Influence of user perception, security needs, and social factors on device pairing method choices

Recent years have seen a proliferation of secure device pairing methods that try to improve both the usability and security of today's de-facto standard -- PIN-based authentication. Evaluating such improvements is difficult. Most comparative laboratory studies have so far mainly focused on completeness, trying to find the single best method among the dozens of proposed approaches -- one that is both rated the most usable by test subjects, and which provides the most robust security guarantees. This search for the "best" pairing method, however, fails to take into account the variety of situations in which such pairing protocols may be used in real life. The comparative study reported here, therefore, explicitly situates pairing tasks in a number of more realistic situations. Our results indicate that people do not always use the easiest or most popular method -- they instead prefer different methods in different situations, based on the sensitivity of data involved, their time constraints, and the social conventions appropriate for a particular place and setting. Our study also provides qualitative data on factors influencing the perceived security of a particular method, the users' mental models surrounding security of a method, and their security needs.
