Our Research at CHI2012 – usable security and public displays

This year we have the chance to share some of our research with the community at CHI2012. The work focuses on usable security ([1] and [2]) and public display systems [3]. Together with the researchers from T-Labs, Florian received a best paper award for [3].

Please have a look at the papers… I think it is really worthwhile.

Increasing the security of gaze-based graphical passwords [1]
“With computers being used ever more ubiquitously in situations where privacy is important, secure user authentication is a central requirement. Gaze-based graphical passwords are a particularly promising means for shoulder-surfing-resistant authentication, but selecting secure passwords remains challenging. In this paper, we present a novel gaze-based authentication scheme that makes use of cued-recall graphical passwords on a single image. In order to increase password security, our approach uses a computational model of visual attention to mask those areas of the image that are most likely to attract visual attention. We create a realistic threat model for attacks that may occur in public settings, such as filming the user’s interaction while drawing money from an ATM. Based on a 12-participant user study, we show that our approach is significantly more secure than a standard image-based authentication and gaze-based 4-digit PIN entry.” [1]

Assessing the vulnerability of magnetic gestural authentication [2]

“Secure user authentication on mobile phones is crucial, as they store highly sensitive information. Common approaches to authenticate a user on a mobile phone are based either on entering a PIN, a password, or drawing a pattern. However, these authentication methods are vulnerable to the shoulder surfing attack. The risk of this attack has increased since means for recording high-resolution videos are cheaply and widely accessible. If the attacker can videotape the authentication process, PINs, passwords, and patterns do not even provide the most basic level of security. In this project, we assessed the vulnerability of a magnetic gestural authentication method to the video-based shoulder surfing attack. We chose a scenario that is favourable to the attacker. In a real world environment, we videotaped the interactions of four users performing magnetic signatures on a phone, in the presence of HD cameras from four different angles. We then recruited 22 participants and asked them to watch the videos and try to forge the signatures. The results revealed that with a certain threshold, i.e., th=1.67, none of the forging attacks was successful, whereas at this level all eligible login attempts were successfully recognized. The qualitative feedback also indicated that users found the magnetic gestural signature authentication method to be more secure than PIN-based and 2D signature methods.” [2] There is also a YouTube video: http://www.youtube.com/watch?v=vhwURyTp_jY

Looking glass: a field study on noticing interactivity of a shop window [3]
“In this paper we present our findings from a lab and a field study investigating how passers-by notice the interactivity of public displays. We designed an interactive installation that uses visual feedback to the incidental movements of passers-by to communicate its interactivity. The lab study reveals: (1) Mirrored user silhouettes and images are more effective than avatar-like representations. (2) It takes time to notice the interactivity (approx. 1.2s). In the field study, three displays were installed during three weeks in shop windows, and data about 502 interaction sessions were collected. Our observations show: (1) Significantly more passers-by interact when immediately showing the mirrored user image (+90%) or silhouette (+47%) compared to a traditional attract sequence with call-to-action. (2) Passers-by often notice interactivity late and have to walk back to interact (the landing effect). (3) If somebody is already interacting, others begin interaction behind the ones already interacting, forming multiple rows (the honeypot effect). Our findings can be used to design public display applications and shop windows that more effectively communicate interactivity to passers-by.” [3]

References
[1] Andreas Bulling, Florian Alt, and Albrecht Schmidt. 2012. Increasing the security of gaze-based cued-recall graphical passwords using saliency masks. In Proceedings of the 2012 ACM annual conference on Human Factors in Computing Systems (CHI ’12). ACM, New York, NY, USA, 3011-3020. DOI=10.1145/2208636.2208712 http://doi.acm.org/10.1145/2208636.2208712
[2] Alireza Sahami Shirazi, Peyman Moghadam, Hamed Ketabdar, and Albrecht Schmidt. 2012. Assessing the vulnerability of magnetic gestural authentication to video-based shoulder surfing attacks. In Proceedings of the 2012 ACM annual conference on Human Factors in Computing Systems (CHI ’12). ACM, New York, NY, USA, 2045-2048. DOI=10.1145/2208276.2208352 http://doi.acm.org/10.1145/2208276.2208352
[3] Jörg Müller, Robert Walter, Gilles Bailly, Michael Nischt, and Florian Alt. 2012. Looking glass: a field study on noticing interactivity of a shop window. In Proceedings of the 2012 ACM annual conference on Human Factors in Computing Systems (CHI ’12). ACM, New York, NY, USA, 297-306. DOI=10.1145/2207676.2207718 http://doi.acm.org/10.1145/2207676.2207718

CHI2012 opening Keynote by Margaret Gould Stewart – Empowerment, Disruption, Magic

Margaret Gould Stewart, a highly regarded user experience designer currently leading UX design at YouTube, presented the opening keynote at CHI2012. She started her talk by reminding us that humans are storytellers – they always have been and probably always will be. What is not constant is the medium – as technologies change, so do the means for storytelling and sharing.

The topic started out with talking about how video connects the world. It extended to a larger view – changing the world through experience design (in the context of video). I often wonder what designers are and she added another quite interesting explanation: designers are humanists. By putting up the definition of humanism she made her point clear that this could apply to good people in design; essentially it is down to caring for humans in their works.

To show the power of video in connecting people she used the following example: the film “Life in a Day” and, as it said in the credits, “a movie filmed by you”. I have not seen it yet, but the trailer made me curious to look at this one (see the film on YouTube).

By asking the question: what are the things that make sites like YouTube have impact? she introduced 3 principles. Sites have to be:

  • Empowering
  • Disruptive
  • Magical

She outlined what these 3 principles mean for user experience design.

For empowering she had very strong examples: how photo sharing, video sharing, and social networks changed what we see of natural disasters and their effect on people. It also changed the way we see it and how we can respond to it. The concrete example was the information coverage of Hurricane Katrina in 2005 (pre-video-sharing age) and the recent flood in Asia. Empowering = helping people to share their stories.

Disruption is in this context the change in use of media and especially how it changes how we perceive the ubiquitous technology of TV. The capabilities that video sharing platforms have are very different from those of TV – at the same time it is disrupting TV massively. She had a further example of how such technology can disrupt: The Khan Academy (basically sharing educational videos) is challenging the education system. As a further step she had an example where a teacher encourages students to make their own instructional videos as a means for them to learn. Disruption = finding new ways that are challenging / overthrowing the old approach.

Magic is what makes technology exciting. There is a quote by Arthur C. Clarke: “Any sufficiently advanced technology is indistinguishable from magic”. The term “magic” has a long tradition in human-computer interaction. Alan Kay talked about it with regard to graphical user interfaces. We had some years back a paper on Magic beyond the screen [1]. In the talk Margaret Gould Stewart used as another example Instagram, as software that provides magical capabilities for the person using it. Another example of magic she discussed is the GPS-based “moving dot” on a map that makes navigation in mobile maps easy. Even without navigational skills people can “magically” find their way. Her advice is “do not get in the way of magic” – focus on the experience, not the technology in the background. In short she summarized: “Magic disrupts the notion of reality”.

She combined the principles in one example in the design of YouTube. She discussed the page design using an analogy to a plate. A great plate makes all food presented on it look more attractive and the design goal of the YouTube page is to be such a plate for video. It should make all videos look better.

Another example used to highlight how to empower, disrupt, and create magic is http://www.thejohnnycashproject.com/. Each participant can manipulate one frame of the video (within given limits) and the outcome of the whole video is amazing. It cannot be described; you have to watch it.

Related to the example above an interesting question comes up: How much control is required and what type of control is applied? Here one example is Twitter, which limits how much you can write but does not limit what you post (limiting the form but not the content). She made an interesting argument about control. If you believe that democracy works and is good you can assume that people in general will make the right decisions. One further indicator is that positive things go viral much more often than negative things. One of the takeaway messages is to believe in people and empower them.

To sum up, there are three questions to be asked when designing an experience:

  • How to empower people?
  • How to disrupt?
  • How to create magic?

A final and important point is that there are things that cannot be explained and she argued that we should value this.

[1] Albrecht Schmidt, Dagmar Kern, Sara Streng, and Paul Holleis. 2008. Magic Beyond the Screen. IEEE MultiMedia 15, 4 (October 2008), 8-13. DOI=10.1109/MMUL.2008.93 http://dx.doi.org/10.1109/MMUL.2008.93
