Authentication references

From Research Questions Task Force

List of References

This page is a collection of relevant references to the Authentication research question. The reference list shouldn't be considered complete or definitive, and is likely to regularly undergo formatting improvement and reorganization to support the review and analysis process.

There may be overlap with the CAPTCHA References list. References here that focus on CAPTCHA will be moved to the CAPTCHA list, as we distinguish Authentication (establishing identity of a person interacting with an application) from CAPTCHA (distinguishing humans from non-humans).

Blind subjects faces database

  • Authors: Poh, N., Blanco-Gonzalo, R., Wong, R. and Sanchez-Reillo, R.
  • Published: 2016
  • Publication: IET Biometrics, 5(1), pp.20-27.
  • Full text access: Restricted, via IEEE Xplore
  • Keywords: mobile computing, authorisation, biometrics (access control), database management systems, face recognition

Abstract: Using your face to unlock a mobile device is not only an appealing security solution, but also a desirable or entertaining feature that is comparable with taking selfies. It is convenient, fast, and does not require much effort. Nevertheless, for users with visual impairments, taking selfies could potentially be a challenging task. In order to study the usability and ensure the inclusion of mobile-based identity authentication technology, the authors have collected the blind-subject face database (BSFDB).

Ensuring that technology is accessible to disabled people is important because they account for about 15% of the world population. The BSFDB contains some 40 individuals with visual disabilities who took selfies with a mock-up mobile device. The database comes with four experimental protocols which are defined by a dichotomy of two controlled covariates, namely, whether or not a subject is guided by audio feedback and whether or not he/she has received explicit instructions to take the selfie. The findings suggest the importance of appropriate design of human computer interaction as well as alternative feedback design based on the audio cue. All the data is available online including more than 70,000 detected face images of blind and partially blind subjects.

Barriers to Banking-Towards an Inclusive Banking Environment in South Africa

  • Authors: Martinson, E. and Martinson, J.
  • Year: 2016
  • Publication: Studies in health technology and informatics, 229, p.517.
  • Full text access: Unrestricted, IOS Press
  • Keywords: Banking, Barriers, Universal Design, Accessibility, Private Sector, International Best Practice, End-to-end Customer Experience

Abstract: A recent study in South Africa on the barriers to banking which involved customers in three disability groups, namely mobility, hearing and vision, has highlighted that currently banking in South Africa is not accessible. Customers with a disability are unable to independently use banking services across a wide range of channels. Exclusion from something as fundamental as managing their own financial affairs raises serious human rights concerns and requires committed action from decision-makers to address this. The fact that solutions to all of the identified barriers have been successfully implemented in banks in other parts of the world for many years emphasizes that this is not a technical challenge.

While some solutions require complex or expensive changes such as removing physical access barriers and ensuring that digital channels meet internationally accepted standards of accessibility, there are many simple and low-cost solutions which can be implemented immediately and would make a world of difference to these customers and their experience of banking. One key barrier which emerged in all the focus groups and surveys is attitudinal barriers - staff who are unwilling to assist, impatient, interact with the customer's assistant instead of directly with them and lack basic skills on how to interact with someone who has a disability.

A comprehensive framework of banking was used to identify a wide range of barriers. The barriers were classified as attitudinal, barriers to physical access, digital access barriers, barriers to information, communication barriers and some generic concerns such as safe evacuation during emergencies and alternative authentication. Both the barriers and the solutions were ranked by participants. From a theoretical perspective, the benefit of a customer-centric approach to understanding these barriers and the innovation potential of a Universal Design approach is affirmed by this study.

A Set of Heuristics for Usable Security and User Authentication

  • Authors: Realpe, P.C., Collazos, C.A., Hurtado, J. and Granollers, A.
  • Year: 2016
  • Publication: Interacción '16 Proceedings of the XVII International Conference on Human Computer Interaction. Article No. 21
  • Full text access: Restricted, ACM Digital Library
  • Keywords:

Abstract: Currently, computer security is one of the most important tasks for supporting critical business processes and protecting sensitive information. However, security problems for computer systems include vulnerabilities because they are hard to use and have poor user interfaces due to security constraints. Nowadays, finding a good trade-off between security and usability is a challenge, mainly for user authentication services. In this paper, a set of 153 heuristics is presented as a tool to evaluate the grade of achievement in some applications according to security, usability and other characteristics for user authentication (e.g. performance, accessibility, operability and reliability).

The main contribution of this work is to propose a possible standardization of these heuristics by formulating them in interrogative sentences to facilitate the evaluation of usable security and user authentication. Each heuristic is accompanied by comments that facilitate their evaluation.

Leveraging human computation for pure-text Human Interaction Proofs

  • Authors: Kemal Bicakci (TOBB University of Economics and Technology, Ankara), Hakan Ezgi Kiziloz (TOBB University of Economics and Technology, Ankara)
  • Year: 2016
  • Publication: Int. J. Hum.-Comput. Stud. 92, C (August 2016), 44-54. DOI:
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: Even though purely text-based Human Interaction Proofs (HIPs) have desirable usability and accessibility attributes, they have not yet overcome the security problems. Given the fact that fully automated techniques to generate pure-text HIPs securely do not exist, we propose leveraging human computation for this purpose. We design and implement a system called SMARTCHA, which involves a security engine to perform automated proactive checks on the security of human-generated HIPs and a module for combining human computation with automation to increase the number of HIP questions. In our work, we employ HIP operators who generate around 22000 questions in total for the SMARTCHA system.

With a user study of 372 participants, we evaluate the usability of the SMARTCHA system and observe that users find solving pure-text HIPs of the SMARTCHA system significantly more enjoyable than solving reCAPTCHA visual HIPs.

Highlights:

  • Pure-text HIPs provide desirable usability and accessibility, but not security.
  • We propose using human computation to generate them and reproduce automatically.
  • Our system, SMARTCHA, proactively checks the security of human-generated HIPs.
  • 22000 questions were generated, a usability study was held with 372 participants.
  • Usability study shows that solving SMARTCHA HIPs is significantly more enjoyable.

Privacy Concerns and Behaviors of People with Visual Impairments

  • Authors: Tousif Ahmed (Indiana University), Roberto Hoyle (Indiana University), Kay Connelly (Indiana University), David Crandall (Indiana University), Apu Kapadia (Indiana University)
  • Year: 2015
  • Publication: CHI '15 Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: Various technologies have been developed to help make the world more accessible to visually impaired people, and recent advances in low-cost wearable and mobile computing are likely to drive even more advances. However, the unique privacy and security needs of visually impaired people remain largely unaddressed. We conducted an exploratory user study with 14 visually impaired participants to understand the techniques they currently use for protecting privacy, their remaining privacy concerns, and how new technologies may be able to help.

The interviews explored privacy not only in the physical world (e.g., bystanders overhearing private conversations) and the online world (e.g., determining if a URL is legitimate), but also in the interface between the two (e.g., bystanders 'shoulder-surfing' data from screens). The study revealed serious concerns that are not adequately solved by current technology, and suggested new directions for improving the privacy of this significant fraction of the population.

Privacy behaviors of lifeloggers using wearable cameras

  • Authors: Roberto Hoyle, Robert Templeman, Steven Armes, Denise Anthony, David Crandall, and Apu Kapadia
  • Year: 2014
  • Publication: Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp '14). 571-582
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: A number of wearable 'lifelogging' camera devices have been released recently, allowing consumers to capture images and other sensor data continuously from a first-person perspective. Unlike traditional cameras that are used deliberately and sporadically, lifelogging devices are always 'on' and automatically capturing images. Such features may challenge users' (and bystanders') expectations about privacy and control of image gathering and dissemination. While lifelogging cameras are growing in popularity, little is known about privacy perceptions of these devices or what kinds of privacy challenges they are likely to create.

To explore how people manage privacy in the context of lifelogging cameras, as well as which kinds of first-person images people consider 'sensitive,' we conducted an in situ user study (N = 36) in which participants wore a lifelogging device for a week, answered questionnaires about the collected images, and participated in an exit interview. Our findings indicate that: 1) some people may prefer to manage privacy through in situ physical control of image collection in order to avoid later burdensome review of all collected images; 2) a combination of factors including time, location, and the objects and people appearing in the photo determines its 'sensitivity;' and 3) people are concerned about the privacy of bystanders, despite reporting almost no opposition or concerns expressed by bystanders over the course of the study.

Accessibility in context: understanding the truly mobile experience of smartphone users with motor impairments

  • Authors: Maia Naftali and Leah Findlater
  • Year: 2014
  • Publication: Proceedings of the 16th international ACM SIGACCESS conference on Computers & accessibility (ASSETS '14). 209-216.
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: Lab-based studies on touchscreen use by people with motor impairments have identified both positive and negative impacts on accessibility. Little work, however, has moved beyond the lab to investigate the truly mobile experiences of users with motor impairments. We conducted two studies to investigate how smartphones are being used on a daily basis, what activities they enable, and what contextual challenges users are encountering.

The first study was a small online survey with 16 respondents. The second study was much more in depth, including an initial interview, two weeks of diary entries, and a 3-hour contextual session that included neighborhood activities. Four expert smartphone users participated in the second study and we used a case study approach for analysis.

Our findings highlight the ways in which smartphones are enabling everyday activities for people with motor impairments, particularly in overcoming physical accessibility challenges in the real world and supporting writing and reading. We also identified important situational impairments, such as the inability to retrieve the phone while in transit, and confirmed many lab-based findings in the real-world setting. We present design implications and directions for future work.

Visual challenges in the everyday lives of blind people

  • Authors: Erin Brady, Meredith Ringel Morris, Yu Zhong, Samuel White, and Jeffrey P. Bigham
  • Year: 2013
  • Publication: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '13). 2117-2126.
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: The challenges faced by blind people in their everyday lives are not well understood. In this paper, we report on the findings of a large-scale study of the visual questions that blind people would like to have answered. As part of this year-long study, 5,329 blind users asked 40,748 questions about photographs that they took from their iPhones using an application called VizWiz Social.

We present a taxonomy of the types of questions asked, report on a number of features of the questions and accompanying photographs, and discuss how individuals changed how they used VizWiz Social over time. These results improve our understanding of the problems blind people face, and may help motivate new projects more accurately targeted to help blind people live more independently in their everyday lives.

Under the table: tap authentication for smartphones

  • Authors: Diogo Marques (LaSIGE, University of Lisbon, Lisbon, Portugal), Tiago Guerreiro (LaSIGE, University of Lisbon, Lisbon, Portugal), Luís Duarte (LaSIGE, University of Lisbon, Lisbon, Portugal), Luís Carriço (LaSIGE, University of Lisbon, Lisbon, Portugal)
  • Year: 2013
  • Publication: BCS-HCI '13 Proceedings of the 27th International BCS Human Computer Interaction Conference, Article No. 33
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: Current smartphone authentication methods are known to be susceptible to even rudimentary attacks based on observation. In this paper, we propose an approach to authentication based on rich tapping patterns that addresses this problem. We present a novel tapping detection technique, using a single example as a template.

We also report on two user studies (N = 30 and N = 19) where tapping authentication is compared to the leading alternatives, both in an "out in the open" and in an "under the table" condition. Results indicate that the tapping method approximates current standards of security and usability, but also affords inconspicuous authentication, thus allowing the user to self-protect in social settings.

Investigating User Behavior for Authentication Methods: A Comparison between Individuals with Down Syndrome and Neurotypical Users

  • Authors: Yao Ma (Taiyuan University of Technology), Jinjuan Feng (Towson University and UMBC), Libby Kumin (Loyola University Maryland), Jonathan Lazar (Harvard University and Towson University)
  • Year: 2013
  • Publication: ACM Transactions on Accessible Computing (TACCESS) archive, Volume 4 Issue 4, July 2013, Article No. 15
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: A wide variety of authentication mechanisms have been designed to ensure information security. Individuals with cognitive disabilities depend on computers and the Internet for a variety of tasks and, therefore, use authentication applications on an everyday basis. However, although there have been numerous studies investigating password usage by neurotypical users, there have been no research studies conducted to examine the use of authentication methods by individuals with cognitive disabilities. In this article, we systematically investigate how individuals with cognitive disabilities, specifically Down syndrome (DS), interact with various user authentication mechanisms.

This research provides the first benchmark data on the performance of individuals with DS when using multiple authentication methods. It confirms that individuals with DS are capable of using the traditional alphanumeric passwords with reasonable efficiency. The passwords created by individuals with DS are of similar strength to those created by neurotypical people. Graphic passwords are not as effective as traditional alphanumeric and mnemonic passwords regarding efficiency, and are less preferred by the participants. Based on the findings of the study, we propose design guidelines that aim to assist both practitioners and researchers in designing and developing effective authentication applications that fit the specific needs of individuals with DS.

PassChords: secure multi-touch authentication for blind people

  • Authors: Shiri Azenkot (University of Washington), Kyle Rector (University of Washington), Richard Ladner (University of Washington), Jacob Wobbrock (University of Washington)
  • Year: 2012
  • Publication: ASSETS '12 Proceedings of the 14th international ACM SIGACCESS conference on Computers and accessibility, Pages 159-166.
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: Blind mobile device users face security risks such as inaccessible authentication methods, and aural and visual eavesdropping. We interviewed 13 blind smartphone users and found that most participants were unaware of or not concerned about potential security threats. Not a single participant used optional authentication methods such as a password-protected screen lock. We addressed the high risk of unauthorized user access by developing PassChords, a non-visual authentication method for touch surfaces that is robust to aural and visual eavesdropping. A user enters a PassChord by tapping several times on a touch surface with one or more fingers. The set of fingers used in each tap defines the password.

We give preliminary evidence that a four-tap PassChord has about the same entropy, a measure of password strength, as a four-digit personal identification number (PIN) used in the iPhone's Passcode Lock. We conducted a study with 16 blind participants that showed that PassChords were nearly three times as fast as iPhone's Passcode Lock with VoiceOver, suggesting that PassChords are a viable accessible authentication method for touch screens.

On the need for different security methods on mobile phones

  • Authors: Noam Ben-Asher, Niklas Kirschnick, Hanul Sieger, Joachim Meyer, Asaf Ben-Oved, and Sebastian Möller.
  • Year: 2011
  • Publication: MobileHCI '11 Proceedings of the 13th International Conference on Human Computer Interaction with Mobile Devices and Services, Pages 465-473
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: Mobile phones are rapidly becoming small-size general purpose computers, so-called smartphones. However, applications and data stored on mobile phones are less protected from unauthorized access than on most desktop and mobile computers. This paper presents a survey on users' security needs, awareness and concerns in the context of mobile phones. It also evaluates acceptance and perceived protection of existing and novel authentication methods.

The responses from 465 participants reveal that users are interested in increased security and data protection. The current protection by using PIN (Personal Identification Number) is perceived as neither adequate nor convenient in all cases. The sensitivity of data stored on the devices varies depending on the data type and the context of use, asking for the need for another level of protection. According to these findings, a two-level security model for mobile phones is proposed. The model provides differential data and service protection by utilizing existing capabilities of a mobile phone for authenticating users.

Toward tactile authentication for blind users

  • Authors: Ravi Kuber and Shiva Sharma
  • Year: 2010
  • Publication: Proceedings of the 11th international ACM SIGACCESS conference on Computers and accessibility (Assets '09), 115-122
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: This paper describes the design of an accessible authentication mechanism. The Tactile Authentication System has been adapted to enable individuals who are blind to access electronic data using their sense of touch. To enter the system, users must identify a set of pre-selected pin-based icons from a wider range presented via a tactile mouse. As information is presented underneath the user's fingertips, 'tactile passwords' are shielded from observers, thereby enhancing security from third-party attacks.

Results from a pilot study showed that five participants were able to authenticate entry to the non-visual interface over the course of a two week period. However, findings have revealed that the time needed to perform this process should be reduced to improve the quality of the user experience.

Freedom to roam: a study of mobile device adoption and accessibility for people with visual and motor disabilities

  • Authors: Shaun K. Kane, Chandrika Jayant, Jacob O. Wobbrock, and Richard E. Ladner.
  • Year: 2009
  • Publication: Proceedings of the 11th international ACM SIGACCESS conference on Computers and accessibility (Assets '09), 115-122
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: Mobile devices provide people with disabilities new opportunities to act independently in the world. However, these empowering devices have their own accessibility challenges. We present a formative study that examines how people with visual and motor disabilities select, adapt, and use mobile devices in their daily lives. We interviewed 20 participants with visual and motor disabilities and asked about their current use of mobile devices, including how they select them, how they use them while away from home, and how they adapt to accessibility challenges when on the go.

Following the interviews, 19 participants completed a diary study in which they recorded their experiences using mobile devices for one week. Our results show that people with visual and motor disabilities use a variety of strategies to adapt inaccessible mobile devices and successfully use them to perform everyday tasks and navigate independently. We provide guidelines for more accessible and empowering mobile device design.

Privacy and technology: folk definitions and perspectives

  • Authors: Michelle Kwasny, Kelly Caine, Wendy A. Rogers, and Arthur D. Fisk
  • Year: 2008
  • Publication: CHI '08 Extended Abstracts on Human Factors in Computing Systems (CHI EA '08). 3291-3296.
  • Full text: Restricted, ACM Digital Library
  • Keywords:

Abstract: In this paper we present preliminary results from a study of individual differences in privacy beliefs and relate folk definitions of privacy to extant privacy theory. Focus groups were conducted with younger and older adult participants who shared their individual definitions of privacy and engaged in a discussion of privacy across six scenarios.

Taken together, Westin's and Altman's theories of privacy accounted for both younger and older adults' ideas about privacy; however, neither theory successfully accounted for findings across all age and gender groups. Whereas males tended to think of privacy in terms of personal needs and convenience, females focused more on privacy in terms of others, respecting privacy rights, and safety. Older adults tended to be more concerned with privacy of space than information privacy. Initial results suggest that designing for commonalities in privacy perceptions among group members is feasible.

On user authentication by means of video events recognition

  • Reference Type: Journal Article
  • Author: Catuogno, Luigi and Galdi, Clemente
  • Year: 2014
  • Journal: Journal of Ambient Intelligence and Humanized Computing
  • Volume: 5
  • Issue: 6
  • Pages: 909-918
  • ISSN: 1868-5137
  • DOI: 10.1007/s12652-014-0248-5
  • Keywords: Graphical password, Authentication, Human cryptography
  • Notes: machine learning

Abstract: Graphical password schemes have been widely analyzed in the last couple of decades. Typically such schemes are not resilient to adversaries who are able to collect a considerable amount of session transcripts, and can process them automatically in order to extract the secret. In this paper we discuss a possible enhancement to graphical passwords aiming at making it infeasible for the attacker to automatically process the collected transcripts. In particular, we investigate the possibility of replacing static graphical challenges with on-the-fly edited videos. In our approach, the system challenges the user by showing her a short film containing a number of pre-defined pass-events and the user replies with the proof that she recognized such events. We present a proof-of-concept prototype, FilmPW, and discuss some issues related to event life-cycle management. Our preliminary experiments show that such an authentication mechanism is well accepted by users and achieves low error rates.

Design, Testing and Implementation of a New Authentication Method Using Multiple Devices

  • Reference Type: Generic
  • Author: Cetin, Cagri
  • Year: 2015
  • Secondary Author: Ligatti, Jay, Goldgof, Dmitry and Liu, Yao
  • Publisher: ProQuest Dissertations Publishing
  • Keywords: Computer Science, Applied Sciences, Access Control, Authentication Protocols, Mobile Devices, Security, Verification
  • Notes: machine learning

Abstract: Authentication protocols are very common mechanisms to confirm the legitimacy of someone's or something's identity in digital and physical systems. This thesis presents a new and robust authentication method based on users' multiple devices. Due to the popularity of mobile devices, users are becoming more likely to have more than one device (e.g., smartwatch, smartphone, laptop, tablet, smart-car, smart-ring, etc.). The authentication system presented here takes advantage of these multiple devices to implement authentication mechanisms. In particular, the system requires the devices to collaborate with each other in order for the authentication to succeed. This new authentication protocol is robust against theft-based attacks on a single device.

An attacker would need to steal multiple devices in order to compromise the authentication system. The new authentication protocol comprises an authenticator and at least two user devices, where the user devices are associated with each other. To perform an authentication on a user device, the user needs to respond to a challenge by using his/her associated device. After describing how this authentication protocol works, this thesis will discuss three different versions of the protocol that have been implemented. In the first implementation, the authentication process is performed by using two smartphones. Also, as a challenge, a QR code is used. In the second implementation, instead of using a QR code, NFC technology is used for challenge transmission. In the last implementation, the usability with different platforms is exposed. Instead of using smartphones, a laptop computer and smartphone combination is used. Furthermore, the authentication protocol has been verified by using an automated protocol-verification tool to check whether the protocol satisfies authenticity and secrecy properties. Finally, these implementations are tested and analyzed to demonstrate the performance variations over different versions of the protocol.

References to follow up from CHI 2017

This is a temporary section that contains relevant papers from the recent CHI conference. They will be integrated into the above list as they are reviewed.

How Do System Administrators Resolve Access-Denied Issues in the Real World?

  • Tianyin Xu, Han Min Naing, Le Lu, Yuanyuan Zhou
  • CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, Colorado, USA — May 06 - 11, 2017, Pages 348-361, ACM New York, NY, USA

Abstract: The efficacy of access control largely depends on how system administrators (sysadmins) resolve access-denied issues. A correct resolution should only permit the expected access, while maintaining the protection against illegal access. However, anecdotal evidence suggests that correct resolutions are occasional; sysadmins often grant too much access (known as security misconfigurations) to allow the denied access, posing severe security risks.

This paper presents a quantitative study on real-world practices of resolving access-denied issues, with a particular focus on how and why security misconfigurations are introduced during problem solving. We characterize the real-world security misconfigurations introduced in the field, and show that many of these misconfigurations were the results of trial-and-error practices commonly adopted by sysadmins to work around access denials.

We argue that the lack of adequate feedback information is one fundamental reason that prevents sysadmins from developing precise understanding and thus induces trial and error. Our study on access-denied messages shows that many of today's software systems miss the opportunities for providing adequate feedback information, imposing unnecessary obstacles to correct resolutions.

User Interactions and Permission Use on Android

  • Kristopher Micinski, Daniel Votipka, Rock Stevens, Nikolaos Kofinas, Michelle L. Mazurek, Jeffrey S. Foster
  • CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, Colorado, USA — May 06 - 11, 2017, Pages 362-373, ACM New York, NY, USA

Abstract: Android and other mobile operating systems ask users for authorization before allowing apps to access sensitive resources such as contacts and location. We hypothesize that such authorization systems could be improved by becoming more integrated with the app's user interface.

In this paper, we conduct two studies to test our hypothesis. First, we use AppTracer, a dynamic analysis tool we developed, to measure to what extent user interactions and sensitive resource use are related in existing apps. Second, we conduct an online survey to examine how different interactions with the UI affect users' expectations about whether an app accesses sensitive resources.

Our results suggest that user interactions such as button clicks can be interpreted as authorization, reducing the need for separate requests; but that accesses not directly tied to user interactions should be separately authorized, possibly when apps are first launched.

Where Usability and Security Go Hand-in-Hand: Robust Gesture-Based Authentication for Mobile Systems

  • Can Liu, Gradeigh D. Clark, Janne Lindqvist
  • CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, Colorado, USA — May 06 - 11, 2017, Pages 374-386, ACM New York, NY, USA

Abstract: Gestures have recently gained interest as a secure and usable authentication method for mobile devices. Gesture authentication relies on recognition, wherein raw data is collected from user input and preprocessed into a more manageable form before applying recognition algorithms. Preprocessing is done to improve recognition accuracy, but little work has been done in justifying its effects on authentication.

We examined the effects of three variables: location, rotation, and scale, on authentication accuracy. We found that an authentication-optimal combination (location invariant, scale variant, and rotation variant) can reduce the error rate by 45.3% on average compared to the recognition-optimal combination (all invariant). We analyzed 13 gesture recognizers and evaluated them with three criteria: authentication accuracy, and resistance against both brute-force and imitation attacks.

Our novel multi-expert method (Garda) achieved the lowest error rate (0.015) in authentication accuracy, the lowest error rate (0.040) under imitation attacks, and resisted all brute-force attacks.

I'm too Busy to Reset my LinkedIn Password: On the Effectiveness of Password Reset Emails

  • Jun Ho Huh, Hyoungshick Kim, Swathi S.V.P. Rayala, Rakesh B. Bobba, Konstantin Beznosov
  • CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, Colorado, USA — May 06 - 11, 2017, Pages 387-391, ACM New York, NY, USA

Abstract: A common security practice used to deal with a password breach is locking user accounts and sending out an email to tell users that they need to reset their password to unlock their account. This paper evaluates the effectiveness of this security practice based on the password reset email that LinkedIn sent out around May 2016, and through an online survey conducted on 249 LinkedIn users who received that email.

Our evaluation shows that only about 46% of the participants reset their passwords. The mean time taken to reset a password was 26.3 days, revealing that a significant proportion of the participants reset their password a few weeks, or even months, after first receiving the email. Our findings suggest that more effective persuasive measures need to be added to convince users to reset their password in a timely manner, and further reduce the risks associated with delaying password resets.

Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication

  • Yomna Abdelrahman, Mohamed Khamis, Stefan Schneegass, Florian Alt
  • CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, Colorado, USA — May 06 - 11, 2017, Pages 3751-3763, ACM New York, NY, USA

Abstract: PINs and patterns remain among the most widely used knowledge-based authentication schemes. As thermal cameras become ubiquitous and affordable, we foresee a new form of threat to user privacy on mobile devices. Thermal cameras allow performing thermal attacks, where heat traces, resulting from authentication, can be used to reconstruct passwords.

In this work we investigate in detail the viability of exploiting thermal imaging to infer PINs and patterns on mobile devices. We present a study (N=18) where we evaluated how properties of PINs and patterns influence their resistance to thermal attacks.

We found that thermal attacks are indeed viable on mobile devices; overlapping patterns significantly decrease the successful thermal attack rate from 100% to 16.67%, while PINs remain vulnerable (>72% success rate) even with duplicate digits. We conclude with recommendations for users and designers of authentication schemes on how to resist thermal attacks.

Thumprint: Socially-Inclusive Local Group Authentication Through Shared Secret Knocks

  • Sauvik Das, Gierad Laput, Chris Harrison, Jason I. Hong
  • CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, Colorado, USA — May 06 - 11, 2017, Pages 3764-3774, ACM New York, NY, USA

Abstract: Small, local groups who share protected resources (e.g., families, work teams, student organizations) have unmet authentication needs. For these groups, existing authentication strategies either create unnecessary social divisions (e.g., biometrics), do not identify individuals (e.g., shared passwords), do not equitably distribute security responsibility (e.g., individual passwords), or make it difficult to share or revoke access (e.g., physical keys).

To explore an alternative, we designed Thumprint: inclusive group authentication with a shared secret knock. All group members share one secret knock, but individual expressions of the secret are discernible. We evaluated the usability and security of our concept through two user studies with 30 participants.

Our results suggest that (1) individuals who enter the same shared thumprint are distinguishable from one another, (2) that people can enter thumprints consistently over time, and (3) that thumprints are resilient to casual adversaries.

Design and Evaluation of a Data-Driven Password Meter

  • Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami-Naeini, Hana Habib, Noah Johnson, William Melicher
  • CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, Colorado, USA — May 06 - 11, 2017, Pages 3775-3786, ACM New York, NY, USA

Abstract: Despite their ubiquity, many password meters provide inaccurate strength estimates. Furthermore, they do not explain to users what is wrong with their password or how to improve it.

We describe the development and evaluation of a data-driven password meter that provides accurate strength measurement and actionable, detailed feedback to users. This meter combines neural networks and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about the user's password. We describe the meter's iterative development and final design. We detail the security and usability impact of the meter's design dimensions, examined through a 4,509-participant online study.

Under the more common password-composition policy we tested, we found that the data-driven meter with detailed feedback led users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator.

Can Unicorns Help Users Compare Crypto Key Fingerprints?

  • Joshua Tan, Lujo Bauer, Joseph Bonneau, Lorrie Faith Cranor, Jeremy Thomas, Blase Ur
  • CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, Colorado, USA — May 06 - 11, 2017, Pages 3787-3798, ACM New York, NY, USA

Abstract: Many authentication schemes ask users to manually compare compact representations of cryptographic keys, known as fingerprints. If the fingerprints do not match, that may signal a man-in-the-middle attack. An adversary performing an attack may use a fingerprint that is similar to the target fingerprint, but not an exact match, to try to fool inattentive users. Fingerprint representations should thus be both usable and secure.

We tested the usability and security of eight fingerprint representations under different configurations. In a 661-participant between-subjects experiment, participants compared fingerprints under realistic conditions and were subjected to a simulated attack. The best configuration allowed attacks to succeed 6% of the time; the worst 72%.

We find the seemingly effective compare-and-select approach performs poorly for key fingerprints and that graphical fingerprint representations, while intuitive and fast, vary in performance. We identify some fingerprint representations as particularly promising.

Emerging uses of authentication technology to focus on

This section contains a list of emerging uses of authentication that RQTF has become aware of, and may be of relevance to a Research Note considering accessibility implications.

See also the Authentication on the Web: Issue List page for a fuller list of issues.

Coverage of authentication in accessibility standards

Some recent standards make reference to the accessibility implications of authentication that relies on biometric means. Some biometric measures may not be possible for some people with disabilities; other measures may be unreliable because a particular disability changes over time. We need to find out more and report what standards say here.

Continuous authentication

Some systems may continuously monitor individuals, and potentially revoke authentication if certain trigger situations are met. Examples, issues for people with disabilities and potential solutions can be added here.