Ashley A. Cain
Old Dominion University
Publication
Featured research published by Ashley A. Cain.
Information and Computer Security | 2017
Jeremiah D. Still; Ashley A. Cain; David Schuster
Purpose: Despite the widespread use of authentication schemes and the rapid emergence of novel authentication schemes, a general set of domain-specific guidelines has not yet been developed. This paper aims to present and explain a list of human-centered guidelines for developing usable authentication schemes.
Design/methodology/approach: The guidelines stem from research findings within the fields of psychology, human–computer interaction and information/computer science.
Findings: Instead of viewing users as the inevitable weak point in the authentication process, this study proposes that authentication interfaces be designed to take advantage of users’ natural abilities. This approach requires that one understands how interactions with authentication interfaces can be improved and what human capabilities can be exploited. A list of six guidelines that designers ought to consider when developing a new usable authentication scheme has been presented.
Research limitations/implications: This consolidated list of usable authentication guidelines provides system developers with immediate access to common design issues impacting usability. These guidelines ought to assist designers in producing more secure products in fewer costly development cycles.
Originality/value: Cybersecurity research and development has mainly focused on technical solutions to increase security. However, the greatest weakness of many systems is the user. It is argued that authentication schemes with poor usability are inherently insecure, as users will inadvertently weaken the security in their efforts to use the system. The study proposes that designers need to consider the human factors that impact end-user behavior. Development from this perspective will address the greatest weakness in most security systems by increasing end-user compliance.
Archive | 2016
Ashley A. Cain; Jeremiah D. Still
We propose a Rapid Serial Visual Presentation (RSVP) graphical authentication method that is suited for multi-touch mobile devices. This method presents degraded pictures of everyday objects in a temporal stream. Considering all the other authentication methods employ a spatial visual search, our method is unique (i.e., searching across time versus space). A temporal method of presentation is used to decrease login times down to 14 s and to allow login with a simple touch of the screen. By degrading the images, over-the-shoulder attackers are prevented from easily capturing the passcode. This study shows that all participants could successfully log in at least once when allowed up to three attempts. After becoming familiar with the RSVP authentication method, participants took on the role of an attacker. Notably, no one was able to identify the passcode. The RSVP method offers a memorable, usable, quick, and secure alternative for authentication on multi-touch mobile devices.
Human Factors in Computing Systems | 2017
Ashley A. Cain; Steffen Werner; Jeremiah D. Still
Graphical passwords offer advantages for memorability over conventional alphanumeric passwords, but in some cases they have been vulnerable to over-the-shoulder attacks (OSAs). Thus, many second-generation graphic-based schemes are specifically designed to be resistant to OSAs. This is often achieved by not having users select targets directly, but by adding cognitive operations to create seemingly random response patterns. This study takes the first step to directly compare three prototypical graphical password schemes to determine their relative resistance to OSAs employing a within-subjects design. We found that schemes requiring cognitive operations in response to target patterns were superior to direct selection of targets. Convex Hull Click was most secure, followed by What You See is What You Enter, while Use Your Illusion showed high vulnerability to OSAs. In addition, we discuss a diversity of previous measurements, which are meant to examine security strength of new approaches. We highlight the need for standard OSA resistance measures depending on threat model needs.
Proceedings of the Human Factors and Ergonomics Society Annual Meeting | 2016
Ashley A. Cain; Tamsyn E. Edwards; David Schuster
As team structures evolve and become more complex, with human and automated agents working together to accomplish team goals, measurement approaches for system situation awareness must also adapt. This paper proposes a novel approach to the measurement of SA for human automation teams. Limitations of existing individual SA measurement approaches are highlighted with a particular focus on the sensitivity of current measures to knowledge held across human and automated agents in complex sociotechnical systems. We propose that elements from team communication data can be used as a basis for the quantification of shared and complementary situation awareness. We present a conceptual measurement approach for using communication data to measure shared and complementary situation awareness for human-automation teams, appropriate for both open or closed loop communication. This paper discusses how such a measurement approach would be applied specifically for human-automation teams, including automation that functions as decision aids, as managers, and automation that learns with the human operator, and discusses implications of our measure for training and design.
Archive | 2016
Ashley A. Cain; Liya Chiu; Felicia Santiago; Jeremiah D. Still
Swipe passwords are a popular method for authenticating on mobile phones. In public, these passwords may become visible to attackers who engage in shoulder surfing. There is a need for strategies that protect swipe passwords from over-the-shoulder attacks (OSAs). We empirically explored the impact of providing gesture visual feedback on OSA performance during successful and unsuccessful swipe login attempts on mobile phones. We found evidence that entry visual feedback facilitates OSAs. As users are biased towards symmetrical swipe patterns, we investigated their impact on attack performance. We found that symmetrical swipe patterns were less vulnerable than asymmetrical patterns, possibly due to the speed of entry. As users tend toward simple patterns, we investigated the impact that nonadjacent, diagonal knight moves have on OSAs. We found that knight moves significantly decreased OSA performance. We recommend users turn off gesture entry visual feedback and use knight moves for greater password security.
Workshop on Information Security Applications | 2018
Ashley A. Cain; Morgan E. Edwards; Jeremiah D. Still
End users’ cyber hygiene often plays a large role in cybersecurity breaches. Therefore, we need a deeper understanding of the user differences that are associated with either good or bad hygiene and an updated perspective on what users do to promote good hygiene (e.g., employ firewall and anti-virus applications). Those individuals with good cyber hygiene follow best practices for security and protect their personal information. This exploratory study of cyber hygiene knowledge and behavior offers information that designers and researchers can employ to improve users’ hygiene practices. We surveyed 268 participants about their knowledge of concepts, their knowledge of threats, and their behaviors related to cyber hygiene. Further, we asked participants about their previous training and experiences. Notably, the participants represent a large cross section from age 18 to 55+. We addressed inconsistencies in the literature, we provide up-to-date information on behaviors and on users’ knowledge about password usage and phishing, and we explored the impact of age, gender, victim history, perceived expertise, and training on cyber hygiene.
International Conference on Applied Human Factors and Ergonomics | 2018
Lauren N. Tiller; Ashley A. Cain; Lucas Potter; Jeremiah D. Still
Graphical authentication schemes offer a more memorable alternative to conventional passwords. One common criticism of graphical passcodes is the risk for observability by unauthorized onlookers. This type of threat is referred to as an Over-the-Shoulder Attack (OSA). A strategy to prevent casual OSAs is to distort the images, making them difficult for onlookers to recognize. Critically, the distortion should not harm legitimate users’ ability to recognize their passcode images. If designers select the incorrect amount of distortion, the passcode images could become vulnerable to attackers or images could become unrecognizable by users rendering the system useless for authentication. We suggest graphical authentication designers can distort images at brushstroke size 10 for a 112 × 90-pixel image to maintain user recognition and decrease casual OSAs. Also, we present mathematical equations to explicitly communicate the image distortion process to facilitate implementation of this OSA resistant approach.
Proceedings of the Human Factors and Ergonomics Society Annual Meeting | 2017
John M. Hicks; Ashley A. Cain; Jeremiah D. Still
Previous research has shown a computational model of visual saliency can predict where people fixate in cluttered web pages (Masciocchi & Still, 2013). Over time, web site designers are moving towards simpler, less cluttered webpages to improve aesthetics and to make searches more efficient. Even with simpler interfaces, determining a saliency ranking among interface elements is a difficult task. Also, it is unclear whether the traditionally employed saliency model (Itti, Koch, & Niebur, 1998) can be applied to simpler interfaces. To examine the model’s ability to predict fixations in simple web pages, we compared a distribution of observed fixations to a conservative measure of chance performance (a shuffled distribution). Simplicity was determined by using two visual clutter models (Rosenholtz, Li, & Nakano, 2007). We found under free-viewing conditions that the saliency model was able to predict fixations within less cluttered web pages.
International Conference on Applied Human Factors and Ergonomics | 2017
Jeremiah D. Still; John M. Hicks; Ashley A. Cain; Dorrit Billman
Masciocchi and Still [1] suggested that biologically inspired computational saliency models could predict attentional deployment within webpages. Their stimuli were presented on a large desktop monitor. We explored whether a saliency model’s predictive performance can be applied to small mobile interface displays. We asked participants to free-view screenshots of NASA’s mobile application Playbook. The Itti et al. [2] saliency model was employed to produce the predictive stimulus-driven maps. The first six fixations were used to select values to form the saliency maps’ bins, which formed the observed distribution. This was compared to the shuffled distribution, which offers a very conservative chance comparison as it includes predictable spatial biases by using a within-subjects bootstrapping technique. The observed distribution values were higher than the shuffled distribution. This suggests that a saliency model was able to predict the deployment of attention within small mobile application interfaces.
IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support | 2016
Ashley A. Cain; David Schuster
As networks in complex domains such as cyber security increasingly become distributed, with multiple human and automated agents working together to complete team goals, capturing situation awareness (SA) becomes more difficult. Often, SA is defined and measured as individual SA (the knowledge held by an individual, such as a system administrator) or as shared SA (the knowledge held in common by multiple individuals). For these two types, ideal and actual SA have been measured using goal-oriented task analysis and knowledge-specific queries, respectively. We argue that measurements of SA could fill a gap by additionally measuring complementary SA (the knowledge elements held separately by individuals). In the current paper, we suggest how measures for individual SA can be applied to the measurement of the complementary component of SA. We adapt a technique that involves completing a goal-oriented task analysis for a given context and then querying human operators about specific knowledge elements. This adaption allows for the quantification of goal-oriented knowledge elements that are held by team members but are not shared. This technique for quantifying team SA that is complementary as well as shared can be applied to assess trainees and to inform future training programs. Understanding and measuring multiple facets of SA will help improve efficiency and security in distributed teams in cyber security. First, we review the literature on existing measurement techniques for SA, then we outline how measurement can be applied to complementary SA. Lastly, we discuss some applications of measuring complementary SA.