11 research outputs found

    Shoulder-Surfing Resistant Authentication for Augmented Reality

    Augmented Reality (AR) Head-Mounted Displays (HMD) are increasingly used in industry to digitize processes and enhance user experience by enabling real-time interaction with both physical and virtual objects. In this context, HMD provide access to sensitive data and applications which demand authenticating users before granting access. Furthermore, these devices are often used in shared spaces. Thus, shoulder-surfing attacks need to be addressed. As users can remember pictures more easily than text, we applied the recognition-based graphical password scheme “Things” from previous work on an AR HMD while placing the pictures for each authentication attempt in a random order. We implemented this scheme for the HMD Microsoft HoloLens and conducted a user study evaluating Things's usability. All participants could be successfully authenticated and the System Usability Scale (SUS) score is with 74 categorized as above average. We discuss as future work how to improve the SUS scores, e.g., by using different grid designs and input methods

    Towards Secure and Usable Authentication for Augmented and Virtual Reality Head-Mounted Displays

    Immersive technologies, including augmented and virtual reality (AR & VR) devices, have enhanced digital communication along with a considerable increase in digital threats. Thus, authentication becomes critical in AR & VR technology, particularly in shared spaces. In this paper, we propose applying the ZeTA protocol that allows secure authentication even in shared spaces for the AR & VR context. We explain how it can be used with the available interaction methods provided by Head-Mounted Displays. In future work, our research goal is to evaluate different designs of ZeTA (e.g., interaction modes) concerning their usability and users' risk perception regarding their security - while using a cross-cultural approach

    Reporting on insights gained into UK citizens' perceptions of contactless card risks

    Contactless debit cards are widely used in the UK, slowly becoming popular in other countries as well. The feature that distinguishes these cards from regular ones is that they can be used without entering a PIN if the transaction amount is below a predetermined limit. This is undeniably convenient, but introduces a risk: cards could be lost or stolen, and the new holder could make purchases without providing a PIN. European banking regulations (PSD2) mandate that customers be fully refunded by their banks in these cases (as long as no negligence can be proven). While the law is clear regarding liability and citizens’ actual contactless card risks, we wanted to explore UK citizens’ perceptions in this respect. We conducted an online survey, specifically exploring the perceptions of liability, severity and likelihood of contactless card fraud. We discovered that participants’ risk perceptions were not aligned with their actual risk. In particular, most participants assumed that they themselves would be liable for any contested transactions. There are clear lessons to be learned – also valid for other EU countries – emphasising the need to ensure that consumers are aware of their rights in this respect

    An investigation of phishing awareness and education over time: When and how to best remind users

    Security awareness and education programmes are rolled out in more and more organisations. However, their effectiveness over time and, correspondingly, appropriate intervals to remind users’ awareness and knowledge are an open question. In an attempt to address this open question, we present a field investigation in a German organisation from the public administration sector. With overall 409 employees, we evaluated (a) the effectiveness of their newly deployed security awareness and education programme in the phishing context over time and (b) the effectiveness of four different reminder measures – administered after the initial effect had worn off to a degree that no significant improvement to before its deployment was detected anymore. We find a significantly improved performance of correctly identifying phishing and legitimate emails directly after and four months after the programme’s deployment. This was not the case anymore after six months, indicating that reminding users after half a year is recommended. The investigation of the reminder measures indicates that measures based on videos and interactive examples perform best, lasting for at least another six months

    Diagnosis of comorbid migraine without aura in patients with idiopathic/genetic epilepsy based on the gray zone approach to the International Classification of Headache Disorders 3 criteria

    Background: Migraine without aura (MwoA) is a very frequent and remarkable comorbidity in patients with idiopathic/genetic epilepsy (I/GE). Frequently in clinical practice, diagnosis of MwoA may be challenging despite the guidance of current diagnostic criteria of the International Classification of Headache Disorders 3 (ICHD-3). In this study, we aimed to disclose the diagnostic gaps in the diagnosis of comorbid MwoA, using a zone concept, in patients with I/GEs with headaches who were diagnosed by an experienced headache expert. Methods: In this multicenter study including 809 consecutive patients with a diagnosis of I/GE with or without headache, 163 patients who were diagnosed by an experienced headache expert as having a comorbid MwoA were reevaluated. Eligible patients were divided into three subgroups, namely, full diagnosis, zone I, and zone II according to their status of fulfilling the ICHD-3 criteria. A Classification and Regression Tree (CART) analysis was performed to bring out the meaningful predictors when evaluating patients with I/GEs for MwoA comorbidity, using the variables that were significant in the univariate analysis. Results: Longer headache duration (<4 h) followed by throbbing pain, higher visual analog scale (VAS) scores, increase of pain by physical activity, nausea/vomiting, and photophobia and/or phonophobia are the main distinguishing clinical characteristics of comorbid MwoA in patients with I/GE, for being classified in the full diagnosis group. Despite being not a part of the main ICHD-3 criteria, the presence of associated symptoms mainly osmophobia and also vertigo/dizziness had the distinguishing capability of being classified into zone subgroups. The most common epilepsy syndromes fulfilling full diagnosis criteria (n = 62) in the CART analysis were 48.39% Juvenile myoclonic epilepsy followed by 25.81% epilepsy with generalized tonic-clonic seizures alone. Conclusion: Longer headache duration, throbbing pain, increase of pain by physical activity, photophobia and/or phonophobia, presence of vertigo/dizziness, osmophobia, and higher VAS scores are the main supportive associated factors when applying the ICHD-3 criteria for the comorbid MwoA diagnosis in patients with I/GEs. Evaluating these characteristics could be helpful to close the diagnostic gaps in everyday clinical practice and fasten the diagnostic process of comorbid MwoA in patients with I/GEs

    PassGlobe: A Shoulder-Surfing-Resistant Authentication Scheme for Virtual Reality Head-Mounted Displays

    Virtual reality (VR) makes it possible to immerse oneself in virtual worlds and interact with an immersive 3-D environment. The virtual experience is delivered through head-mounted displays (HMDs). The increasing use of VR by companies and private individuals in a variety of domains requires secure and user-friendly authentication schemes. The risk of shoulder-surfing attacks during authentication is particularly high, because the user is completely isolated from the real environment during the VR experience. In this work, existing literature on VR authentication is evaluated against previously defined requirements, and the graphical authentication scheme PassGlobe, which is resistant to shoulder-surfing attacks, is proposed