Publications

Renaud, K., Maguire, J., Zimmerman, V. and Draper, S. "Lessons Learned from Evaluating Eight Password Nudges in the Wild" To appear in Proceedings of the 2017 Workshop on Learning from Authoritative Security Experiment Results (LASER), (Virginia, United States, 2017), USENIX, pp.XX-XX.

Abstract / PDF

Abstract

Maguire, J. and Draper, S. "Privacy of Personal Things in Active Learning Spaces Needs Individually Evolved Requirements" To appear in Proceedings of the 1st Annual ACM Workshop on the Internet of Safe Things, co-located with the 15th ACM Conference on Embedded Networked Sensor Systems, (Delft, Netherlands, 2017), ACM, pp.XX-XX.

Abstract / PDF

Abstract

Gutmann, A., Renaud, K., Maguire, J., Mayer, P., Volkamer, M., Matsuura, K. and Müller-Quade, J. "ZeTA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology" To appear In Proceedings of the 1st IEEE European Symposium on Security and Privacy, (Saarbrücken, Germany, 2016), IEEE.

Acceptance rate: 17.6% / Abstract / PDF

Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. The contributions of this paper are:

1. we propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels.
2. we outline a security analysis to assess the envisaged performance of the proposed authentication protocol.
3. we report on a usability study that explores the viability of relying on human computation in this context.

Maguire, J. and Renaud, K. "Alternative Authentication in the Wild" In Proceedings of the 5th Annual Workshop on Socio-Technical Aspects in Security and Trust, co-located with the 28th IEEE Computer Security Foundations Symposium, (Verona, Italy, 2015), IEEE, pp.32-39.

Abstract / PDF

Alphanumeric authentication routinely fails to regulate access to resources with the required stringency, primarily due to usability issues. Initial deployment did not reveal the problems of passwords, deep and profound flaws only emerged once passwords were deployed in the wild. The need for a replacement is widely acknowledged yet despite over a decade of research into knowledge-based alternatives, few, if any, have been adopted by industry. Alternatives are unconvincing for three primary reasons. The first is that alternatives are rarely investigated beyond the initial proposal, with only the results from a constrained lab test provided to convince adopters of their viability. The second is that alternatives are seldom tested realistically where the authenticator mediates access to something of value. The third is that the testing rarely varies the device or context beyond that initially targeted. In the modern world different devices are used across a variety of contexts. What works well in one context may easily fail in another. Consequently, the contribution of this paper is an "in the wild" evaluation of an alternative authentication mechanism that had demonstrated promise in its lab evaluation. In the field test the mechanism was deployed to actual users to regulate access to an application in a context beyond that initially proposed. The performance of the mechanism is reported and discussed. We conclude by reflecting on the value of field evaluations of alternative authentication mechanisms. The contributions of this paper are:

1. we report on a field investigation of a previously proposed alternative authentication mechanism.
2. we highlight aspects related to the design and methodological considerations that need to be considered in carrying out a field investigation of an alternative authentication mechanism that performed well it its initial evaluations.
3. we discuss the lessons we learned and reflect on the value of probationing an alternative authentication mechanism in the wild.

Renaud, K. and Maguire, J. "Regulating Access to Adult Content (with Privacy Preservation)" In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, (Seoul, South Korea, 2015), ACM, pp.4019-4028.

Acceptance rate: 23.0% / Abstract / PDF

In the physical world we have well-established mechanisms for keeping children out of adult-only areas. In the virtual world this is generally replaced by self declaration. Some service providers resort to using heavy-weight identification mechanisms, judging adulthood as a side effect thereof. Collection of identification data arguably constitutes an unwarranted privacy invasion in this context, if carried out merely to perform adulthood estimation. This paper presents a mechanism that exploits the adult's more extensive exposure to public media, relying on the likelihood that they will be able to recall details if cued by a carefully chosen picture. We conducted an online study to gauge the viability of this scheme. With our prototype we were able to predict that the user was a child 99% of the time. Unfortunately the scheme also misclassified too many adults. We discuss our results and suggest directions for future research. The contributions of this paper are:

1. the concept of knowledge-based regulation of access to adult content
2. proven accuracy of the scheme based on two studies, using empirically validated images to perform adulthood estimation
3. discussion of the implementation challenges and proposals for future work

Renaud, K., Volkamer, M. and Maguire, J. (2014) "ACCESS: Describing and Contrasting Authentication Mechanisms" In Proceedings of the Second International Conference on Human Aspects of Information Security, Privacy, and Trust, (Crete, Greece, 2014), Springer International Publishing, pp.183-194.

Abstract

The password the almost universal authentication solution yet is buckling under the strain. It demonstrates insufficiency and weakness due to poor choice, reuse and ease of transfer. Graphical passwords, biometrics, and hardware tokens have been suggested as alternatives. Industry has, unfortunately, not embraced these alternatives. One possible explanation is the complexity of the choice process. To support authentication decision-markers we suggest a framework called ACCESS (Authentication ChoiCE Support System) which captures requirements, consults a knowledge base of existing authentication mechanisms and their properties, and suggests those mechanisms that match the specified requirements.

Renaud, K., Maguire, J., van Niekerk, J., & Kennes, D. (2014) "Contemplating Skill-based Authentication". SAIEE Research Journal, vol. 105 no. 2 pp. 48-60 .

Abstract

Humans develop skills as they go through their lives: some are fairly common, such as reading, but others are developed to maximise employment opportunities. These skills develop over a long period of time and are much rarer. Here we consider whether we can exploit this reality in the security arena, specifically to achieve a stronger form of authentication. Authentication has traditionally been performed based on what users know, hold or are. The first is the most popular, in the form of the password. This is often referred to as “knowledge-based” authentication. Yet, rigorously following guidelines for password creation produces forgettable gibberish and nonsense strings, not knowledge. Nonsense is hard to remember and users engage in a number of coping strategies to ameliorate this, and these tend to weaken the authenticator. It would be beneficial to find a way of reducing this memorial load, to identify a more usable mechanism. This is hard: usually reducing the memorial load also makes the secret easier to guess. The challenge is in finding a way to reduce memory load while holding the line as far as strength is concerned. Here we contemplate exploiting recognition of artefacts resulting from experts practicing their craft: “skill-based” authentication. This should reduce the memorial load and effort, but also, crucially, make it harder for a random intruder to replicate. We report on how we trialled SNIPPET, a prototype of an authentication mechanism that relied on an expert programmer identifying his/her own code snippets from successive challenge sets. We found that our participants were all able to identify their own code snippets and that other participants were unable to guess these, even when they observed the legitimate person authenticating beforehand. These findings are not conclusive given the small number of participants but they do show promise and suggest that this is an area worth pursuing. We conclude by returning to the three NIST-identified forms of authentication and consider how SNIPPET can be positioned within the general authentication arena.

Renaud, K., Mayer, P., Volkamer, M. and Maguire, J. "Are Graphical Authentication Mechanisms As Strong As Passwords?" In Proceedings of the 2013 Federated Conference on Computer Science and Information Systems, (Krako, Poland, 2013), IEEE, pp.837-844.

Abstract

The fact that users struggle to keep up with all their (textual) passwords is no secret. Thus, one could argue that the textual password needs to be replaced. One alternative is graphical authentication. A wide range of graphical mechanisms have been proposed in the research literature. Yet, the industry has not embraced these alternatives. We use nowadays (textual) passwords several times a day to mediate access to protected resources and to ensure that accountability is facilitated. Consequently, the main aspect of interest to decision-makers is the strength of an authentication mechanism to resist intrusion attempts. Yet, researchers proposing alternative mechanisms have primarily focused on the users' need for superior usability while the strength of the mechanisms often remains unknown to the decision makers. In this paper we describe a range of graphical authentication mechanisms and consider how much strength they exhibit, in comparison to the textual password. As basic criteria for this comparison, we use the standard guessability, observability and recordability metrics proposed by De Angeli et al. in 2005. The intention of this paper is to provide a better understanding of the potential for graphical mechanisms to be equal to, or superior to, the password in terms of meeting its most basic requirement namely resisting intrusion attempts.

Renaud, K., Kennes, D., van Niekerk, J. and Maguire, J. "SNIPPET: Genuine knowledge-based authentication" In Proceedings of the 13th Annual Conference on Information Security, (Johannesburg, South Africa, 2013), IEEE, pp.1-8.

Abstract

Authentication is traditionally performed based on what you know, what you hold or what you are. The first is the most popular, in the form of the password. This is often referred to as “knowledge-based” authentication. Yet, given the guidelines for password restrictions commonly given to end-users we will argue that this is a misnomer. A strong password is actually a lengthy string of gibberish or nonsense. Common password strength guidelines advise users against choosing meaningful passwords. Humans are not very good at remembering nonsense strings so they very reasonably choose meaningful passwords which are easily guessed. This appears to constitute a stand off between the mnemonic needs of end users and the security needs of the system. If we could find a way of reducing the mnemonic load on users they might well be more likely to choose stronger authentication secrets. We could, for example, rely on pre-existing knowledge rather than requiring users to memorise a random alphanumeric string. If we were able to do this it should be easier for them to respond, and also harder for a random intruder to replicate the knowledge. Testing knowledge directly is probably infeasible in an au- thentication setting. We will show that experts can identify what they themselves produce as they go about carrying out their own skilled activities. We trialled a prototype mechanism which tested the mem- orability, observability and guessability of an authentication mechanism that relied on an expert programmer identifying his/her own code snippets. We conducted a pilot study and report on our findings. These findings are not conclusive given the small number of participants but they do show promise and suggest that this is an area worth pursuing.

Maguire, J. & Renaud, K. (2013) "Shrinking the Authentication Footprint" pp.2-11 in Proceedings of the 7th International Symposium on Human Aspects of Information Security & Assurance, Lisbon May 2013.

Abstract

Developers create paths for users to tread. Some users will stay on the beaten track; others will diverge and take risky shortcuts. If user-preferred and developer-created paths diverge too much, it is time for the developer to consider a new path. A case in point is the humble password. They fill an important developer need: a cheap and easy mechanism to control access and enforce accountability. Unfortunately, users find the constant requests for authentication a nuisance. They respond by walking down risky paths that compromise the mechanism but allow them to satisfy goals more quickly. The answer, for some researchers, has been to come up with password alternatives. This focus is misguided, since the alternatives do nothing to reduce the authentication footprint. The reality is that developers overuse authentication. The problem is not the authentication step, but rather its position in the path. Authentication is sometimes used even when there is no real need for it. This creates confusion in the user’s mind about the consequences of authentication: sometimes it authorises significant side effects and other times it is difficult to identify its raison d’etre. Here we suggest some developer patterns which minimise authentication requests, emphasising necessity rather than gratuitousness. We believe this will help to ease the current situation by moving towards genuine risk mitigation rather than harming authentication by excessive use thereof.

Renaud, K. & Maguire, J. (2013) "How do you solve a problem like Authentication?" in Human Factors in the Safety and Security of Critical Systems Workshop, Glasgow March 2013.

Abstract

The security aspect that the computer user encounters most often is the password prompt - a demand that they verify their identity by providing a shared secret. Authentication, for the deployer, regulates access and enforces accountability. Authentication, for the user, obstructs, intrudes and delays gratification. Whereas users could probably put up with this if it happens relatively infrequently, this tends not to be the case. An authentication prompt is presented a number of times during the day. Sometimes it has serious consequences, such as when it is required to authorise the purchase of a digital item, and the permits consequent credit card charge. Other times it merely identifies the user to allow the system to customise the interface. The range of consequences and the multiplicity of systems mandating shared secrets collide with human limitations and the current password bloat and general end-user exasperation.

Is it at all possible to improve authentication? As researchers, we have primarily addressed this problem in one of three ways: (1) by trying to find a password replacement, (2) by formulating rules and regulations to coerce users into choosing stronger passwords, or (3) fostering a security culture within the organisation, hoping that the social pressure will induce people to behave more securely. These endeavours have met with limited success. Alternatives have not been embraced by the developer community, rules and regulations are often ignored, subverted or deliberately flouted. Fostering a security culture has had more success, in relative terms, but still has not really addressed the “authentication problem”. The one thing these approaches have in common is their focus on the human agent: the end user.

Consider a related problem in the physical world: locks on doors. These have not changed in centuries and the doors themselves are probably weaker than they were a hundred years ago. Yet do locks really prevent intrusion? A determined intruder finds the average lock an minor deterrent, and the door itself is sometimes even made of glass, allowing the thief to subvert the lock entirely. Yet one never hears about a desperate search for a door or lock replacement. One doesn’t hear the refrain, ‘How do you solve a problem like the door lock? This even though they, too, are lost, copied and shared. Why, when it comes to virtual locks, is there such a drive to come up with the perfect locking mechanism? The password and the average door lock function similarly: neither is perfect but both provide an acceptable measure of security. Here we will argue that it might be time to suspend our unrealistic expectations that we can find a perfect lock in the virtual world when we live quite happily with imperfect security in the physical world.

Maguire, J. & Renaud, K. "You only live twice or the years we wasted caring about shoulder-surfing" In Proceedings of the 26th British HCI Group Annual Conference on People and Computers, (Birmingham, United Kingdom, 2012), ACM, pp.404-409.

Abstract

Passwords are a good idea, in theory. They have the potential to act as a fairly strong gateway. In practice though, passwords are plagued with problems. They are (1) easily shared, (2) trivial to observe and (3) maddeningly elusive when forgotten. While alternatives to passwords have been proposed, none, as yet, have been adopted widely. There seems to be a reluctance to switch from tried and tested passwords to novel alternatives, even if the most glaring flaws of passwords can be mitigated. One argument is that there is not enough investigation into the feasibility of many password alternatives. Graphical authentication mechanisms are a case in point. Therefore, in this paper, we detail the design of two prototype applications that utilise graphical authentication mechanisms. However, when forced to consider the design of such prototypes, we find that pertinent password problems eg. observation of entry, are just that: password problems. We conclude that effective, alternative authentication mechanisms should target authentication scenarios rather than the well-known problems of passwords. This is the only route to wide-spread adoption of alternatives.

Maguire, J. & Renaud, K. (2011) "An Alternative Avatar" Health, Wealth and Identity Theft Workshop at the 25th British HCI Group Annual Conference on People and Computers, (Newcastle, United Kingdom, 2011), ACM.

Abstract

Fragments of information are generated and maintained, everyday. In the aggregate, these fragments are crucial to companies like Google and Facebook. Therefore, they create free services which drive the creation of fragments and discourage the destruction of them. However, there are potentially unforeseen costs, in terms of security and energy, in managing all these fragments. We propose an image-based avatar, which fluctuates depending on the information generated by an individual online. The contribution of this paper is:

1. we propose an alternative to the username, in the form of a dynamic avatar whose appearance fluctuates depending on the information shared by the user.

Maguire, J. & Renaud, K. "Armchair Authentication" In Proceedings of the 23rd British HCI Group Annual Conference on People and Computers: Celebrating People and Technology, (Cambridge, United Kingdom, 2009), ACM, pp.388-397.

Acceptance rate: 25.0% / Abstract / PDF / Slide Deck

Alphanumeric authentication, by means of a secret, is not only a powerful mechanism, in theory, but prevails over all its competitors in practice. However, it is clearly inadequate in a world where increasing numbers of systems and services require people to authenticate in a shared space, while being actively observed. This new reality places pressure on a password mechanism never intended for use in such a context. Asterisks may obfuscate alphanumeric characters on entry but popular systems, e.g. Apple iPhone and Nintendo Wii, regularly require users to use an on-screen keyboard for character input. This may not be a real concern within the context of secluded space but inadvertly reveals a secret within shared space. Such a secret has an economic cost in terms of replacement, recall and revenue, all of which affect the financial return of the offending systems and services. In this paper, we present and evaluate a graphical authentication mechanism, Tetrad, which appears to have the potential to address these specific concerns. The contributions of this paper are:

1. we propose a observation-resilient graphical authentication mechanism for use on a television.
2. we report empirical evidence from a controlled lab-study on performance of observation-resilience and cognitive demands on the user.
3. we reflect and discuss the relevance of graphical authentication mechanisms in a shared-space.

Participation

Awards & Esteem

Postdoctoral and Early Career Researcher Exchange, Scottish Informatics & Computer Science Alliance (£5,900)

Awarded to support a research exchange with Prof. Melanie Volkamer at the Centre of Advanced Security Research in the Technische Universität Darmstadt in Germany. The opportunity affords me to the opportunity to experience a different environment, development my network and lay the foundation for future collaboration.

College of Science and Engineering Scholarship, University of Glasgow (£)

Pretigious scholarship awarded to cover Ph.D. tuition fees and provide a stipend. The last such scholarship awarded to The School of Computing Science to date.

Chancellor's Fund, University of Glasgow (£31,611)

Awarded to support the research, development and deployment of technologies and approaches for the learning and development of students in further education.

Talks

Lessons learned from integrating industry and exposing enterprises to computing science students. SEED: Skills in Entrepreneurial Education - SICSA worskhop. University of Dundee. 5th of September 2017

.

Privacy Lessons Learned from Active Learning Spaces. Learning Enhancement & Academic Development Service. University of Glasgow. 12th of July 2017

.

Preserving Privacy and Reconceptualising Sharing in Active Learning Spaces. University of Manchester. 6th of July 2017

.

Graduate Employability Challenges and Practices. Centre for Computing Science Education. University of Glasgow. 20th of March 2017.

.

Alternative Authentication in the Wild, University of Verona, Socio-Technical Aspects in Security and Trust Workshop, 28th IEEE Computer Security Foundations Symposium (CSF 2015), 13th of July 2015

.

Regulating Access to Adult Content (with Privacy Preservation), Coex Convention and Exhibition Centre, 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI 2015), 23rd of April 2015

.

Regulating Access to Adult Content (with Privacy Preservation), Centre for Advanced Security Research, Technische Universitat Darmstadt, 5th of April 2015

.

Alternative Authentication Research in Scotland, Centre for Advanced Security Research, Technische Universitat Darmstadt, 5th of Feburary 2015

Research into graphical authentication has yet to be meaningfully transferred into industry. This is the case globally, but is concerning in Scotland as considerable research into the area has been published and presented by academics in SICSA universities (e.g. University of Glasgow, Glasgow Caledonian University, Napier University). The lack of knowledge transfer is particularly perplexing given the interest of industry in improving digital security. There are several explanations for the lack of progress, but a prominent issue is the inconsistency in reporting scientific data pertaining to graphical authentication. There is no framework for the reporting of field investigations into graphical authentication solutions. This situation not only hinders knowledge transfer into industry but the progress of research into alternative authentication solutions. Industry and researchers require metrics and strong qualitative data to utilise and progress research in the area. Consequently, the Scottish Informatics and Computer Science Alliance (SICSA) has provided financial support for a research exchange for me to visit and work with Prof. Melanie Volkamer. The primary aim of the proposed exchange is to develop a field evaluation framework for graphical authentication solutions to ensure consistent reporting of scientific data. The Center for Advanced Security Research at Technische Universität Darmstadt has an established track record of transferring knowledge into industry. Notably, Prof. Melanie Volkamer from the Technische Universität Darmstadt, along with Dr Karen Renaud and myself at the University of Glasgow have collaborated and made progress in transferring knowledge of graphical authentication research into industry.

Shrinking the Authentication Footprint. Seventh International Symposium on Human Aspects of Information Security & Assurance. 8th of May 2013.

.

You only live twice or the years we wasted caring about shoulder-surfing. University of Birmingham. 12th of September 2012.

.

An Alternative Avatar. BCS conference on Human Computer Interaction. Newcastle University. 5th of July 2011.

.

Armchair Authentication. BCS conference on Human Computer Interaction. University of Cambridge. 3rd of September 2009.

.

Keynote: Embedding podcasting in the curriculum. Media Enhanced Learning Special Interest Group. Glasgow Caledonian University. 7th of May 2009.

.

Student generated podcasts: Learning to cascade rather than create. 2nd Annual University of Glasgow Learning and Teaching Conference. University of Glasgow. 24th of April 2009.

.

Student generated podcasts: Learning to cascade rather than create. Learners in the Co-creation of Knowledge Symposium. Napier University. 30th of October 2008.

.

Teaching

Enterprise Cyber Security M, Course co-ordinator and Primary Lecturer to ≈120 enrolled students, Session: 2016-2017

.

Professional Skills and Issues H, Course co-ordinator and Primary Lecturer to ≈150 enrolled students, Session: 2016-2017

.

Human Centred Security M, Course co-ordinator and Primary Lecturer to ≈60 enrolled students, Session: 2015-2017

IT Architectures M, Course co-ordinator and Primary Lecturer to ≈24 enrolled students, Session: 2015-2016

.

Enterprise Computing M, Course co-ordinator and Primary Lecturer to ≈80 enrolled students, Session: 2014-2016

.