Lynne Coventry

Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems

The weakness of knowledge-based authentication systems, such as passwords and Personal Identification Numbers (PINs), is well known, and reflects an uneasy compromise between security and human memory constraints. Research has been undertaken for some years now into the feasibility of graphical authentication mechanisms in the hope that these will provide a more secure and memorable alternative. The graphical approach substitutes the exact recall of alphanumeric codes with the recognition of previously learnt pictures, a skill at which humans are remarkably proficient. So far, little attention has been devoted to usability, and initial research has failed to conclusively establish significant memory improvement. This paper reports two user studies comparing several implementations of the graphical approach with PINs. Results demonstrate that pictures can be a solution to some problems relating to traditional knowledge-based authentication but that they are not a simple panacea, since a poor design can eliminate the picture superiority effect in memory. The paper concludes by discussing the potential of the graphical approach and providing guidelines for developers contemplating using these mechanisms.

Usability and biometric verification at the ATM interface

This paper describes some of the consumer-driven usability research conducted by NCR Self Service Strategic Solutions in the development of an understanding of usability and user acceptance of leading-edge biometrics verification techniques. We discuss biometric techniques in general and focus upon the usability phases and issues, associated with iris verification technology at the Automated Teller Machine (ATM) user interface. The paper concludes with a review of some of the major research issues encountered, and an outline of future work in the area.

VIP: a visual approach to user authentication

This paper addresses knowledge-based authentication systems in self-service technology, presenting the design and evaluation of the Visual Identification Protocol (VIP). The basic idea behind it is to use pictures instead of numbers as a means for user authentication. Three different authentication systems based on images and visual memory were designed and compared with the traditional Personal Identification Number (PIN) approach in a longitudinal study involving 61 users. The experiment addressed performance criteria and subjective evaluation. The study and associated design exploration revealed important knowledge about users, their attitudes towards and behaviour with novel authentication approaches using images. VIP was found to provide a promising and easy-to-use alternative to the PIN. The visual code is easier to remember, preferred by users and potentially more secure than the numeric code. Results also provided guidelines to help designers make the best use of the natural power of visual memory in security solutions.

Age-related performance issues for PIN and face-based authentication systems

Graphical authentication systems typically claim to be more usable than PIN or password-based systems, but these claims often follow limited, single-stage paradigm testing on a young, student population. We present a more demanding test paradigm in which multiple codes are learned and tested over a three-week period. We use this paradigm with two user populations, comparing the performance of younger and older adults. We first establish baseline performance in a study in which populations of younger and older adults learn PIN codes and we follow this with a second study in which younger and older adults use two face-based graphical authentication systems employing young faces vs. old faces as code components. As expected, older adults show relatively poor performance when compared to younger adults, irrespective of the authentication material, but this age-related deficit can be markedly reduced by the introduction of age-appropriate faces. We conclude firstly that this paradigm provides a good basis for the future evaluation of memory-based authentication systems and secondly that age-appropriate face-based authentication is viable in the security marketplace.

Assistive technology for older adults: psychological and socio-emotional design requirements

The EU-funded multi-disciplinary DALi (Devices for Assisted Living) project aims to develop a semi-autonomous, intelligent mobility aid for older adults, which supports navigation in crowded and unstructured environments. We demonstrate the necessity to consider hitherto underexplored user-inclusive requirements which address psychological and socio-emotional needs of users. Using a qualitative methodology, including focus groups and interviews, our results showed that the design of the intelligent walker for older adults has to address issues of anticipated or experienced socio-emotional and psychological costs, including self-consciousness, pride, embarrassment, fear of being stigmatised and not wanting to admit a need. We suggest potential design strategies to increase emotional benefits and reduce psychological and emotional costs associated with use of assistive technology, thus facilitating product adoption.

SCENE: A Structured Means for Creating and Evaluating Behavioral Nudges in a Cyber Security Environment

Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the behavior change literature (MINDSPACE) that allows resesarchers and organisational stakeholders to work together to identify a set of nudges that might promote best behavioral practice. We describe the structured approach or framework, which we call SCENE, and follow this description with a worked example of how the approach has been utilised effectively in the development of a nudge to mitigate insecure behaviors around selection of wireless networks.

Principles of Persuasion in Social Engineering and Their Use in Phishing

Research on marketing and deception has identified principles of persuasion that influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different taxonomies. In regard to frauds and scams, three taxonomies are often referred in the literature: Cialdinis principles of influence, Graggs psychological triggers, and Stajano et al. principles of scams. It is unclear whether these relate but clearly some of their principles seem overlapping whereas others look complementary. We propose a way to connect those principles and present a merged and reviewed list for them. Then, we analyse various phishing emails and show that our principles are used therein in specific combinations. Our analysis of phishing is based on peer review and further research is needed to make it automatic, but the approach we follow, together with principles we propose, can be applied more consistently and more comprehensively than the original taxonomies.

Risk perceptions of cyber-security and precautionary behaviour

A quantitative empirical online study examined a set of 16 security hazards on the Internet and two comparisons in 436 UK- and US students, measuring perceptions of risk and other risk dimensions. First, perceived risk was highest for identity theft, keylogger, cyber-bullying and social engineering. Second, consistent with existing theory, significant predictors of perceived risk were voluntariness, immediacy, catastrophic potential, dread, severity of consequences and control, as well as Internet experience and frequency of Internet use. Moreover, control was a significant predictor of precautionary behaviour. Methodological implications emphasise the need for non-aggregated analysis and practical implications emphasise risk communication to Internet users.

Faces and Pictures: Understanding age differences in two types of graphical authentications

Recall of knowledge-based authentication codes such as passwords and PINs can be problematic, particularly for older adults given the known memory decline associated with ageing. We explored the extent to which recognition-based Graphical Authentication Systems were effective alternatives to PINs and passwords in a study in which users were asked to commit several different codes to memory and recall them at different time periods. Populations of younger and older adults were given face-based and picture-based authentication codes to remember over the course of three weeks. Results show a pronounced age effect, with younger participants outperforming older participants. Older participants fared better with the face-based system over the picture-based system while younger participants exhibited the opposite effect. A significant performance drop was observed for older participants over time, as additional codes were introduced.

Exploring the relationship between impulsivity and decision-making on mobile devices

Mobile devices offer a common platform for both leisure and work-related tasks, but this has resulted in a blurred boundary between home and work. In this paper, we explore the security implications of this blurred boundary, both for the worker and the employer. Mobile workers may not always make optimal security-related choices when “on the go” and more impulsive individuals may be particularly affected as they are considered more vulnerable to distraction. In this study, we used a task scenario, in which 104 users were asked to choose a wireless network when responding to work demands while out of the office. Eye-tracking data was obtained from a subsample of 40 of these participants in order to explore the effects of impulsivity on attention. Our results suggest that impulsive people are more frequent users of public devices and networks in their day-to-day interactions and are more likely to access their social networks on a regular basis. However, they are also likely to make risky decisions when working on-the-go, processing fewer features before making those decisions. These results suggest that those with high impulsivity may make more use of the mobile Internet options for both work and private purposes, but they also show attentional behavior patterns that suggest they make less considered security-sensitive decisions. The findings are discussed in terms of designs that might support enhanced deliberation, both in the moment and also in relation to longer term behaviors that would contribute to a better work–life balance.