HCI Lecture 10: Guest Lecture – Usability & Security
28 October 2008
● Mike Just, Visiting Research Fellow

Key Points:
➢ Reliance upon memory is a key factor for usability
➢ Usability and security can be achieved simultaneously
➢ Authentication can use memorized, as well as already known, information
➢ Cognitive passwords have, until now, received very little academic study, despite widespread use
Before beginning today's lecture, I would like to perform an experiment with you
Details are provided in the handout
There are two stages for this experiment
Stage 1 – Start of Lecture Today
Stage 2 – Start of Lecture on 25 November 2008
The experiment is voluntary – you can choose to not participate, or to withdraw at any point
At no time will you be asked to submit any personal information
Can usability and security co-exist?
Does increased security reduce usability?
Yes (sometimes)
Does increased usability reduce security?
Yes (sometimes)
The above examples should not be taken as general answers to these questions
We do know that reduced usability will also reduce security (controls that are hard to use get bypassed or misapplied) – system designers must find the balance between usability and security
And the design environment isn't easy ...
"Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)"
C. Kaufman, R. Perlman, M. Speciner, "Network Security: Private Communication in a Public World", 2nd ed., 2002
Consider the following examples
What is your mother's maiden name?
What is your favourite colour?
Who is your favourite actor?
What was your high school locker combination?
What was your first pet's name?
Are these questions usable?
Are these questions secure?
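For a statistical guesser, whether a question like those above is secure comes down to how its answers are spread across the population: "favourite colour" has a handful of answers and one of them is far more common than the rest, while a locker combination, if it were ever remembered, is drawn from a large flat space. The Python below is an added example, not code from the lecture or from Mike Just's work. It scores constructed answer distributions (illustrative weights, not survey data) on Shannon entropy, min-entropy, the attacker's success probability within a fixed number of guesses, and a lockout-policy check; all distribution and function names are ours.

```python
"""Guessability of challenge-question answers.

Added example, not from the lecture. The answer distributions below are
constructed for illustration, not survey data; every name here is ours.
Attacker model: a statistical guesser who knows the population
distribution and tries the most common answers first.
"""
import math
from collections import Counter


def zipf_counts(n_answers, exponent=1.1, scale=1000.0):
    """Constructed long-tailed distribution (answer i weighted 1/i**exponent),
    standing in for real data on a question like "first pet's name"."""
    return Counter({f"answer{i}": scale / i ** exponent
                    for i in range(1, n_answers + 1)})


# Constructed distributions (counts or weights per answer).
FAVOURITE_COLOUR = Counter({"blue": 42, "red": 18, "green": 13, "purple": 9,
                            "black": 7, "yellow": 5, "pink": 3, "orange": 3})
FIRST_PET_NAME = zipf_counts(2000)
# Three numbers on a 40-position dial, assumed uniform: 40**3 possibilities.
LOCKER_COMBINATION = Counter({f"combo{i}": 1 for i in range(40 ** 3)})


def probabilities(counts):
    """Answer probabilities, most common first."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def shannon_entropy_bits(counts):
    """Average uncertainty; overstates security when a few answers dominate."""
    return -sum(p * math.log2(p) for p in probabilities(counts))


def min_entropy_bits(counts):
    """-log2(most likely answer): what a single online guess is worth."""
    return -math.log2(probabilities(counts)[0])


def success_within(counts, k):
    """Attacker success probability after the k best guesses."""
    return sum(probabilities(counts)[:k])


def guesses_for(counts, alpha):
    """Guesses (most common first) needed to succeed with probability alpha."""
    cumulative = 0.0
    for i, p in enumerate(probabilities(counts), start=1):
        cumulative += p
        if cumulative >= alpha:
            return i
    return len(counts)


def acceptable(counts, attempts_allowed, max_success):
    """Policy check: with lockout after attempts_allowed wrong answers, does
    the statistical guesser stay below max_success? Says nothing about an
    acquaintance who simply knows the answer."""
    return success_within(counts, attempts_allowed) < max_success


def report(name, counts, attempts_allowed=3, max_success=0.01):
    """One row of the comparison table, as a dict."""
    return {
        "question": name,
        "answers": len(counts),
        "shannon_bits": round(shannon_entropy_bits(counts), 2),
        "min_entropy_bits": round(min_entropy_bits(counts), 2),
        f"success_in_{attempts_allowed}": round(
            success_within(counts, attempts_allowed), 4),
        "guesses_for_50pct": guesses_for(counts, 0.5),
        "acceptable": acceptable(counts, attempts_allowed, max_success),
    }


if __name__ == "__main__":
    for name, dist in [("favourite colour", FAVOURITE_COLOUR),
                       ("first pet's name", FIRST_PET_NAME),
                       ("locker combination", LOCKER_COMBINATION)]:
        print(report(name, dist))
```

Shannon entropy alone is misleading for skewed distributions: the colour question scores roughly 2.5 bits on average but only about 1.25 bits of min-entropy, and three guesses succeed almost three quarters of the time. The check covers only guessing from population statistics; it says nothing about answers that are public record (a mother's maiden name) or known to acquaintances, nor about whether the legitimate user can reproduce the answer, which the usability side must assess separately.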
Many implementations exist
Very little academic research performed
Result:
Implementations have various interfaces
Various functionality
Likely inconsistent security protection
Likely inconsistent usability (applicability, memorability,
Lorrie Cranor and Simson Garfinkel (eds.), Security and Usability, O'Reilly and Associates, 2005.
Mike Just, "Designing and Evaluating Challenge Question Systems," IEEE Security & Privacy: Special Issue on Security and Usability, L. F. Cranor and S. Garfinkel, editors, pp. 32-39, 2004.