1,229 research outputs found

    “Ten strikes and you're out”: Increasing the number of login attempts can improve password usability

    Many users today are struggling to manage an increasing number of passwords. As a consequence, many organizations face an increasing demand on an expensive resource – the system administrators or help desks. This paper suggests that re-considering the “3-strikes” policy commonly applied to password login systems would be an immediate way of reducing this demand. We analyzed 10 weeks worth of system logs from a sample of 386 users, whose login attempts were not restricted in the usual manner. During that period, only 10% of login attempts failed. We predict that requests for password reminders could be reduced by up to 44% by increasing the number of strikes from 3 to ten

    Contextualizing the blogosphere: A comparison of traditional and novel user interfaces for the web

    In this paper, we investigate how contextual user interfaces affect blog reading experience. Based on a review of previous research, we argue why and how contextualization may result in (H1) enhanced blog reading experiences. In an eyetracking experiment, we tested 3 different web-based user interfaces for information spaces. The StarTree interface (by Inxight) and the Focus-Metaphor interface are compared with a standard blog interface. Information tasks have been used to evaluate and compare task performance and user satisfaction between these three interfaces. We found that both contextual user interfaces clearly outperformed the traditional blog interface, both in terms of task performance as well as user satisfaction. © 2007 Laqua, S., Ogbechie, N. and Sasse, M. A

    Better the Devil You Know: A User Study of Two CAPTCHAs and a Possible Replacement

    CAPTCHAs are difficult for humans to use, causing frustration. Alternatives have been proposed, but user studies equate usability to solvability. We consider the user perspective to include workload and context of use. We assess traditional text-based CAPTCHAs alongside PlayThru, a 'gamified' verification mechanism, and NoBot, which uses face biometrics. A total of 87 participants were tasked with ticket-buying across three conditions: (1) all three mechanisms in comparison, and NoBot three times (2) on a laptop, and (3) on a tablet. A range of quantitative and qualitative measurements explored the user perspective. Quantitative results showed that participants completed reCAPTCHAs quickest, followed by PlayThru and NoBot. Participants were critical of NoBot in comparison but praised it in isolation. Despite reporting negative experiences with reCAPTCHAs, they were the preferred mechanism, due to familiarity and a sense of security and control. Although slower, participants praised NoBot's completion speeds, but regarded using personal images as invading privacy

    "I don’t like putting my face on the Internet!": An acceptance study of face biometrics as a CAPTCHA replacement

    Biometric technologies have the potential to reduce the effort involved in securing personal activities online, such as purchasing goods and services. Verifying that a user session on a website is attributable to a real human is one candidate application, especially as the existing CAPTCHA technology is burdensome and can frustrate users. Here we examine the viability of biometrics as part of the consumer experience in this space. We invited 87 participants to take part in a lab study, using a realistic ticket-buying website with a range of human verification mechanisms including a face biometric technology. User perceptions and acceptance of the various security technologies were explored through interviews and a range of questionnaires within the study. The results show that some users wanted reassurance that their personal image will be protected or discarded after verifying, whereas others felt that if they saw enough people using face biometrics they would feel assured that it was trustworthy. Face biometrics were seen by some participants to be more suitable for high-security contexts, and by others as providing extra personal data that had unacceptable privacy implications

    Measuring the Success of Context-Aware Security Behaviour Surveys

    Background: We reflect on a methodology for developing scenario-based security behaviour surveys that evolved through deployment in two large partner organisations (A & B). In each organisation, scenarios are grounded in workplace tensions between security and employees’ productive tasks. These tensions are drawn from prior interviews in the organisation, rather than using established but generic questionnaires. Survey responses allow clustering of participants according to predefined groups. Aim: We aim to establish the usefulness of framing survey questions around active security controls and problems experienced by employees, by assessing the validity of the clustering. We introduce measures for the appropriateness of the survey scenarios for each organisation and the quality of candidate answer options. We use these scores to articulate the methodological improvements between the two surveys. Method: We develop a methodology to verify the clustering of participants, where 516 (A) and 195 (B) free-text responses are coded by two annotators. Inter-annotator metrics are adopted to identify agreement. Further, we analyse 5196 (A) and 1824 (B) appropriateness and severity scores to measure the appropriateness and quality of the questions. Results: Participants rank questions in B as more appropriate than in A, although the variations in the severity of the answer options available to participants is higher in B than in A. We find that the scenarios presented in B are more recognisable to the participants, suggesting that the survey design has indeed improved. The annotators mostly agree strongly on their codings with Krippendorff’s α > 0.7. A number of clusterings should be questioned, although α improves for reliable questions by 0.15 from A to B. Conclusions: To be able to draw valid conclusions from survey responses, the train of analysis needs to be verifiable. Our approach allows us to further validate the clustering of responses by utilising free-text responses. Further, we establish the relevance and appropriateness of the scenarios for individual organisations. While much prior research draws on survey instruments from research before it, this is then often applied in a different context; in these cases adding metrics of appropriateness and severity to the survey design can ensure that results relate to the security experiences of employees

    Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security

    The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the 'weakest link in the security chain'. We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing human/computer interaction knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security

    Do you knowdis? A user study of a knowledge discovery tool for organizations

    Organisations today have no reliable way of ensuring that all employees are aware of information that may be relevant to their work. In this paper we report on a 2-year project in which we have iteratively designed, developed and tested a knowledge discovery system (KnowDis) for organizations. Early stages of our study revealed that, employees do not know what is available on the corporate intranet, or files and messages they have stored. KnowDis proactively fetches relevant information and displays it in an unobtrusive form; this increases employee awareness without disrupting their tasks. We discuss and characterize knowledge workers' email usage behavior. Our main study with 28 users of KnowDis-enhanced email showed it can improve the user experience and performance on information retrieval tasks for knowledge workers