A Personalization Method based on Human Factors for Improving Usability of User Authentication Tasks

Marios Belk, Panagiotis Germanakos, Christos Fidas, George Samaras

Department of Computer Science, University of Cyprus
SAP AG, Walldorf, Germany
Electrical and Computer Engineering Department, University of Patras, Greece

The 22nd Conference on User Modeling, Adaptation and Personalization
July 10, 2014


Outline

Introduction
Related Work
Personalisation Approach
User Study
Conclusions


INTRODUCTION


Security in Interactive Systems

• Security issues of today’s interactive systems are considered of paramount importance
• The consequences of a security breach can
  • harm the credibility and legal liability of an organization
  • decrease users' trust and acceptance
  • exponentially increase maintenance and support costs

One of the most important and challenging issues is to support users engaged in security-related tasks through usable human-computer interface designs


Important Security- and Privacy-related Tasks

• User Authentication
• CAPTCHA Challenges
• Configuration of privacy settings
• Monetary Transactions


The User Authentication Problem

Current computing systems are more capable of guessing passwords through dictionary attacks

Password policies decrease memorability of P@5Sw0rDs (require users to remember minimum 8+ characters, upper and lower case letters, special characters)

Even more difficult to be memorized by humans


System vs. User


RELATED WORK


User Authentication Types

What the user knows, what the user has and what the user is

1. Knowledge-based authentication, e.g., passwords
2. Token-based authentication, e.g., credit card
3. Biometric-based authentication, e.g., fingerprint


Password-based Authentication

Passwords are the most popular type of authentication

80% of US and UK companies apply text-based password authentication (Zhang et al., 2009)


Necessity for Increasing Usability of Passwords

Studies revealed major usability issues of current password mechanisms (Komanduri et al., 2011; Bonneau et al., 2012)
• Policies make passwords hard to remember
• Multiple passwords across multiple accounts (less usable)
• Users don’t understand threats and risks, e.g., one password is used across multiple accounts (less secure)


Password-based Authentication

Easy and fast to implement (vs. fingerprint and biometric-based)
Cheap to implement (vs. credit cards and token-based)
Popular among most users
Do not have the privacy issues of fingerprint identifiers


Graphical authentication

Graphical authentication mechanisms are highly researched alternatives

Require users to remember images or draw patterns on a grid as their authentication key

More memorable. Pictures are better recalled and recognized than text (Paivio, 2006; 1971)


Recognition-based: Passfaces

Remember faces as the authentication key

Very memorable
Memorability decreases when you have multiple Passfaces keys (Everitt et al., 2009)


Recognition-based: Single Object Images

Remember single-object images
More memorable than faces or abstract images (Mihajlov and Jerman-Blazic, 2011)

Images may be easily labeled, e.g., football, teddy bear, etc.


User Authentication Tasks

Textual Authentication

Graphical Authentication

?

Focus of analysis remains mainly on the technology layer and fails to analyze and understand the users


APPROACH


One-size-Fits-All

Ineffective practice of usability in security; does not naturally embed the users’ characteristics in the design process
Ignores the fact that different users
• have different characteristics
• develop different structural and functional mental models
• need individual scaffolding

It is necessary to understand in depth the interdependencies among the user characteristics and the security tasks, taking place during the interactions with hypermedia environments


Personalization Approach

Apply a personalization approach and partially move our focus away from the technical issues of security towards understanding the users and developing new approaches for offering personalized solutions based on individual differences

Hypermedia personalization based on individual differences has shown significant improvement in usability of tasks and user experience

Personalize security task based on individual differences
• Personalize based on what user characteristics?
• Investigate whether there is an effect of user characteristics on security interactions


The Users and The Security Tasks

User Authentication

Embraces recall and/or recognition of textual or graphical information

Human-computer interactions with regard to security mechanisms are in principle cognitive tasks that require users to recall and/or recognize, process and store information


Individual Differences

Studies the ways in which individuals differ in their behavior

Broad term which includes emotions, cognitive factors, personality

• Cognitive Styles
• Speed of Processing
• Controlled Attention
• Working Memory Capacity


Cognitive Styles: Verbal/Imager

Describes individuals' mode of information representation and processing

Verbals
• Represent information using verbal associations
• Prefer and perform better when hypermedia content is presented in the form of text
• Have great reading accuracy and are better at recalling textual information

Imagers
• Represent information in mental pictures
• Prefer and perform better when the hypermedia content is provided in the form of graphical representation
• Do not perform efficiently when an exclusively verbal representation is provided


Individual Differences in Cognitive Processing

Explain the functioning of the human mind in terms of more basic processes

Speed of Processing: the maximum speed at which a given mental act may be efficiently executed

Controlled Attention: cognitive processes that can identify and concentrate on goal-relevant information and inhibit attention to irrelevant stimuli

Working Memory Capacity: the maximum amount of information that the mind can efficiently activate during information processing


Two-level Personalization Approach

1. Cognitive Styles -> Change the User Authentication Type

Verbals Imagers

2. Cognitive Processing Factors -> Change the Authentication Policy Strength

Low: Standard security policy
High: Enhanced security policy


USER STUDY


Main Research Question

Does matching the user authentication type (textual or graphical) and policy (standard or enhanced) to users’ cognitive styles and cognitive processing abilities improve task efficiency and effectiveness?


Sample

Participants: 137 undergraduate students
Gender: 54 males, 83 females
Age: 17-22
When: September-December 2013


Method of Study

A Web-based system was applied within the frame of university courses. Used to download course material, view grades, etc. throughout the semester

1. User enrolment process
   Basic Profile: Username, email, age, gender, etc.
   Cognitive-based Profile: Online psychometric tests for eliciting their cognitive styles and cognitive processing abilities

2. Authentication key recommendation
   Text-based password or graphical authentication
   Standard (8) or enhanced (10) authentication policy


Cognitive Style Elicitation

An individual’s cognitive style is obtained by presenting a series of 48 questions about conceptual category and appearance, each to be answered true or false

24 statements compare two objects conceptually (e.g., “Are ski and cricket the same type?”)
24 statements compare the colour of two objects (e.g., “Are cream and paper the same colour?”)

The test primarily considers response time and accuracy of each given answer to the questions and applies a specific algorithm to determine the cognitive style of the user


Speed of Processing Elicitation

Read a number of words designating a color written in the same or different ink color
Eighteen words were shown to the participants, each being the word “red”, “green” or “blue” written in red, green or blue ink color
The reaction times between eighteen stimuli and responses were recorded and their mean and median were automatically calculated

Example stimulus: Blue


Controlled Attention Elicitation

Instead of denoting the word itself, participants were required to recognize the ink color of words denoting a color different than the ink
Eighteen words were shown to the participants, each being the word “red”, “green” or “blue” written in red, green or blue ink color, and the participants had to respond as quickly as possible using the keyboard
The reaction times between eighteen stimuli and responses were recorded and their mean and median were automatically calculated

Example stimulus: Blue


Working Memory Capacity Elicitation

Assess working memory capacity with a Web-based psychometric instrument that measures the amount of information a person can efficiently activate simultaneously


User Profiles

Factor                          Cluster               Mean (SD)      N
Cognitive Styles                Cluster 1 (Verbals)   0.84 (0.13)    77
Cognitive Styles                Cluster 2 (Imagers)   1.25 (0.09)    60
Cognitive Processing Abilities  Cluster 1 (Enhanced)  -0.93 (0.56)   89
Cognitive Processing Abilities  Cluster 1 (Limited)   1.04 (0.49)    48

Two independent‐samples t‐tests were conducted to determine mean differences on the cognitive factors scores between the generated cluster groups

Results indicated that there were significant differences between the cluster groups (cognitive styles: t(128.892)=-20.694, p<0.001; cognitive processing abilities: t(135)=-20.193, p<0.001)
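
An added example (not code from the presentation or the study) of how the two-level approach could turn clustered profile scores like those above into an authentication recommendation. The 2-means clustering, the score inputs and the reading of 8 and 10 as key lengths are assumptions; cluster labels follow the User Profiles figures (lower style centroid = Verbals, lower processing centroid = Enhanced).

```python
from dataclasses import dataclass

# Constructed scores for illustration only, not data from the study.
STYLE_SCORES = [0.70, 0.82, 0.88, 0.95, 1.18, 1.22, 1.30, 1.33]
PROCESSING_SCORES = [-1.4, -1.0, -0.8, -0.5, 0.6, 0.9, 1.1, 1.5]


def two_means_1d(values, iterations=50):
    """Split 1-D scores into two clusters; return (low_centroid, high_centroid).

    Assumption: the slides say clusters were generated but do not name the
    method, so plain 2-means is used here.
    """
    lo, hi = min(values), max(values)
    for _ in range(iterations):
        low = [v for v in values if abs(v - lo) <= abs(v - hi)]
        high = [v for v in values if abs(v - lo) > abs(v - hi)]
        if not high:  # all scores identical, nothing to split
            break
        new_lo, new_hi = sum(low) / len(low), sum(high) / len(high)
        if (new_lo, new_hi) == (lo, hi):
            break
        lo, hi = new_lo, new_hi
    return lo, hi


def nearest(score, centroids):
    """Return 'low' or 'high' for the centroid closest to score."""
    lo, hi = centroids
    return "low" if abs(score - lo) <= abs(score - hi) else "high"


@dataclass(frozen=True)
class Recommendation:
    auth_type: str   # level 1: "textual" or "graphical"
    policy: str      # level 2: "standard" or "enhanced"
    key_length: int  # 8 or 10 (units assumed; the slides give only the numbers)


def recommend(style_score, processing_score, style_centroids, processing_centroids):
    # Level 1: low style cluster = Verbals -> text, high = Imagers -> graphical.
    verbal = nearest(style_score, style_centroids) == "low"
    auth_type = "textual" if verbal else "graphical"
    # Level 2: low processing cluster = Enhanced abilities -> enhanced policy.
    # Limited abilities still get the standard policy, never anything weaker.
    if nearest(processing_score, processing_centroids) == "low":
        return Recommendation(auth_type, "enhanced", 10)
    return Recommendation(auth_type, "standard", 8)


STYLE_CENTROIDS = two_means_1d(STYLE_SCORES)
PROCESSING_CENTROIDS = two_means_1d(PROCESSING_SCORES)

if __name__ == "__main__":
    for style, proc in [(0.80, -1.1), (1.28, 0.9), (0.90, 0.7)]:
        print(style, proc, recommend(style, proc, STYLE_CENTROIDS, PROCESSING_CENTROIDS))
```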


Data Collection

Efficiency: total time (seconds) required for successful authentication. Recording started as soon as users entered their username and continued until they successfully completed the authentication process
Effectiveness: total number of tries made for successful authentication


Task Efficiency

An independent‐samples t‐test was used to determine mean differences on the time needed to solve the personalized and non‐personalized user authentication mechanism. These results were statistically significant (t(2028.138)=‐29.996, p=0.03) 

[Figure: Time to Login (seconds) by Condition (Personalised, Non-personalised)]


Task Effectiveness

Effectiveness was measured by the total number of attempts made for successfully authenticating in each condition.
A Mann-Whitney U test was run to determine if there were differences in total attempts between the personalized and the non-personalized condition.
Personalized attempts mean rank = 1031.92
Non-personalized attempts mean rank = 1452.27
These results were statistically significantly different (U=517699, z=-14.898, p=0.01)
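
An added example (not code from the presentation or the study) that derives the two measures defined under Data Collection from an authentication event log and computes the Mann-Whitney U statistic and mean ranks for the attempts. The log format, event names and sample sessions are constructed for illustration; no p-value is computed.

```python
from collections import defaultdict

# Constructed log (epoch seconds, session, condition, event); not study data.
LOG = """\
100.0 s1 personalised username_entered
108.5 s1 personalised attempt_ok
200.0 s2 personalised username_entered
207.0 s2 personalised attempt_failed
215.0 s2 personalised attempt_ok
300.0 s3 personalised username_entered
309.0 s3 personalised attempt_ok
400.0 s4 non-personalised username_entered
406.0 s4 non-personalised attempt_failed
413.0 s4 non-personalised attempt_failed
421.5 s4 non-personalised attempt_ok
500.0 s5 non-personalised username_entered
508.0 s5 non-personalised attempt_failed
516.0 s5 non-personalised attempt_ok
600.0 s6 non-personalised username_entered
607.0 s6 non-personalised attempt_failed
614.0 s6 non-personalised attempt_failed
621.0 s6 non-personalised attempt_ok
700.0 s7 non-personalised username_entered
705.0 s7 non-personalised attempt_failed
"""

def session_metrics(log):
    """Return {session: (condition, seconds, attempts)} for successful logins only."""
    start, tries, done = {}, defaultdict(int), {}
    for line in log.strip().splitlines():
        ts, sid, cond, event = line.split()
        if sid in done:
            continue  # ignore events after the first success
        if event == "username_entered":
            start.setdefault(sid, float(ts))  # efficiency clock starts here
        elif sid in start:
            tries[sid] += 1  # effectiveness: every try counts
            if event == "attempt_ok":
                done[sid] = (cond, float(ts) - start[sid], tries[sid])
    return done  # sessions that never succeed (s7) are left out

def attempts_by_condition(metrics):
    groups = defaultdict(list)
    for cond, _seconds, attempts in metrics.values():
        groups[cond].append(attempts)
    return groups

def average_ranks(values):
    """1-based ranks; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks

def mann_whitney(a, b):
    """Return (U, mean rank of a, mean rank of b); U is min(U_a, U_b)."""
    ranks = average_ranks(list(a) + list(b))
    rank_sum_a = sum(ranks[:len(a)])
    u_a = rank_sum_a - len(a) * (len(a) + 1) / 2
    u = min(u_a, len(a) * len(b) - u_a)
    return u, rank_sum_a / len(a), sum(ranks[len(a):]) / len(b)
```

Calling `mann_whitney` on the two lists from `attempts_by_condition(session_metrics(LOG))` gives U = 0.5 with mean ranks of about 2.17 (personalised) and 4.83 (non-personalised) for the constructed log.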


Validity of the Study

Internal validity: We recruited a sample of participants already familiarized with user authentication prior to the study

The participants involved were experienced and average rather than novice users with respect to user authentication; therefore, the research design was set up in order to avoid inference errors

Ecological validity: The authentication tasks were integrated in a real Web-based system and the participants took part in their own physical environments without the intervention of any experimental equipment or person

Participants were required to authenticate in the system throughout the semester during real-life tasks (i.e., access their university course’s material)


Limitations of the Study

Participants were undergraduate students aged between 17 and 22 years
Carrying out a single assessment of users’ cognitive styles might not fully justify the users’ classification into specific user groups
Further tests need to be conducted in order to reach more concrete conclusions


Conclusions

An authentication mechanism, alternative to the current state of the art, that aims to personalize user authentication tasks based on individual differences in cognitive processing

User authentication tasks are performed by millions of users daily

The usability of user authentication tasks is considered to be of paramount importance, since more usable security interactions result in less misuse and lower support costs and contribute to more positive user acceptance for almost all citizens


THANK YOU FOR YOUR ATTENTION

Marios Belk
belk@cs.ucy.ac.cy
Ph.D. Student
Department of Computer Science, University of Cyprus

