
5.5 Lessons Learned

5.3.5 Authentication in Highly Distractive Environments

The observations showed that distractions can appear in manifold ways, in particular in the form of ongoing social interactions like chatting. Authentication mechanisms for public spaces should therefore have a simple design and work even without the user's full attention. For instance, a fictitious authentication mechanism that requires the user to follow a sequence of events to get the authentication right can easily fail if a distraction occurs during one of the steps.

Therefore, it has to be possible for a user to recover from a distraction without having to start the authentication process over again.

people apply efficient security measures when interacting with an ATM. “Security should not require an active user” can therefore be considered an important behavioral criterion when designing authentication mechanisms for public spaces. At the same time, applying this criterion renders learning and teaching approaches unnecessary.

The second criterion that finds strong support in the findings of the field study is about the importance of detailed and precise time measurement as presented in chapter 4. The private nature of the field study did not allow for detailed time measurement of PIN-entry. Still, it showed that there are additional tasks that come with authentication that have to be carefully measured and have to be considered part of it. The need for adequate measurement is further amplified by the fact that authentication is only a minor part of the interaction with the public terminal and thus every measured second counts.

Consistency, as discussed in chapter 4, is an important factor that influences performance and can also influence memorability. In the light of the field study findings, security has to be considered the third important factor connected to and indirectly affected by consistency. Because memorability issues, even though they occurred seldom, mostly led to security problems within the observations, these findings strongly support the benefits of inner and outer consistency.

The attributes just discussed gave insights into several criteria from a behavioral point of view. In addition, two completely new criteria were identified: social compatibility and compatibility with distractions. Both of them are based on behavioral factors that mainly (or solely) occur in public or semi-public settings and are only important due to the presence of other people. Social compatibility takes into consideration that, in the presence of trusted persons, a user might not be willing to implicitly show mistrust of them by applying security measures. The observations and interviews showed that this factor is often responsible for insecure behavior. Designing authentication mechanisms with regard to this criterion can therefore avoid insecure behavior.

This criterion and built-in security as proposed by “security should not require an active user” are closely related and solving one can solve both but does not necessarily have to.

Compatibility with distractions refers to findings that diverse distractions, mainly caused by the presence of friends and the like, can negatively influence security as well as performance. Therefore, an important factor of an authentication mechanism is that it has to be easy for a user to recover from errors. At the same time, correct authentication cannot require the user to concentrate constantly on the authentication process. A countdown-based approach, for instance, can therefore be rejected already in the design stage.

Finally, field studies are difficult to perform and it is hard to derive results from them. During the work performed for these field studies and interviews, we could derive several rules that helped us to improve the study design. For instance, the pre-studies that we performed significantly helped to come up with a study design that allowed for optimized observations. Without such diligent preparatory work, many important results might have been missing. Another lesson learned was that abiding by strict rules was necessary and helpful. In particular, dealing with a privacy-sensitive context without violating the privacy of the observed users is only possible with a predefined set of strict rules. Further and more detailed descriptions of the lessons learned can be found in [33].

Chapter 6

Criteria and Case Studies

Es ist nicht genug zu wissen - man muss auch anwenden. Es ist nicht genug zu wollen - man muss auch tun. (Knowing is not enough; we must apply. Willing is not enough; we must do.)

– Johann Wolfgang von Goethe –

Within this thesis, the problem of securing authentication has been approached from diverse angles to understand all factors related to it. Only in this way will we be able to get closer to a solution for this ubiquitous problem: creating a usable and secure authentication mechanism for public spaces with the potential to replace standard authentication.

Within this process, several criteria were identified. Till now, they were only loosely defined and their application was only vaguely hinted. What are the criteria worth if we know them but we do not apply them? As mentioned earlier, the criteria can help to integrate behavioral and technical factors of usable privacy and security into the development process of authentication mechanisms. They can be applied to different phases of the development process, in the design as well as implementation and evaluation phases.

Incorporating security decisions in the development process of IT-systems is not a new idea. However, security is usually only considered from a technical point of view like decisions on data security, encryption etc. The most famous examples for this are most probably UMLsec [62, 71] and SecureUML [85], software engineering methods that use modified versions of the Unified Modeling Language (UML) to model security in the design of a software system. For instance, a software engineer can define encrypted connections when required for the system.

First attempts that try to incorporate behavioral factors into the development process are based on involving users in the design process [1, 49, 50] or use guidelines or recommendations on how to design secure systems that cope with the needs of their users [139]. Due to their nature of being valid for all kinds of security relevant systems, all these concepts stay rather generic and do not provide concrete recommendations but rather hints.

Focusing on an application area, authentication mechanisms for public spaces, enabled us to provide concrete recommendations and criteria rather than generalized models. Therefore, this chapter contributes to this thesis in the following way:

a) It lists and summarizes the criteria, their origin and their influence on the authentication mechanism.

b) It describes how and where the criteria can be applied to the development process of an authentication mechanism.

c) A practical example of how to use the criteria based on an authentication mechanism presented in chapter 3 is outlined.

It has to be noted again that this work focuses only on criteria that affect usability, performance and security of authentication mechanisms on a usage level. There are also technical issues of security like encryption, data transmission and the like which are without a doubt very important but which are out of the scope of this work.