M. Angela Sasse

Nissy Sombatruang, Tan Omiya, Daisuke Miyamoto et al.

A Virtual Private Network (VPN) helps to mitigate security and privacy risks of data transmitting on unsecured network such as public Wi-Fi. However, despite awareness of public Wi-Fi risks becoming increasingly common, the use of VPN when using public Wi-Fi is low. To increase adoption, understanding factors driving user decision to adopt a VPN app is an important first step. This study is the first to achieve this objective using discrete choice experiments (DCEs) to elicit individual preferences of specific attributes of a VPN app. The experiments were run in the United Kingdom (UK) and Japan (JP). We first interviewed participants (15 UK, 17 JP) to identify common attributes of a VPN app which they considered important. The results were used to design and run a DCE in each country. Participants (149 UK, 94 JP) were shown a series of two hypothetical VPN apps, varying in features, and were asked to choose one which they preferred. Customer review rating, followed by price of a VPN app, significantly affected the decision to choose which VPN app to download and install. A change from a rating of 3 to 4-5 stars increased the probability of choosing an app by 33% in the UK and 14% in Japan. Unsurprisingly, price was a deterrent. Recommendations by friends, source of product reviews, and the presence of in-app ads also played a role but to a lesser extent. To actually use a VPN app, participants considered Internet speed, connection stability, battery level on mobile devices, and the presence of in-app ads as key drivers. Participants in the UK and in Japan prioritized these attributes differently, suggesting possible influences from cultural differences.

Brain Glass, Graeme Jenkinson, Yuqi Liu et al.

Over the past 15 years, researchers have identified an increasing number of security mechanisms that are so unusable that the intended users either circumvent them or give up on a service rather than suffer the security. With hindsight, the reasons can be identified easily enough: either the security task itself is too cumbersome and/or time-consuming, or it creates high friction with the users` primary task. The aim of the research presented here is to equip designers who select and implement security mechanisms with a method for identifying the ``best fit`` security mechanism at the design stage. Since many usability problems have been identified with authentication, we focus on ``best fit`` authentication, and present a framework that allows security designers not only to model the workload associated with a particular authentication method, but more importantly to model it in the context of the user`s primary task. We draw on results from cognitive psychology to create a method that allows a designer to understand the impact of a particular authentication method on user productivity and satisfaction. In a validation study using a physical mockup of an airline check-in kiosk, we demonstrate that the model can predict user performance and satisfaction. Furthermore, design experts suggested personalized order recommendations which were similar to our model`s predictions. Our model is the first that supports identification of a holistic fit between the task of user authentication and the context in which it is performed. When applied to new systems, we believe it will help designers understand the usability impact of their security choices and thus develop solutions that maximize both.

Jeunese Payne, Graeme Jenkinson, Frank Stajano et al.

Security and usability issues with passwords suggest a need for a new authentication scheme. Several alternatives involve a physical device or token. We investigate one such alternative, Pico: an authentication scheme that utilizes multiple wearable devices. We present the grounded theory results of a series of semi-structured interviews for exploring perceptions of this scheme. We found that the idea of carrying physical devices increases perceived personal responsibility for secure authentication, making the risks and inconvenience associated with loss and theft salient for participants. Although our work is focused on Pico, the results of the study contribute to a broader understanding of user perception and concerns of responsibility for any token-based authentication schemes.

Kat Krol, Eleni Philippou, Emiliano De Cristofaro et al.

To prevent password breaches and guessing attacks, banks increasingly turn to two-factor authentication (2FA), requiring users to present at least one more factor, such as a one-time password generated by a hardware token or received via SMS, besides a password. We can expect some solutions -- especially those adding a token -- to create extra work for users, but little research has investigated usability, user acceptance, and perceived security of deployed 2FA. This paper presents an in-depth study of 2FA usability with 21 UK online banking customers, 16 of whom had accounts with more than one bank. We collected a rich set of qualitative and quantitative data through two rounds of semi-structured interviews, and an authentication diary over an average of 11 days. Our participants reported a wide range of usability issues, especially with the use of hardware tokens, showing that the mental and physical workload involved shapes how they use online banking. Key targets for improvements are (i) the reduction in the number of authentication steps, and (ii) removing features that do not add any security but negatively affect the user experience.