TY - JOUR
T1 - Deploying authentication in the wild
T2 - Towards greater ecological validity in security usability studies
AU - Aebischer, Seb
AU - Dettoni, Claudio
AU - Jenkinson, Graeme
AU - Krol, Kat
AU - Llewellyn-Jones, David
AU - Masui, Toshiyuki
AU - Stajano, Frank
N1 - Funding Information:
This work was supported by the European Research Council (ERC) [StG 307224, Pico, to F.S.] and the extended visits of Gyazo inventor and CTO T.M. to Cambridge were supported by the Engineering and Physical Sciences Research Council (EPSRC) [EP/M019055/1, Future authentication systems, to F.S.].
Funding Information:
We are grateful to our colleagues David Harrison, Robert Irvine, Jeunese Payne, Max Spencer, Quentin Stafford-Fraser, Matthew Wahab and Chris Warrington for their contributions to the Pico project as well as to our external collaborator Jiny Bradshaw whose Bluetooth know-how was invaluable. We are particularly grateful to Nota Inc., the parent company of Gyazo, for allowing us to integrate Pico into their site and recruit their users into our study, and to Innovate UK for patiently trialling many versions of Pico over several months in the shared hope that we would at some point nail down those reliability issues. The Gyazo pilot study was originally written up as a workshop paper by the same authors [9] and praised by the referees for its emphasis on ecological validity. We were subsequently invited by the guest editors to extend that work and resubmit it to this journal. The Innovate UK pilot study was not previously written up anywhere else. Thanks to Paul van Oorschot for insightful comments on a draft of this article. This work was supported by the European Research Council (ERC) [StG 307224, Pico, to F.S.] and the extended visits of Gyazo inventor and CTO T.M. to Cambridge were supported by the Engineering and Physical Sciences Research Council (EPSRC) [EP/M019055/1, Future authentication systems, to F.S.].
Publisher Copyright:
© The Author(s) 2020. Published by Oxford University Press. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.
PY - 2020
Y1 - 2020
N2 - Pico is a token-based login method that claims to be simultaneously more usable and more secure than passwords. It does not ask users to remember any secrets, nor to type one-time passwords. We evaluate Pico's claim with two deployments and user studies, one on a web-based service and another within an organization. Our main aim is to collect actionable intelligence on how to improve the usability and deployability of Pico. In our first study we team up with an established website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. From the lessons of this first study, we retarget Pico's focus from replacing web passwords to replacing desktop login passwords; and thus in our second study we engage with a government organization, Innovate UK, to offer employees the ability to lock and unlock their computer automatically based on proximity. We focus particularly on the ecological validity of the trials and we thereby gain valuable insights into the viability of Pico, not only through the actual responses from the participants but also through the many practical challenges we had to face and overcome. Reflecting on the bigger picture, from our experience we believe the security usability community would greatly benefit from pushing towards greater ecological validity in published work, despite the considerable difficulties and costs involved.
AB - Pico is a token-based login method that claims to be simultaneously more usable and more secure than passwords. It does not ask users to remember any secrets, nor to type one-time passwords. We evaluate Pico's claim with two deployments and user studies, one on a web-based service and another within an organization. Our main aim is to collect actionable intelligence on how to improve the usability and deployability of Pico. In our first study we team up with an established website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. From the lessons of this first study, we retarget Pico's focus from replacing web passwords to replacing desktop login passwords; and thus in our second study we engage with a government organization, Innovate UK, to offer employees the ability to lock and unlock their computer automatically based on proximity. We focus particularly on the ecological validity of the trials and we thereby gain valuable insights into the viability of Pico, not only through the actual responses from the participants but also through the many practical challenges we had to face and overcome. Reflecting on the bigger picture, from our experience we believe the security usability community would greatly benefit from pushing towards greater ecological validity in published work, despite the considerable difficulties and costs involved.
KW - Authentication
KW - Ecological validity
KW - Passwords
UR - http://www.scopus.com/inward/record.url?scp=85101173819&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85101173819&partnerID=8YFLogxK
U2 - 10.1093/CYBSEC/TYAA010
DO - 10.1093/CYBSEC/TYAA010
M3 - Article
AN - SCOPUS:85101173819
SN - 2057-2093
VL - 6
JO - Journal of Cybersecurity
JF - Journal of Cybersecurity
IS - 1
ER -