Abstract
Security mechanisms are of critical importance in today’s interactive systems. While the primary goal of such mechanisms is to preserve security of information and premises, researchers and practitioners have come to understand the critical importance of usable security which is an area focusing on how to design and develop security mechanisms that respect human performance and their goals within an interactive system. Motivated by recent research works that underpinned the necessity of usability in security mechanisms, in this chapter we present an alternative approach to current state-of-the-art practices with the aim to achieve a balance between usability and security of two widely deployed and critical security mechanisms. In particular, we propose a set of human-centred design guidelines for adapting and personalizing user authentication and CAPTCHA mechanisms. Our intention is to provide the most optimized condition, in terms of design type and complexity level, based on specific human cognitive factors. The reader can further realize the adaptation effects and added value of this approach through a user study that investigated user interactions on given security tasks. According to these, the personalized condition of the user security tasks significantly improved task completion performance compared to the non-personalized one. Results of a post-study qualitative survey analysis also revealed that users perceived the improved usability of the personalized condition.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Adams A, Sasse A (1999) Users are not the enemy: why users compromise security mechanisms and how to take remedial measures. Commun ACM 42(12):40–46
Albert D, Jeng B, Tseng C, Wang J (2010) A study of CAPTCHA and its application to user authentication. In: Proceedings of the international conference on computational collective intelligence (ICCCI 2010), Springer, Berlin/Heidelberg, pp 433–440
Altun A, Cakan M (2006) Undergraduate students’ academic achievement, field dependent/independent cognitive styles and attitude toward computers. Educ Technol Soc 9(1):289–297
Angeli AD, Coventry L, Johnson G, Renaud K (2005) Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems. Int J Hum Comput Stud 63(1–2):128–152
Baecher P, Buscher N, Fischlin M, Milde B (2011) Breaking reCAPTCHA: a holistic approach via shape recognition. In: Camenisch J, Fischer-Hbner S, Murayama Y, Portmann A, Rieder C (eds) Future challenges in security and privacy for academia and industry, vol 354, LNCS. Springer, Berlin/Heidelberg, pp 56–67
Belk M, Fidas C, Germanakos P, Samaras G (2012) Do cognitive styles of users affect preference and performance related to CAPTCHA challenges? In: Extended abstracts of the ACM SIGCHI conference on human factors in computing systems (CHI 2012), ACM Press, New York, pp 1487–1492
Belk M, Germanakos P, Fidas C, Samaras G (2013a) Studying the effect of human cognition on user authentication tasks. In: Proceedings of the conference on user modeling, adaptation, and personalization (UMAP 2013), Springer, Berlin/Heidelberg, pp 102–113
Belk M, Fidas C, Germanakos P, Samaras G (2013b) Security for diversity: studying the effects of verbal and imagery processes on user authentication mechanisms. In: Proceedings of the IFIP TC13 conference on human-computer interaction (INTERACT 2013), Springer-Verlag, Berlin/Heidelberg, pp 442–459
Belk M, Papatheocharous E, Germanakos P, Samaras G (2013c) Modeling users on the world wide web based on cognitive factors, navigation behaviour and clustering techniques. J Syst Softw 86(12):2995–3012
Belk M, Germanakos P, Fidas C, Holzinger A, Samaras G (2013d) Towards the personalization of CAPTCHA mechanisms based on individual differences in cognitive processing. In: Proceedings of the international conference on human factors in computing & informatics (SouthCHI 2013), Springer, Berlin/Heidelberg, pp. 409–426
Belk M, Germanakos P, Fidas C, Samaras G (2014a) A personalisation method based on human factors for improving usability of user authentication tasks. In: Proceedings of the conference on user modeling, adaptation, and personalization (UMAP 2014), Springer, Berlin/Heidelberg, pp 13–24
Belk M, Fidas C, Germanakos P, Samaras G (2014b) A personalised user authentication approach based on individual differences in information processing. Interact Comput. doi:10.1093/iwc/iwu033
Belk M, Fidas C, Germanakos P, Samaras G (2015) Do human cognitive differences in information processing affect preference and performance of CAPTCHA? Int J Hum Comput Stud 84:1–18
Biddle R, Chiasson S, van Oorschot P (2012) Graphical passwords: learning from the first twelve years. ACM Comput Surv 44(4):41
Bigham J, Cavender A (2009) Evaluating existing audio CAPTCHAs and an interface optimized for non-visual use. In: Proceedings of the ACM SIGCHI conference on human factors in computing systems (CHI 2009), ACM Press, New York, pp 1829–1838
Bonneau J, Herley C, van Oorschot P, Stajano F (2012) The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. Symposium on security and privacy, IEEE Computer Society, Washington, pp 553–567
Bulling A, Alt F, Schmidt A (2012) Increasing the security of gaze-based cued-recall graphical passwords using saliency masks. In: Proceedings of the ACM international conference on human factors in computing systems (CHI 2012), ACM Press, New York, pp 3011–3020
Bursztein E, Bethard S, Fabry C, Mitchell J, Jurafsky D (2010) How good are humans at solving CAPTCHAs? A large scale evaluation. In: Proceedings of the international symposium on security and privacy, IEEE Computer Society, Washington, pp 399–413
Bursztein E, Martin M, Mitchell J (2011) Text-based CAPTCHA strengths and weaknesses. In: Proceedings of the conference on computer and communications security (CCS 2011), ACM Press, New York, pp 125–138
Bursztein E, Moscicki A, Fabry C, Bethard S, Mitchell J, Jurafsky D (2014) Easy does it: more usable CAPTCHAs. In: Proceedings of the ACM SIGCHI conference on human factors in computing systems (CHI 2014), ACM Press, New York, pp 2637–2646
Chan T (2003) Using a text-to-speech synthesizer to generate a reverse Turing test. In: IEEE conference on tools with artificial intelligence, IEEE Computer Society, Washington, pp 226–232
Chan C, Hsieh C, Chen S (2014) Cognitive styles and the use of electronic journals in a mobile context. J Doc 70(6):997–1014
Chang T, El-Bishouty M, Graf S, Kinshuk (2013) An approach for detecting students’ working memory capacity from their behavior in learning systems. In: Proceedings of the international conference on advanced learning technologies (ICALT 2013), IEEE Computer Society, Washington, pp 82–86
Chellapilla K, Larson K, Simard P, Czerwinski M (2005) Designing human friendly human interaction proofs (HIPs). In: Proceedings of the ACM SIGCHI conference on human factors in computing systems (CHI 2005), ACM Press, New York, pp 711–720
Chen S, Liu X (2008) An integrated approach for modeling learning patterns of students in web-based instruction: a cognitive style perspective. ACM Trans Comput-Hum Interact, 15(1), Article 1, 28
Chew M, Baird H (2003) Baffletext: a human interactive proof. In: Proceedings of the international conference on document recognition and retrieval (DRR 2003), SPIE/IS&T, Bellingham, WA, pp 305–316
Chiasson S, van Oorschot P, Biddle R (2006) Usability study and critique of two password managers. In: Proceedings of the USENIX security symposium, USENIX Association, Berkeley, pp 1–16
Chiasson S, Forget A, Biddle R, van Oorschot P (2008) Influencing users towards better passwords: persuasive cued click-points. In: Proceedings of the BCS conference on people and computers, British Computer Society, Swinton, pp 121–130
Cranor L, Garfinkel S (2005) Security and usability. O’Reilly Media, Inc, Beijing/Farnham/Sebastopol
Datta R, Li J, Wang J.Z (2005) IMAGINATION: a robust image-based CAPTCHA generation system. In: ACM conference on multimedia, ACM Press, New York, pp 331–334
Davis D, Monrose F, Reiter M (2004) On user choice in graphical password schemes. In: Proceedings of the USENIX security symposium, USENIX Association, Berkeley
De Luca A, von Zezschwitz E, Pichler L, Hussmann H (2013) Using fake cursors to secure on-screen password entry. In: Proceedings of the ACM conference on human factors in computing systems (CHI 2013), ACM Press, New York, pp 2399–2402
Demetriou A, Spanoudis G, Shayer S, Mouyi A, Kazi S, Platsidou M (2013) Cycles in speed-working memory-G relations: towards a developmental-differential theory of the mind. Intelligence 41:34–50
Dhamija R, Perrig A (2000) DejaVu: a user study using images for authentication. In: Proceedings of the USENIX security symposium, USENIX Association, Berkeley
Dunphy P, Yan J (2007) Do background images improve “draw a secret” graphical passwords?. In: Proceedings of the ACM international conference on computer and communications security (CCS 2007), ACM Press, New York, pp 36–47
Elson J, Douceur J, Howell J, Saul J (2007) Asirra: a CAPTCHA that exploits interest-aligned manual image categorization. In: Proceedings of the international conference on computer and communications security (CCS 2007), ACM Press, New York, pp 366–374
Everitt K, Bragin T, Fogarty J, Kohno T (2009) A comprehensive study of frequency, interference, and training of multiple graphical passwords. In: ACM international conference on human factors in computing systems (CHI 2009), ACM Press, New York, pp 889–898
Fidas CA, Voyiatzis AG, Avouris NM (2010) When security meets usability: a user-centric approach on a crossroads priority problem. In: Proceedings of Panhellenic conference on informatics. PCI’10. IEEE Computer Society, Washington, pp 112–117
Fidas C, Voyiatzis A, Avouris N (2011) On the necessity of user-friendly CAPTCHA. In: Proceedings of the ACM SIGCHI conference on human factors in computing systems (CHI 2012), ACM Press, New York, pp 2623–2626
Fidas C, Hussmann H, Belk M, Samaras G (2015) iHIP: towards a user centric individual human interaction proof framework. In: Proceedings of the ACM conference extended abstracts on human factors in computing systems (CHI EA 2015), ACM Press,New York, pp 2235–2240
Findlater L, Wobbrock J, Wigdor D (2011) Typing on flat glass: examining ten-finger expert typing patterns on touch surfaces. In: Proceedings of the ACM SIGCHI conference on human factors in computing systems (CHI 2011), ACM Press, New York, pp 2453–2462
Florencio D, Herley CA (2007) Large-scale study of web password habits. In: Proceedings of the ACM conference on World Wide Web (WWW 2007), ACM Press, pp 657–666
Forget A, Biddle R (2008) Memorability of persuasive passwords. In: Extended abstracts of the ACM SIGCHI conference on human factors in computing systems (CHI 2008), ACM Press, pp 3759–3764
Forget A, Chiasson S, van Oorschot P, Biddle R (2008) Improving text passwords through persuasion. In: Proceedings of the ACM international symposium on usable privacy and security (SOUPS 2012), ACM Press, pp 1–12.
Forget A, Chiasson S, Biddle R (2014) Towards supporting a diverse ecosystem of authentication schemes. In: Proceedings of the who are you?! Adventures in authentication workshop (WAY 2014) at the symposium on usable privacy and security (SOUPS 2014), USENIX Association
Gao H, Guo X, Chen X, Wang L, Liu X (2008) YAGP: yet another graphical password strategy. In: Proceedings of the IEEE conference on computer security applications, IEEE computer society, pp 121–129
Gao H, Liu H, Yao D, Liu X, Aickelin U (2010) An audio CAPTCHA to distinguish humans from computers. In: Proceedings of the international symposium on electronic commerce and security (SECS 2010), IEEE Computer Society, pp 265–269
Golle P (2008) Machine learning attacks against the asirra CAPTCHA. In: Proceedings of the conference on computer and communications security (CCS 2008), ACM Press, pp 535–542
Gossweiler R, Kamvar M, Baluja S (2009) What’s up CAPTCHA?: a CAPTCHA based on image orientation. In: Proceedings of the international conference on World Wide Web (WWW 2009), ACM press, pp 841–850
Halderman JA, Waters B, Felten E (2005) Convenient method for securely managing passwords. In: Proceedings of the ACM international conference on World Wide Web, ACM Press, pp 471–479
Hayashi E, Pendleton B, Ozenc F, Hong J (2012) WebTicket: account management using printable tokens. In Proceedings of the SIGCHI conference on human factors in computing systems (CHI’12). ACM Press, pp 997–1006
Herley C, van Oorschot P (2012) A research agenda acknowledging the persistence of passwords. IEE Secur Priv 10(1):28–36
Herley C, van Oorschot P, Patrick A (2009) Passwords: if we’re so smart, why are we still using them? In: Dingledine R, Golle P (eds) Financial cryptography and data security, vol 5628, LNCS. Springer, Heidelberg
Holman J, Lazar J, Feng JH, D’Arcy J (2007) Developing usable CAPTCHAs for blind users. In: Proceedings of the ACM SIGACCESS conference on computers and accessibility (ASSETS 2007), ACM Press, pp 245–246
Hong J, Hwang M, Tam K, Lai Y, Liu L (2012) Effects of cognitive style on digital jigsaw puzzle performance: a GridWare analysis. Comput Hum Behav 28(3):920–928
Inglesant P, Sasse A (2010) The true cost of unusable password policies: password use in the wild. In: Proceedings of the ACM SIGCHI conference on human factors in computing systems (CHI 2010), ACM Press, pp 383–392
Jermyn I, Mayer A, Monrose F, Reiter M, Rubin A (1999) The design and analysis of graphical passwords. In: Proceedings of the USENIX security symposium (Security 1999), USENIX Association, pp 1–1
Kluever KA, Zanibbi R (2009) Balancing usability and security in a video CAPTCHA. In: ACM symposium on usable privacy and security, Article 14, ACM Press, 11 p
Kobsa A, Nithyanand R, Tsudik G, Uzun E (2013) Can Jannie verify? Usability of display-equipped RFID tags for security purposes. J Comput Secur 21(3):347–370
Komanduri S, Shay R, Kelley P, Mazurek M, Bauer L, Christin N, Cranor L, Egelman S (2011) Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the ACM SIGCHI conference on human factors in computing systems (CHI 2011), ACM Press, pp 2595–2604
Kozhevnikov M (2007) Cognitive styles in the context of modern psychology: toward an integrated framework of cognitive style. Psychol Bull 133(3):464–481
Kuo C, Romanosky S, Cranor L (2006) Human selection of mnemonic phrase-based passwords. In: Proceedings of the ACM international symposium on usable privacy and security (SOUPS 2006), ACM Press, pp 67–78
Leonhard MD, Venkatakrishnan VN (2007) A comparative study of three random password generators. In: Proceedings of the IEEE international conference on electro/information technology (EIT 2007), IEEE Computer Society, pp 227–232
Ma Y, Feng J, Kumin L, Lazar J (2013) Investigating user behavior for authentication methods: a comparison between individuals with down syndrome and neurotypical users. ACM Trans Access Comput, 4(4), Article 15, p 27
Mihajlov M, Jerman-Blazic B (2011) On designing usable and secure recognition-based graphical authentication mechanisms. Interact Comput 23(6):582–593
Messick S (1993) The matter of style: manifestations of personality in cognition, learning, and teaching. Educational Testing Service, Princeton
Nelson D, Vu K (2010) Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords. Comput Hum Behav 26(4):705–715
Nicholson J, Dunphy P, Coventry L, Briggs P, Olivier PA (2012) Security assessment of tiles: a new portfolio-based graphical authentication system. In: Extended abstracts of the ACM SIGCHI conference on human factors in computing systems (CHI 2012), ACM Press, pp 1967–1972
Papatheocharous E, Belk M, Germanakos P, Samaras G (2014) Towards implicit user modeling based on artificial intelligence, cognitive styles and web interaction data. Int J Artif Intell Tools 23(2):21
Passfaces Corporation (2009) The science behind Passfaces. White paper, http://www.passfaces.com/enterprise/resources/white_papers.htm
Proctor R, Lien MC, Vu KP, Schultz E, Salvendy G (2002) Improving computer security for authentication of users: influence of proactive password restrictions. Behav Res Methods 34:163–169
Reardon LB, Moore DM (1988) The effect of organization strategy and cognitive styles on learning from complex instructional visuals. Int J Instr Media 15:353–363
Renaud K, Mayer P, Volkamer M, Maguire J (2013) Are graphical authentication mechanisms as strong as passwords?. In: Proceedings of the federated conference on computer science and information systems (FedCSIS 2013), IEEE Computer Society, pp 837–844
Reynaga G, Chiasson S (2013) The usability of CAPTCHAs on smartphones. In: Proceedings of the conference on security and cryptography (SECRYPT 2013), pp 427–434
Riding R, Cheema I (1991) Cognitive styles – an overview and integration. Educ Psychol 11(3–4):193–215
Ross SA, Halderman JA, Finkelstein A (2010) Sketcha: a CAPTCHA based on line drawings of 3D models. In: ACM conference on World Wide Web, ACM Press, New York, pp 821–830
Rui Y, Liu Z (2004) ARTiFACIAL: automated reverse Turing test using FACIAL features. J Multimedia Systems 9:493–502
Securimage v.3.5.2 (2014). http://www.phpcaptcha.org
Shay R, Komanduri S, Kelley P, Leon P, Mazurek M, Bauer L, Christin N, Cranor L (2010) Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the ACM symposium on usable privacy and security (SOUPS 2012), ACM Press, Article 2, 20 p
Shay R, Kelley P, Komanduri S, Mazurek M, Ur B, Vidas T, Bauer L, Christin N, Cranor L (2012) Correct horse battery staple: exploring the usability of system-assigned passphrases. In: Proceedings of the ACM symposium on usable privacy and security (SOUPS 2012), ACM Press, Article 7, p 20
Shay R, Bauer L, Christin N, Cranor L, Forget A, Komanduri S, Mazurek M, Melicher W, Segreti S, Ur B (2015) A spoonful of sugar? The impact of guidance and feedback on password-creation behavior. In: Proceedings of ACM conference on human factors in computing systems (CHI 2015), ACM Press, pp 2903–2912
Shirali-Shahreza S, Penn G, Balakrishnan R, Ganjali Y (2013) Seesay and hearsay CAPTCHA for mobile interaction. In: Proceedings of the ACM SIGCHI conference on human factors in computing systems (CHI 2013), ACM Press, pp 2147–2156
Tao H, Adams C (2008) Pass-go: a proposal to improve the usability of graphical passwords. Netw Secur 7(2):273–292
Tullis TS, Tedesco DP, McCaffrey KE (2011) Can users remember their pictorial passwords six years later. In: Proceedings of the ACM SIGCHI international conference on human factors in computing systems (CHI 2011), ACM Press, pp 1789–1794
Varenhorst C (2004) Passdoodles: a lightweight authentication method. MIT Research Science Institute, Cambridge, MA
Vikram S, Fan Y, Gu G (2011) SEMAGE: a new image-based two-factor CAPTCHA. In: Proceedings of the international conference on computer security applications (CCS 2011), ACM Press, pp 237–246
von Ahn L, Blum M, Langford J (2004) Telling humans and computers apart automatically. Commun ACM 47:56–60
von Ahn L, Maurer B, McMillen C, Abraham D, Blum M (2008) reCAPTCHA: human-based character recognition via web security measures. Science 321(5895):1465–1468
von Zezschwitz E, De Luca A, Hussmann H (2014) Honey, I shrunk the keys: influences of mobile devices on password composition and authentication performance. In: Proceedings of the Nordic conference on human-computer interaction: fun, fast, foundational (NordiCHI 2014), ACM Press, pp 461–470
von Zezschwitz E, De Luca A, Brunkow B, Hussmann H (2015) SwiPIN: fast and secure PIN-entry on smartphones. In: Proceedings of the 33rd annual ACM conference on human factors in computing systems (CHI’15). ACM, New York, pp 1403–1406
Vu K, Proctor R, Bhargav-Spantzel A, Tai B, Cook J, Schultz E (2007) Improving password security and memorability to protect personal and organizational information. Int J Hum Comput Stud 65(8):744–757
Wiedenbeck S, Waters J, Birget J, Brodskiy A, Memon N (2005) Authentication using graphical passwords: effects of tolerance and image choice. In: Proceedings of the ACM symposium on usable privacy and security (SOUPS 2005), ACM Press, pp 1–12
Winkler C, Gugenheimer J, De Luca A, Haas G, Speidel P, Dobbelstein D, Rukzio E (2015) Glass unlock: enhancing security of smartphone unlocking through leveraging a private near-eye display. In: Proceedings of the ACM conference on human factors in computing systems (CHI 2015). ACM Press, pp 1407–1410
Wright N, Patrick A, Biddle R (2012) Do you see your password?: applying recognition to textual passwords. In: Proceedings of the ACM symposium on usable privacy and security (SOUPS 2012), ACM Press, Article 8
Yan J, El Ahmad AS (2008) A low-cost attack on a microsoft CAPTCHA. In: Proceedings of the ACM conference on computer and communications security (CCS 2008), ACM Press, pp 543–554
Yan J, Blackwell A, Anderson R, Grant A (2004) Password memorability and security: empirical results. IEEE Secur Priv Mag 2(5):25–31
Zhu B, Yan J, Li Q, Yang C, Liu J, Xu N, Yi M, Cai K (2010) Attacks and design of image recognition CAPTCHAs. In: Proceedings of the ACM conference on computer and communications security (CCS 2010), ACM Press, pp 187–200
Author information
Authors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Germanakos, P., Belk, M. (2016). The Usable Security Case. In: Human-Centred Web Adaptation and Personalization. Human–Computer Interaction Series. Springer, Cham. https://doi.org/10.1007/978-3-319-28050-9_8
Download citation
DOI: https://doi.org/10.1007/978-3-319-28050-9_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-28048-6
Online ISBN: 978-3-319-28050-9
eBook Packages: Computer ScienceComputer Science (R0)