Hi all,
My name is Greg - I'm a user experience intern working on FXA,
specifically usable security.
Last week I attended the Symposium on Usable Privacy and Security, which
was ironically held at Facebook Headquarters in Menlo Park.
(http://cups.cs.cmu.edu/soups/2014/)
I didn't see a single bad paper. But a few seemed _especially_
interesting, and I've summarized them below. I include links to
individual papers, but the entire conference is open access and
available at https://www.usenix.org/conference/soups2014/proceedings if
anyone is interested.
I wanted to give a short report on some of the research I saw there that
may be relevant to FXA, so below I have summarized a few papers that may be
useful to FXA devs and/or designers.
0.) Memorizing 56-bit random passwords through spaced repetition
This was a lightning talk by Joe Bonneau (Princeton) and Stuart
Schechter (Microsoft Research). The basic idea is that via "spaced
repetition" users can memorize extremely long passwords, and that these
long passwords could be used for a password safe or other password
storage service to reduce cognitive load on users. One major issue is
that such a scheme can't be done all at once - it's done in chunks over
a series of days/weeks.
Unfortunately, this was a "lightning talk" and not a full paper, so it
has no entry in the online proceedings. But the presentation is
available at
https://docs.google.com/presentation/d/10exb3MkNvhwlnkU52K5-6AFZ3fLtJRacqhYW_ePlIeY/view
It's a bit confusing since there's no slide notes... but Wired also did
a nice write up that fills in the gaps:
http://www.wired.com/2014/07/how-to-teach-humans-to-remember-really-complex-passwords/
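To make the scheme concrete, here is an added example (my own illustration, not code from the talk or the Wired article): it computes how many random symbols are needed to reach a 56-bit target for a given alphabet, splits the resulting secret into chunks, and runs a simple spaced-repetition schedule that introduces one chunk at a time and doubles the review interval after each successful recall. The chunk size, the gap between introducing chunks, the interval doubling and the 30-day cap are assumptions chosen for illustration, not parameters from the research.

```python
"""Spaced-repetition drill for a random secret (added example, not from the talk)."""
import math
import secrets
import string
from dataclasses import dataclass


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Uniform symbols needed so that log2(alphabet_size ** n) >= target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def entropy_bits(num_symbols: int, alphabet_size: int) -> float:
    """Entropy of num_symbols uniformly random symbols from the alphabet."""
    return num_symbols * math.log2(alphabet_size)


def generate_secret(target_bits: float, alphabet: str = string.ascii_lowercase) -> str:
    """Random secret meeting the target entropy; uses the CSPRNG in `secrets`."""
    n = symbols_needed(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def chunk(secret: str, size: int) -> list:
    """Split the secret into fixed-size pieces the user learns one at a time."""
    return [secret[i:i + size] for i in range(0, len(secret), size)]


@dataclass
class ChunkProgress:
    text: str
    interval_days: int = 0   # 0 means the chunk has not been introduced yet
    next_due_day: int = 0


class Trainer:
    """Leitner-style schedule (assumption): interval doubles on success, resets on failure."""

    def __init__(self, chunks: list, intro_gap_days: int = 3, max_interval_days: int = 30):
        self.progress = [ChunkProgress(c) for c in chunks]
        self.intro_gap_days = intro_gap_days
        self.max_interval_days = max_interval_days
        self.next_intro_day = 0

    def session(self, day: int) -> list:
        """Indices to rehearse today: due chunks plus at most one newly introduced chunk."""
        due = [i for i, p in enumerate(self.progress)
               if p.interval_days > 0 and p.next_due_day <= day]
        if day >= self.next_intro_day:
            for i, p in enumerate(self.progress):
                if p.interval_days == 0:
                    p.interval_days = 1
                    p.next_due_day = day
                    self.next_intro_day = day + self.intro_gap_days
                    due.append(i)
                    break
        return due

    def record(self, idx: int, day: int, recalled: bool) -> None:
        """Update one chunk after the user tried to recall it."""
        p = self.progress[idx]
        if recalled:
            p.interval_days = min(p.interval_days * 2, self.max_interval_days)
        else:
            p.interval_days = 1          # forgotten: start that chunk over
        p.next_due_day = day + p.interval_days

    def fully_learned(self) -> bool:
        return all(p.interval_days >= self.max_interval_days for p in self.progress)


def simulate(trainer: Trainer, days: int, recall=lambda idx, day: True) -> dict:
    """Drive the schedule for `days` days; `recall` models the user's memory."""
    log = {}
    for day in range(days):
        todo = trainer.session(day)
        for idx in todo:
            trainer.record(idx, day, recall(idx, day))
        log[day] = todo
    return log


if __name__ == "__main__":
    secret = generate_secret(56)                 # 12 lowercase letters, ~56.4 bits
    print(secret, round(entropy_bits(len(secret), 26), 1), "bits")
    t = Trainer(chunk(secret, 3))
    for day, idxs in simulate(t, 40).items():    # perfect recall for the demo
        if idxs:
            print(f"day {day:2d}: rehearse {[t.progress[i].text for i in idxs]}")
```

Running it shows the property the talk describes: with perfect recall the whole 12-letter secret is introduced over the first nine days and each chunk is rehearsed only a handful of times, spread over weeks, before its review interval hits the cap.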
1.) Will this onion make you cry? A Usability Study of Tor-enabled
Mobile Apps
cups.cs.cmu.edu/soups/2014/posters/soups2014_posters-paper27.pdf
This is a poster that was presented at SOUPS, which does a great job
detailing a set of heuristics a developer can use to judge the usability
of security/privacy software.
2.) Privacy attitudes of Mechanical Turk workers and the U.S. public
https://www.usenix.org/conference/soups2014/proceedings/presentation/kang
A lot of usable security studies use Mechanical Turk, and there's often
debate as to how representative Turkers are. This study compared the
privacy attitudes of Mechanical Turkers to a recent Pew Study on privacy
(http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/)
which uses more traditional social science methods, and found that US
Turkers are more privacy conscious than the US population (even when
adjusting for the fact that US turkers are younger on average than the
general population), something that should be taken into account when
reporting on Mechanical Turk studies.
3.) Towards Continuous and Passive Authentication via Touch Biometrics:
An Experimental Study on Smartphones
https://www.usenix.org/conference/soups2014/proceedings/presentation/xu
This paper discussed using "touch biometrics" - not a user's
fingerprint, but instead authenticating based on a statistical model of
how you make gestures on a touch screen device. It's not ready for prime
time (there's a long learning phase for the machine learning algorithm
and it needs several gestures to accurately authenticate), but it's a
promising and novel method of authentication, especially since, as Chris
Soghoian pointed out in his keynote, almost no one uses strong passwords
on their mobile devices due to the burden that typing a long password
20+ times a day would be.
4.) The Password Life Cycle: User Behaviour in Managing Passwords
https://www.usenix.org/conference/soups2014/proceedings/presentation/stobert
We know that users often re-use passwords. This is a cool qualitative
study which describes a "password lifecycle" which helps explain how
well-meaning users arrive at the decision to reuse passwords. There are
also a lot of other useful anecdotes, too numerous to list here.
--
Greg Norcie (IRC: gnorcie)
Intern, Identity Team
Desk 7360
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct