Session: "Privacy, Passwords and Authentication"

Influences of Human Cognition and Visual Behavior on Password Strength during Picture Password Composition

Paper URL: http://dl.acm.org/citation.cfm?doid=3173574.3173661

Paper abstract: Visual attention, search, processing and comprehension are important cognitive tasks during a graphical password composition activity. Aiming to shed light on whether individual differences on visual behavior affect the strength of the created passwords, we conducted an eye-tracking study (N=36), and adopted an accredited cognitive style theory to interpret the results. The analysis revealed that users with different cognitive styles followed different patterns of visual behavior which affected the strength of the created passwords. Motivated by the results of the first study, we introduced adaptive characteristics to the user authentication mechanism, aiming to assist specific cognitive style user groups to create more secure passwords, and conducted a second study with a new sample (N=40) to test the adaptive characteristics. Results strengthen our assumptions that adaptive mechanisms based on users' differences in cognitive and visual behavior uncover a new perspective for improving the password's strength within graphical user authentication realms.

Summary (translated from Japanese):

The study examined how the difference between field-dependent and field-independent cognitive styles affects the strength of graphical passwords. For field-dependent users, password strength does not change with image complexity, whereas for field-independent users, strength improves as the image becomes more complex. Changing how images were presented based on these results improved password strength.

Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing

Paper URL: http://dl.acm.org/citation.cfm?doid=3173574.3173738

Paper abstract: We evaluate the efficacy of shoulder surfing defenses for PIN-based authentication systems. We find tilting the device away from the observer, a widely adopted defense strategy, provides limited protection. We also evaluate a recently proposed defense incorporating an "invisible pressure component" into PIN entry. Contrary to earlier claims, our results show this provides little defense against malicious insider attacks. Observations during the study uncover successful attacker strategies for reconstructing a victim's PIN when faced with a tilt defense. Our evaluations identify common misconceptions regarding shoulder surfing defenses, and highlight the need to educate users on how to safeguard their credentials from these attacks.

Summary (translated from Japanese):

The study examined defenses against shoulder surfing of PIN codes and how effective they are. With the defense of tilting the device to make the screen harder to see, the PIN is still learned 45% of the time after three observations. The pressure-based ForcePIN scheme is ineffective, because the PIN is easy to guess by watching how long each tap lasts.

“It's not actually that horrible”: Exploring Adoption of Two-Factor Authentication at a University

Paper URL: http://dl.acm.org/citation.cfm?doid=3173574.3174030

Paper abstract: Despite the additional protection it affords, two-factor authentication (2FA) adoption reportedly remains low. To better understand 2FA adoption and its barriers, we observed the deployment of a 2FA system at Carnegie Mellon University (CMU). We explore user behaviors and opinions around adoption, surrounding a mandatory adoption deadline. Our results show that (a) 2FA adopters found it annoying, but fairly easy to use, and believed it made their accounts more secure; (b) experience with CMU Duo often led to positive perceptions, sometimes translating into 2FA adoption for other accounts; and, (c) the differences between users required to adopt 2FA and those who adopted voluntarily are smaller than expected. We also explore the relationship between different usage patterns and perceived usability, and identify user misconceptions, insecure practices, and design issues. We conclude with recommendations for large-scale 2FA deployments to maximize adoption, focusing on implementation design, use of adoption mandates, and strategic messaging.

Summary (translated from Japanese):

The study looked for barriers to adopting two-factor authentication (2FA) through user interviews. After experiencing 2FA, users' impressions of it became positive, and some began using 2FA for other logins as well. Between mandatory and voluntary adoption, there is no difference in users' impressions of 2FA.

Leveraging Semantic Transformation to Investigate Password Habits and Their Causes

Paper URL: http://dl.acm.org/citation.cfm?doid=3173574.3174144

Paper abstract: It is no secret that users have difficulty choosing and remembering strong passwords, especially when asked to choose different passwords across different accounts. While research has shed light on password weaknesses and reuse, less is known about user motivations for following bad password practices. Understanding these motivations can help us design better interventions that work with the habits of users and not against them. We present a comprehensive user study in which we both collect and analyze users' real passwords and the reasoning behind their password habits. This enables us to contrast the users' actual behaviors with their intentions. We find that user intent often mismatches practice, and that this, coupled with some misconceptions and convenience, fosters bad password habits. Our work is the first to show the discrepancy between user intent and practice when creating passwords, and to investigate how users trade off security for memorability.

Summary (translated from Japanese):

The study investigated why users chose the passwords they did. Unlike other studies, accounts that participants had forgotten about were also extracted from Gmail. All participants reused passwords, and the reason was almost always "because it is easy to remember." Passwords are reused regardless of their strength.