Exploring User-Centered Security Design for Usable Authentication Ceremonies

Security technology often follows a systems design approach that focuses on components instead of users. As a result, the users’ needs and values are not sufficiently addressed, which has implications for security usability. In this paper, we report our lessons learned from applying a user-centered security design process to a well-understood security usability challenge, namely key authentication in secure instant messaging. Users rarely perform these key authentication ceremonies, which makes their end-to-end encrypted communication vulnerable. Our approach includes collaborative design workshops, an expert evaluation, iterative storyboard prototyping, and an online evaluation. While we could not demonstrate that our design approach resulted in improved usability or user experience, we found that user-centered prototypes can increase the users’ comprehension of security implications. Hence, prototypes based on users’ intuitions, needs, and values are useful starting points for approaching long-standing security challenges. Applying complementary design approaches may improve usability and user experience further.
