Publications

Gutmann, A., Renaud, K., Maguire, J., Mayer, P., Volkamer, M., Matsuura, K. and Müller-Quade, J. "ZeTA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology" To appear In Proceedings of the 1st IEEE European Symposium on Security and Privacy, (Saarbrücken, Germany, 2016), IEEE.

Acceptance rate: 17.6% / Abstract / PDF

Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. The contributions of this paper are:

1. we propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels.
2. we outline a security analysis to assess the envisaged performance of the proposed authentication protocol.
3. we report on a usability study that explores the viability of relying on human computation in this context.

Maguire, J. and Renaud, K. "Alternative Authentication in the Wild" In Proceedings of the 5th Annual Workshop on Socio-Technical Aspects in Security and Trust, co-located with the 28th IEEE Computer Security Foundations Symposium, (Verona, Italy, 2015), IEEE, pp.32-39.

Abstract / PDF

Alphanumeric authentication routinely fails to regulate access to resources with the required stringency, primarily due to usability issues. Initial deployment did not reveal the problems of passwords, deep and profound flaws only emerged once passwords were deployed in the wild. The need for a replacement is widely acknowledged yet despite over a decade of research into knowledge-based alternatives, few, if any, have been adopted by industry. Alternatives are unconvincing for three primary reasons. The first is that alternatives are rarely investigated beyond the initial proposal, with only the results from a constrained lab test provided to convince adopters of their viability. The second is that alternatives are seldom tested realistically where the authenticator mediates access to something of value. The third is that the testing rarely varies the device or context beyond that initially targeted. In the modern world different devices are used across a variety of contexts. What works well in one context may easily fail in another. Consequently, the contribution of this paper is an "in the wild" evaluation of an alternative authentication mechanism that had demonstrated promise in its lab evaluation. In the field test the mechanism was deployed to actual users to regulate access to an application in a context beyond that initially proposed. The performance of the mechanism is reported and discussed. We conclude by reflecting on the value of field evaluations of alternative authentication mechanisms. The contributions of this paper are:

1. we report on a field investigation of a previously proposed alternative authentication mechanism.
2. we highlight aspects related to the design and methodological considerations that need to be considered in carrying out a field investigation of an alternative authentication mechanism that performed well it its initial evaluations.
3. we discuss the lessons we learned and reflect on the value of probationing an alternative authentication mechanism in the wild.

Renaud, K. and Maguire, J. "Regulating Access to Adult Content (with Privacy Preservation)" In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, (Seoul, South Korea, 2015), ACM, pp.4019-4028.

Acceptance rate: 23.0% / Abstract / PDF

In the physical world we have well-established mechanisms for keeping children out of adult-only areas. In the virtual world this is generally replaced by self declaration. Some service providers resort to using heavy-weight identification mechanisms, judging adulthood as a side effect thereof. Collection of identification data arguably constitutes an unwarranted privacy invasion in this context, if carried out merely to perform adulthood estimation. This paper presents a mechanism that exploits the adult's more extensive exposure to public media, relying on the likelihood that they will be able to recall details if cued by a carefully chosen picture. We conducted an online study to gauge the viability of this scheme. With our prototype we were able to predict that the user was a child 99% of the time. Unfortunately the scheme also misclassified too many adults. We discuss our results and suggest directions for future research. The contributions of this paper are:

1. the concept of knowledge-based regulation of access to adult content
2. proven accuracy of the scheme based on two studies, using empirically validated images to perform adulthood estimation
3. discussion of the implementation challenges and proposals for future work

Renaud, K., Volkamer, M. and Maguire, J. (2014) "ACCESS: Describing and Contrasting Authentication Mechanisms" In Proceedings of the Second International Conference on Human Aspects of Information Security, Privacy, and Trust, (Crete, Greece, 2014), Springer International Publishing, pp.183-194.

Abstract

The password the almost universal authentication solution yet is buckling under the strain. It demonstrates insufficiency and weakness due to poor choice, reuse and ease of transfer. Graphical passwords, biometrics, and hardware tokens have been suggested as alternatives. Industry has, unfortunately, not embraced these alternatives. One possible explanation is the complexity of the choice process. To support authentication decision-markers we suggest a framework called ACCESS (Authentication ChoiCE Support System) which captures requirements, consults a knowledge base of existing authentication mechanisms and their properties, and suggests those mechanisms that match the specified requirements.

Renaud, K., Mayer, P., Volkamer, M. and Maguire, J. "Are Graphical Authentication Mechanisms As Strong As Passwords?" In Proceedings of the 2013 Federated Conference on Computer Science and Information Systems, (Krako, Poland, 2013), IEEE, pp.837-844.

Abstract

The fact that users struggle to keep up with all their (textual) passwords is no secret. Thus, one could argue that the textual password needs to be replaced. One alternative is graphical authentication. A wide range of graphical mechanisms have been proposed in the research literature. Yet, the industry has not embraced these alternatives. We use nowadays (textual) passwords several times a day to mediate access to protected resources and to ensure that accountability is facilitated. Consequently, the main aspect of interest to decision-makers is the strength of an authentication mechanism to resist intrusion attempts. Yet, researchers proposing alternative mechanisms have primarily focused on the users' need for superior usability while the strength of the mechanisms often remains unknown to the decision makers. In this paper we describe a range of graphical authentication mechanisms and consider how much strength they exhibit, in comparison to the textual password. As basic criteria for this comparison, we use the standard guessability, observability and recordability metrics proposed by De Angeli et al. in 2005. The intention of this paper is to provide a better understanding of the potential for graphical mechanisms to be equal to, or superior to, the password in terms of meeting its most basic requirement namely resisting intrusion attempts.

Renaud, K., Kennes, D., van Niekerk, J. and Maguire, J. "SNIPPET: Genuine knowledge-based authentication" In Proceedings of the 13th Annual Conference on Information Security, (Johannesburg, South Africa, 2013), IEEE, pp.1-8.

Abstract

Authentication is traditionally performed based on what you know, what you hold or what you are. The first is the most popular, in the form of the password. This is often referred to as “knowledge-based” authentication. Yet, given the guidelines for password restrictions commonly given to end-users we will argue that this is a misnomer. A strong password is actually a lengthy string of gibberish or nonsense. Common password strength guidelines advise users against choosing meaningful passwords. Humans are not very good at remembering nonsense strings so they very reasonably choose meaningful passwords which are easily guessed. This appears to constitute a stand off between the mnemonic needs of end users and the security needs of the system. If we could find a way of reducing the mnemonic load on users they might well be more likely to choose stronger authentication secrets. We could, for example, rely on pre-existing knowledge rather than requiring users to memorise a random alphanumeric string. If we were able to do this it should be easier for them to respond, and also harder for a random intruder to replicate the knowledge. Testing knowledge directly is probably infeasible in an au- thentication setting. We will show that experts can identify what they themselves produce as they go about carrying out their own skilled activities. We trialled a prototype mechanism which tested the mem- orability, observability and guessability of an authentication mechanism that relied on an expert programmer identifying his/her own code snippets. We conducted a pilot study and report on our findings. These findings are not conclusive given the small number of participants but they do show promise and suggest that this is an area worth pursuing.

Maguire, J. & Renaud, K. "You only live twice or the years we wasted caring about shoulder-surfing" In Proceedings of the 26th British HCI Group Annual Conference on People and Computers, (Birmingham, United Kingdom, 2012), ACM, pp.404-409.

Abstract

Passwords are a good idea, in theory. They have the potential to act as a fairly strong gateway. In practice though, passwords are plagued with problems. They are (1) easily shared, (2) trivial to observe and (3) maddeningly elusive when forgotten. While alternatives to passwords have been proposed, none, as yet, have been adopted widely. There seems to be a reluctance to switch from tried and tested passwords to novel alternatives, even if the most glaring flaws of passwords can be mitigated. One argument is that there is not enough investigation into the feasibility of many password alternatives. Graphical authentication mechanisms are a case in point. Therefore, in this paper, we detail the design of two prototype applications that utilise graphical authentication mechanisms. However, when forced to consider the design of such prototypes, we find that pertinent password problems eg. observation of entry, are just that: password problems. We conclude that effective, alternative authentication mechanisms should target authentication scenarios rather than the well-known problems of passwords. This is the only route to wide-spread adoption of alternatives.

Maguire, J. & Renaud, K. (2011) "An Alternative Avatar" Health, Wealth and Identity Theft Workshop at the 25th British HCI Group Annual Conference on People and Computers, (Newcastle, United Kingdom, 2011), ACM.

Abstract

Fragments of information are generated and maintained, everyday. In the aggregate, these fragments are crucial to companies like Google and Facebook. Therefore, they create free services which drive the creation of fragments and discourage the destruction of them. However, there are potentially unforeseen costs, in terms of security and energy, in managing all these fragments. We propose an image-based avatar, which fluctuates depending on the information generated by an individual online. The contribution of this paper is:

1. we propose an alternative to the username, in the form of a dynamic avatar whose appearance fluctuates depending on the information shared by the user.

Maguire, J. & Renaud, K. "Armchair Authentication" In Proceedings of the 23rd British HCI Group Annual Conference on People and Computers: Celebrating People and Technology, (Cambridge, United Kingdom, 2009), ACM, pp.388-397.

Acceptance rate: 25.0% / Abstract / PDF / Slide Deck

Alphanumeric authentication, by means of a secret, is not only a powerful mechanism, in theory, but prevails over all its competitors in practice. However, it is clearly inadequate in a world where increasing numbers of systems and services require people to authenticate in a shared space, while being actively observed. This new reality places pressure on a password mechanism never intended for use in such a context. Asterisks may obfuscate alphanumeric characters on entry but popular systems, e.g. Apple iPhone and Nintendo Wii, regularly require users to use an on-screen keyboard for character input. This may not be a real concern within the context of secluded space but inadvertly reveals a secret within shared space. Such a secret has an economic cost in terms of replacement, recall and revenue, all of which affect the financial return of the offending systems and services. In this paper, we present and evaluate a graphical authentication mechanism, Tetrad, which appears to have the potential to address these specific concerns. The contributions of this paper are:

1. we propose a observation-resilient graphical authentication mechanism for use on a television.
2. we report empirical evidence from a controlled lab-study on performance of observation-resilience and cognitive demands on the user.
3. we reflect and discuss the relevance of graphical authentication mechanisms in a shared-space.

The afordmentioned papers represent a curated selection, a full list of publications is available as well.

Participation

Curated list of messages from Twitter

Awards & Esteem

Postdoctoral and Early Career Researcher Exchange, Scottish Informatics & Computer Science Alliance (£5,900)

Awarded to support a research exchange with Prof. Melanie Volkamer at the Centre of Advanced Security Research in the Technische Universität Darmstadt in Germany. The opportunity affords me to the opportunity to experience a different environment, development my network and lay the foundation for future collaboration.

College of Science and Engineering Scholarship, University of Glasgow (£)

Pretigious scholarship awarded to cover Ph.D. tuition fees and provide a stipend. The last such scholarship awarded to The School of Computing Science to date.

Chancellor's Fund, University of Glasgow (£31,611)

Awarded to support the research, development and deployment of technologies and approaches for the learning and development of students in further education.

Talks

Graduate Employability Challenges and Practices. Centre for Computing Science Education. University of Glasgow. 20th of March 2017.

.

Alternative Authentication in the Wild, University of Verona, Socio-Technical Aspects in Security and Trust Workshop, 28th IEEE Computer Security Foundations Symposium (CSF 2015), 13th of July 2015

.

Regulating Access to Adult Content (with Privacy Preservation), Coex Convention and Exhibition Centre, 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI 2015), 23rd of April 2015

.

Regulating Access to Adult Content (with Privacy Preservation), Centre for Advanced Security Research, Technische Universitat Darmstadt, 5th of April 2015

.

Alternative Authentication Research in Scotland, Centre for Advanced Security Research, Technische Universitat Darmstadt, 5th of Feburary 2015

Research into graphical authentication has yet to be meaningfully transferred into industry. This is the case globally, but is concerning in Scotland as considerable research into the area has been published and presented by academics in SICSA universities (e.g. University of Glasgow, Glasgow Caledonian University, Napier University). The lack of knowledge transfer is particularly perplexing given the interest of industry in improving digital security. There are several explanations for the lack of progress, but a prominent issue is the inconsistency in reporting scientific data pertaining to graphical authentication. There is no framework for the reporting of field investigations into graphical authentication solutions. This situation not only hinders knowledge transfer into industry but the progress of research into alternative authentication solutions. Industry and researchers require metrics and strong qualitative data to utilise and progress research in the area. Consequently, the Scottish Informatics and Computer Science Alliance (SICSA) has provided financial support for a research exchange for me to visit and work with Prof. Melanie Volkamer. The primary aim of the proposed exchange is to develop a field evaluation framework for graphical authentication solutions to ensure consistent reporting of scientific data. The Center for Advanced Security Research at Technische Universität Darmstadt has an established track record of transferring knowledge into industry. Notably, Prof. Melanie Volkamer from the Technische Universität Darmstadt, along with Dr Karen Renaud and myself at the University of Glasgow have collaborated and made progress in transferring knowledge of graphical authentication research into industry.

Shrinking the Authentication Footprint. Seventh International Symposium on Human Aspects of Information Security & Assurance. 8th of May 2013.

.

You only live twice or the years we wasted caring about shoulder-surfing. University of Birmingham. 12th of September 2012.

.

An Alternative Avatar. BCS conference on Human Computer Interaction. Newcastle University. 5th of July 2011.

.

Armchair Authentication. BCS conference on Human Computer Interaction. University of Cambridge. 3rd of September 2009.

.

Keynote: Embedding podcasting in the curriculum. Media Enhanced Learning Special Interest Group. Glasgow Caledonian University. 7th of May 2009.

.

Student generated podcasts: Learning to cascade rather than create. 2nd Annual University of Glasgow Learning and Teaching Conference. University of Glasgow. 24th of April 2009.

.

Student generated podcasts: Learning to cascade rather than create. Learners in the Co-creation of Knowledge Symposium. Napier University. 30th of October 2008.

.

Teaching

Enterprise Computing M, Course Leader and Primary Lecturer to ≈80 enrolled students, Session: 2014-2015