Yee-Yin Choong

A field study of user behavior and perceptions in smartcard authentication

A field study of 24 participants over 10 weeks explored user behavior and perceptions in a smartcard authentication system. Ethnographic methods used to collect data included diaries, surveys, interviews, and field observations. We observed a number of issues users experienced while they integrated smartcards into their work processes, including forgetting smartcards in readers, forgetting to use smartcards to authenticate, and difficulty understanding digital signatures and encryption. The greatest perceived benefit was the use of an easy-to-remember PIN in replacement of complicated passwords. The greatest perceived drawback was the lack of smartcard-supported applications. Overall, most participants had a positive experience using smartcards for authentication. Perceptions were influenced by personal benefits experienced by participants rather than an increase in security.

Real-time feedback for usable fingerprint systems

Compared with traditional password and other identification methods, biometrics such as face, iris, and fingerprints for automatic personal identification and verification have many advantages, and are increasingly gaining popularity in all kinds of applications. As the technologies mature, the community has begun to realize that usability has great impact on the final accuracy and efficiency of a biometric system. Although research has shown that effective user feedback can improve the quality of the fingerprint images captured and user satisfaction, currently user feedback information of fingerprint devices used in real world applications is very limited. We design a rich, quality-driven interactive real-time user feedback mechanism for unattended fingerprint kiosk. The system aims to improve the quality of biometric samples during the acquisition process by feeding rich information back to the user instantaneously by measuring objective parameters of the image. The paper proposes an innovative, cost-efficient, real-time algorithm for fingertip detection, slap/thumb rotation detection, and finger region intensity estimation. The paper provides detailed information on the technical solution and its implementation. Preliminary results show that the methodology can potentially increase efficiency, effectiveness, and user satisfaction of a fingerprint biometric system.

Human Generated Passwords --- The Impacts of Password Requirements and Presentation Styles

The generation stage of the user password management lifecycle is arguably the most important yet perilous step. Fulfilling minimum length and character type requirements while attempting to create something memorable can become an arduous task, leaving the users frustrated and confused. Our study focuses on two areas --- password requirements and formatting --- and examines the differences in user performance to understand the human password generation space. The results show a clear drop in performance when users generate passwords following a complex rule set as opposed to a simple rule set, with fewer passwords, more errors, and longer times for rule comprehension and password generation. Better formatted presentation helps reduce cognitive load in reading complex password rules and facilitates comprehension. Findings from this study will contribute to a better understanding of the user password generation stage and shed light on future development of password policies balancing security and usability.

Ten-Print Fingerprint Self-Captures: Graphics-only User Guidance without Language

Users of biometric systems have expanded from traditional law enforcement operators to the general population with diverse backgrounds. Past research has shown that usability was improved when users received real-time system feedback regarding their hand positioning and how to correct any undesirable positions. Users can perform fingerprint self-captures successfully by following real-time textual corrective instructions as reported by Choong, Theofanos and Guan. This paper builds on their work with two research questions: what symbols best convey the textual instructions, and, can diverse international users perform ten-print fingerprint self-captures by following graphics-only guidance with no language? We developed a prototype biometric self-capture kiosk to investigate these research questions. A total of 140 subjects participated in two controlled experiments. The findings show that the self-capture prototype is a highly usable system with evidence of great potential for supporting diverse users. By following the real-time graphics-only guidance, participants quickly learned, and were comfortable and confident to capture their own fingerprints without any assistance.

Public Safety Communication User Needs: Voices of First Responders

The public safety community is transitioning from land mobile radios to a communications technology ecosystem including a variety of broadband data sharing platforms. Successful deployment and adoption of new communications technology relies on efficient and effective user interfaces based on understanding first responder needs, requirements, and contexts of use; human factors research is needed to examine these factors. As such, this paper presents initial qualitative research results via semi-structured interviews with 133 first responders across the U.S. While there are similarities across disciplines, results show there is no easy “one size fits all” communications technology solution. To facilitate trust in new communications technology, solutions must be dependable, easy to use for first responders, and meet their communication needs through the application of user-centered design principles. During this shift in public safety communications technology, the time is now to leverage existing human factors expertise to influence emerging technology for public safety.

Voices of First Responders Identifying Public Safety Communication Problems: Findings from User-Centered Interviews, Phase 1, Volume 1 | NIST

................................................................................................................................................... I EXECUTIVE SUMMARY ................................................................................................................................. II TABLE OF CONTENTS ................................................................................................................................... V LIST OF TABLES ........................................................................................................................................... VI LIST OF FIGURES ......................................................................................................................................... VI GLOSSARY ................................................................................................................................................. VI

Must I, can I? I don’t understand your ambiguous password rules

Purpose The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules. Design/methodology/approach This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users’ interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space. Findings Results show that manipulating password rule terminology causes users’ interpretation of the allowed character space to shrink or expand. Users are confused by the terms “non-alphanumeric”, “symbols”, “special characters” and “punctuation marks” in password rules. Additionally, users are confused by partial lists of allowed characters using “e.g.” or “etc.” Practical implications This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements. Originality/value This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.

What's a Special Character Anyway? Effects of Ambiguous Terminology in Password Rules

Although many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects the user experience during password rule comprehension, a necessary precursor to password generation. Our research begins to address this gap by focusing on users’ comprehension of password generation rules. Varying terms—special characters, symbols, non-alphanumeric characters, and punctuation—are used in different password rules, but mostly without explicit definition. In this laboratory study, we used character-selection and compliance-checking tasks with 60 participants to investigate effects of varying terms on users’ password rule comprehension. Results show that manipulating terminology caused participants’ interpretation of the allowed character space to shrink or expand. Our quantitative and qualitative data show that participants were extremely confused by the variety of terms for “special character.” Seemingly small changes in language have large, observable impacts on users’ understanding of password rules. Language in password requirements must be carefully constructed to ensure that users fully comprehend the allowable character space. This research is an important first step to providing data-driven guidance on constructing clearer language for password rules.