickly in our new version of Signal. Despite these improvements, many users are still unsure or confused about the purpose of the authentication ceremony. We discuss the need for better risk communication and methods to promote trust.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {219435,
author = {Elham Vaziripour and Justin Wu and Mark O{\textquoteright}Neill and Daniel Metro and Josh Cockrell and Timothy Moffett and Jordan Whitehead and Nick Bonner and Kent Seamons and Daniel Zappala},
title = {Action Needed! Helping Users Find and Complete the Authentication Ceremony in Signal},
booktitle = {Fourteenth Symposium on Usable Privacy and Security ({SOUPS} 2018)},
year = {2018},
isbn = {978-1-931971-45-4},
address = {Baltimore, MD},
pages = {47--62},
url = {https://www.usenix.org/conference/soups2018/presentation/vaziripour},
publisher = {{USENIX} Association},
}