Usable Security
Hyoungshick Kim
Department of Software
College of Software
Sungkyunkwan University
Sungkyunkwan University
http://seclab.skku.edu/
Assistant Professor in Department of Software,
Sungkyunkwan University
• Education
✓ Ph.D. in Computer Science, University of Cambridge
• Experiences
✓ Professor, Sungkyunkwan University, Korea (2013 – present)
✓ Postdoctoral Fellow, University of British Columbia, Canada
(2012-2013)
✓ Senior Engineer, Samsung Electronics (2004-2008)
• Research interests:
✓ Security engineering
✓ Usable security
✓ Software security
• Homepage: http://seclab.skku.edu/
Hyoungshick Kim (김형식)
• Lab members:
• Academic staff: 2
• PhD students: 4
• MS students: 14
Why should we make secure systems more usable?
[“I Feel Like I’m Taking Selfies All Day!
Towards Understanding Biometric
Authentication on Smartphones”, CHI 2015]
Why did I study usable security?
Joseph Bonneau(http://jbonneau.com/ )
He is particularly interested in secure communication
tools, cryptocurrencies, password and web
authentication, and HTTPS and PKI on the web.
Usability and Security
• Usability and security are often seen as competing design goals
• However, security mechanisms have to be usable to be effective
– Otherwise, mechanisms that are not employed in practice or that are used incorrectly, provide little or no protection
– For example, many people don’t use AV solutions because they believe security solutions will degrade the performance of their systems
Our system should include …
App App
OS
Hardware
You
Without understanding human behavior correctly, we cannot build a secure system!
Users are the weakest link?
But are we asking too much?
Help me!
Our brain is not a storage device
≠Pattern recognition Large memory
A simple experiment
abcd1234 u$4Kv9:jabcd1234 u4$Kv9:j
Which one is easier to remember?
So we chose ‘password’, ‘123456’ …
Top 10 worst passwords (2014) compiled from
millions of stolen passwords by hackers.
Is password policy a good solution?
Security nerds’ imagination
123456$
Real-world password
u4$Kv9:j
Top 10 symbols used
“Surpass: System-initiated User-replaceable passwords”, CCS 2015
Sungkyunkwan University (SKKU) Security Lab.
Most popularly used pattern locks
Security experts always recommend
• Pick a hard to guess password
• Don’t use it anywhere else
• Change it often
• Don’t write it down
How?
Security for Security
Most people don’t like security?
So, security is often ignored
Why? Security is too challenging
• Security is the secondary task
– Security should be designed to fit into primary task
– Primary task should set performance requirements
– Users want to minimize their workload and complexity
Blame and train
• Users are wrong! Why?– To make excuse for security engineers!
• Do users have to be security experts to use systems securely?
• In general “blame and train” is not a good way to fix usability problems
How can we solve these problems?
Design usable security solutions
It is a lot easier to change the system than to
change people.
WHAT’S USABLE SECURITY?
Usable security
HCI(Human
Computer
Interaction)
Security
Usable security is about making
systems secure and usable
Key findings about Passfaces
• Very memorable
– until you have more
than one Passfaces
password (Everitt et al.,
CHI 2009)
• Selection biases result in
low guessing difficulty (“Security and Usability: Designing
Secure Systems that People Can
Use”, 2005)
How about picture gesture?
A built-in feature in “Microsoft Windows 8”
“On the Security of Picture Gesture Authentication”,
Usenix Security 2013
Main topics
• Authentication
• Authorization
• Privacy
• Usability of security mechanisms
• Security of human tasks
• User behaviors
• Warnings and Decisions
• Education
Main venues
• General: IEEE S&P (Oakland), USENIX Security, ACM CCS, NDSS
• Usable Security: CHI, SOUPS, USEC
• General: IEEE S&P (Oakland), USENIX Security, ACM CCS, NDSS
• Usable Security: CHI, SOUPS, USEC
MAKING SECURITY SYSTEMS MORE USABLE
How can we make secure systems more usable?
1. Make it “just work”
– Invisible security
– Don’t give users too many choices
2. Make security/privacy understandable
– Make it visible
– Make it intuitive
– Use metaphors that users can relate to
1. Make it “just work”
(but it’s not that easy)
This makes users very happy !
Minimize user decision
Reduce the mental workload to make a
security decision
Use automated analysis
to determine probability
of danger
No CAPTCHA
This is not CAPTCHA, but FDS
to track suspicious users.
Using a natural intuitive flow
• Focus on the user’s primary task
– Remember that security is the second task
– Security is naturally incorporated into the system as an invisible component for the user’s task
– All parts of the system work in the same way
• Interfaces should be designed to minimize the effort needed to accomplish security tasks
Apple’s Touch ID
Bad question
Your web browser thinks this is a phishing web site. Do you want to go there anyway?
Go there anywayDon’t go there
I don’t know what a phishing site is.
I really want to go to this site.
Of course I will go there anyway!
You are trying to go to evilsite.com. Do you really want to go there or would you rather go to yourbank.com?
Go to evilsite.com
Go to yourbank.com
Better question
Of course I want to go to yourbank.com!
2. Make security understandable
Use understandable words
A poor warning example
앱이 미래의 기기에서 사용할 수 있는USB 저장소의 권한을 테스트하도록허용합니다.
In practice …
Only a very small number of users can
understand the risk of their security
behavior.
(e.g., about 3% of users understood
the meaning of Android permissions.)
Use of privacy facts
“Privacy as Part of the App Decision-Making Process”, CHI 2013
However, this is also not easy
All failed …
How about new designs?
“Do Security Toolbars Actually Prevent
Phishing Attacks”, CHI 2006
Making it hard to do the wrong thing
• We need to make it easier for the user to do the right thing, hard to do the wrong thing, and easy to recover when the wrong thing happens anyway
• It is also very important to think what the default setting values should be
SSL warning in Chrome
Chrome 36
(30.9%)
Chrome 37
(58.3%)
“Improving SSL Warnings: Comprehension and Adherence”, CHI 2015
Use of password strength meters
• Password strength meters help the user to strengthen her
password by giving visual indication of the strength of the
chosen password
• Meters lead to longer or stronger passwords
• Meters don’t affect memorability
• “How Does Your Password Measure Up? The Effect of Strength
Meters on Password Creation”, USENIX Security 2012
• “Does My Password Go up to Eleven? The Impact of Password Meters
on Password Selection”, CHI 2013
Conclusion: develop iPhone-like security solutions!
Questions?