InfoSec Seminar: Upcoming papers at NDSS Usable Security Workshop (USEC'15)

Speaker: Kat Krol, Iacovos Kirlappos

Date/Time: 29-Jan-2015, 16:00 UTC



Talk 1: 

Kat Krol, Eleni Philippou, Emiliano De Cristofaro, M. Angela Sasse. “They brought in the horrible key ring thing”. Analysing the Usability of Two-Factor Authentication in UK Online Banking.


Aiming to prevent password breaches and guessing attacks, banks increasingly turn to two-factor authentication (2FA), requiring users to present at least one more factor, such as a one-time code generated by a hardware token or received via SMS, besides a password. We can expect some solutions -- especially those adding a token -- to create extra work for users, but little research has actually focused on usability, user acceptance, and perceived security of deployed 2FA.

This paper presents an in-depth study of 2FA usability with 21 UK online banking customers, 15 of whom had accounts with more than one bank. We collected a rich set of qualitative and quantitative data through two rounds of semi-structured interviews, and an authentication diary over an average of 11 days. Our participants reported a wide range of usability issues especially with the use of hardware tokens, showing that the mental and physical workload involved shapes how they use online banking. Key targets for improvements are the reduction in the number of authentication steps, minimising confusion, and removal of features that do not add any security but negatively affect the user experience. 


Talk 2:

Iacovos Kirlappos and M. Angela Sasse. Fixing Security Together: Leveraging trust relationships to improve security in organizations


Current approaches to information security focused on deploying security mechanisms, creating policies and communicating those to employees.   Little consideration was given to how policies and mechanisms affect trust relationships in an organization, and in turn security behavior.  Our analysis of 208 in-depth interviews with employees in two large multinational organizations found two trust relationships: between the organization and its employees (organization-employee trust), and between employees (inter-employee trust).  When security interferes with employees’ ability to complete work tasks, they rely on inter-employee trust to overcome those obstacles (e.g. sharing a password with a colleague who is locked out of a system and urgently needs access).  Thus, non-compliance is a collaborative action, which develops inter-employee trust further, as employees now become “partners in crime”.  The existence of these two relationships also presents employees with a clear dilemma: either try to comply with cumbersome security (and honor organization-employee trust) or help their colleagues by violating security (preserving inter-employee trust).  We conclude that designers of security policies and mechanisms need to support both types of trust, and discuss how to leverage trust to achieve effective security protection.  This can enhance organizational cooperation to tackle security challenges, provide motivation for employees to behave securely, while also reducing the need for expensive physical and technical security mechanisms.  

Slides here



This page was last modified on 27 Mar 2014.