Usable Security – Are we nearly there yet? M. Angela Sasse Head of Information Security Research Director, Research Institute in Science of Cyber Security.

Presentation transcript:

Usable Security – Are we nearly there yet? M. Angela Sasse Head of Information Security Research Director, Research Institute in Science of Cyber Security University College London, UK

History (Ancient)
1. The system must be substantially, if not mathematically, undecipherable;
2. The system must not require secrecy and can be stolen by the enemy without causing trouble;
3. It must be easy to communicate and remember the keys without requiring written notes; it must also be easy to change or modify the keys with different participants;
4. The system ought to be compatible with telegraph communication;
5. The system must be portable, and its use must not require more than one person;
6. Finally, regarding the circumstances in which such a system is applied, it must be easy to use and must neither require stress of mind nor the knowledge of a long series of rules.
Auguste Kerckhoffs, ‘La cryptographie militaire’, Journal des sciences militaires, vol. IX, pp. 5–38, Jan. 1883, pp. 161–191, Feb

History (Middle Ages)
“It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized.”
J. H. Saltzer & M. D. Schroeder, ‘The protection of information in computer systems’, Proceedings of the IEEE, vol. 63, no. 9, pp , Sept. 1975

History (Recent)
Study on escalating cost of password resets at BT:
– too high workload
– leads to shortcut security mechanisms
– users don’t understand threats and risks
Adams & Sasse, CACM 1999
Also 1999: Whitten & Tygar, “Why Johnny can’t encrypt”

What Has Happened Over The Past Decade?
Lots, arguably:
– ACM SOUPS (Symposium on Usable Security and Privacy) since 2004
– SHB (Security & Human Behaviour) since 2008
– Papers in CHI, CCS, Usenix, NSPW …
– Books: Cranor & Garfinkel, Shostack, Lacey
– University modules on usable security
– US National Academy of Sciences Workshop on Usable Security and Privacy 2009

And – is security more usable?
Exhibit 1: Authentication
Exhibit 2: Access Control
Exhibit 3: Encryption
Exhibit 4: CAPTCHAs

Authentication
Lots of alternative authentication proposals, mostly graphical; example: Passfaces
– Very memorable … until you have more than one Passfaces password (Everitt et al., CHI 2009)
– Selection biases result in low guessing difficulty

Passpoints Wiedenbeck et al. IJHCS 2005

Draw-a-Secret & BDAS (Yan et al.)

More ‘usable’ authentication...
– Authentication via Rorschach inkblot tests
– Singing your password (Reynaud et al., NSPW 2007)
– Thinking your password – free EEG thrown in (Thorpe et al., NSPW 2005) – now possible with Emotiv helmet?
– More biometrics (some dubious, some useful)
– Ringing up your friends in the middle of the night to provide you with previously entrusted re-set codes (Microsoft)

Passwords are plaguing people more than ever before
6-8 passwords per employee within organisation, despite single sign-on (SSO) (Inglesant & Sasse, CHI 2010)
Getting worse:
– Longer passwords
– Increasing number of self-service re-sets, with
– New layers of credentials added (e.g. challenge questions)
– Interaction on new devices

Old security + new device = not usable, not secure
50%+ of password entries are on touchscreens; entry time & errors 3-5X higher (Schaub et al., MUM 2012), leading to a severely reduced password space

The Great Authentication Fatigue
More authentication than before, culminating in The Great Authentication Fatigue (Sasse et al., Procs HCII 2014)
Illustrated by NIST study:
– 20+ authentications/day
– 10% failure rate (with ensuing recovery activity)
– Significant impact on individual and organisational productivity
– Not just time spent on security task: cost of disruption

Authentication ‘Wall of Disruption’

Employees’ coping strategies
1. Batching and planning of activities to limit the number of logins
2. Storing passwords or writing them down

Impact on productivity – long-term
1. Users opt out of services, return devices
– Improves their productivity, but often reduces organizational productivity (example: )
– Organization has less control over alternatives
2. Stifling innovation: new opportunities that would require changes in security
3. Staff leaving organization to be more productive/creative elsewhere

Impact on security
1. User errors – even when they are trying to be secure
2. Coping strategies create vulnerabilities
3. Non-compliance/workarounds to get tasks done
4. ‘Noise’ created by habitual non-compliance makes malicious behavior harder to detect
5. Lack of appreciation of/respect for security creates a dysfunctional security culture

When breaking rules becomes the norm
– People forget
– High signal/noise ratio, which makes hostile activity harder to detect

High cost – and patchy security

Password leak 1…

… and Password Leak 2!

Comp8 zombie – and why it could get worse
Comp8 password standard – usable for 1-2 passwords with frequent use, but dictionary + history checks & expiry create impossible workload
What is the security risk? Can be managed better without burdening users
Why it could get worse: on basis of mTurk study, Shay et al. (CHI 2014) argue that char passwords are “usable”

Security: “users should make the effort”
“An hour from each of 180 million online users (in the US) is worth approximately $2.5 billion. A major error in security thinking has been to treat as free a resource that is actually extremely valuable.”
C. Herley, More Is Not The Answer, IEEE S&P Jan/Feb 2014

“Technology should be smarter than this!”
Move from explicit to implicit authentication:
1. Proximity sensors to detect user presence
2. Behavioural biometrics: zero-effort, one-step, two-factor authentication
3. Exploit modality of interaction: use video-based authentication in video, audio in audio, etc.
4. Web fingerprinting can identify users – why not use it for good?

Digital Natives are getting restless

… and elephants are getting together

Research green shoots: PICO
Cambridge University research project headed up by Frank Stajano
Aim: “To liberate computer users from the inconvenience and insecurity of passwords.”
Design directive: “You won't have to remember any secrets to authenticate.”
Method: moving from something you know (passwords) to something you have (wearable cryptographic technology)
See

Exhibit 2: Access Control
Access control settings – RBAC, Sharepoint etc.
Widespread circumvention via emailing, password sharing, Dropbox (Bartsch & Sasse, ECIS 2013)
Over-entitlements: access reviews by managers – battle ground in many organisations
Green shoots: user self-reviews

Exhibit 3: Encryption
Special Agent Johnny still can’t encrypt (Clark et al., USENIX 2011)
PKI-based solutions could fix many problems (e.g. phishing) but are too difficult for users and developers, and too expensive
Green shoots: Simply Secure foundation aiming to create usable encryption tools and a blueprint for the development process

Exhibit 4: CAPTCHAs – making humans prove they are not bots
Not a particularly effective security measure
Not usable: failure rate around 40% – so customers go elsewhere
“CAPTCHAs waste 17 years of human effort every day” (Pogue, Scientific American March 2012)

Our non-compliance studies
1. Financial institution (8 interviews)
2. Technology company (9 interviews)
3. US government agency (24 interviews)
4. Utility company (118 int survey responses)
5. Telco (98 ints survey responses)
6. UK defence (6 interviews with auditors)
Mechanisms: authentication, access control, USB, encryption, tokens/badges

Stop obsessing about the UI – focus on economics!
– Design failures are deeper than the UI – misalignment of goals and risk perceptions
– Must account for the cost of security – accept there is a limited budget, and work with it
– Need to focus on, and fit with, user goals and tasks
– Fit least-disruptive mechanism – automate if possible

[Figure: The Compliance Budget (Beautement et al., NSPW 2008). Axes: perceived individual cost of compliance vs. organisational cost of compliance; the compliance threshold is the point where the perceived individual cost exceeds the perceived benefit.]

Security: wake up and smell the coffee
“… security must make its way in an extremely competitive environment. Not only are there no unclaimed pools of user effort to be had, it is difficult to preserve existing pools from incursions. It is hard to reserve time, effort, screen real-estate or techniques for security when each of them is a valuable and monetizable resource.“
C. Herley: More Is Not the Answer, IEEE Security & Privacy Jan/Feb 2014

Conclusions
Are we nearly there yet? No – if anything, things have become worse
Need to minimise workload and friction of security in use, and model/predict it during the design stage
Radical thought: give security a budget (say – 3%), and ask them to use it wisely

Work in progress
Transforming existing deployments
– Workload and friction audit, database
– Use ‘Shadow Security’ practices as starting point for redesign (Kirlappos et al., 2014)
– Transform security habits (Pfleeger et al. 2014)
During development
– Use cases with personas and workload gauges (Sentire, Porter et al. RE 2014)
– Assess enrolment tasks with NASA TLX with small user groups
– Develop personas with specific demand thresholds

Final appeal: End obstacle security

PAS and engage and work with users, instead of patronising them

Questions?