The Emperor's New Security Indicators:
An evaluation of website authentication
and the effect of role playing on usability studies
[Download PDF]
This is a working draft of a paper to appear at the IEEE Symposium on Security and Privacy from May 20--27, 2007 in Oakland, California.
Authors
- Stuart Schechter (MIT Lincoln Laboratory)
- Rachna Dhamija (Harvard University & CommerceNet)
- Andy Ozment (MIT Lincoln Laboratory & University of Cambridge)
- Ian Fischer (Harvard University)
Abstract
We evaluate website authentication measures that are designed to protect users from man-in-the-middle, "phishing", and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant's site-authentication image---the customer-selected image that many websites now expect their users to verify before entering their passwords. Finally, we replaced the bank's login page with a warning page. After each clue, we measured whether participants entered their passwords or withheld them.We also investigate how a study's design affects participant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused instructions.
We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 92% participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants' security behavior: role-playing participants behaved significantly less securely than those using their own passwords.
This paper has been accepted for publication at the 2007 IEEE Symposium on Security and Privacy, May 20-23, 2007, Oakland, California, USA. Copyright 2007 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Interested in Security Usability?
Consider attending:
- The Usable Security Workshop on February 15-16, 2007.
- The Symposium On Usable Privacy and Security on July 18-20, 2007.