PhD student Sanchari Das and Professor L. Jean Camp presented a technical briefing at Black Hat 2018 this year. Their research on Yubico security keys, done in partnership with PhDs Gianpaolo Russo and Andrew Dingman, has improved both the understanding of how authentication keys are used and the implementation and acceptance rates of the keys themselves. Their technical briefing is well covered in CNET’s news article on the presentation, which describes the low-adoption problem that has kept easy-to-use security out of people’s hands, as well as the continuing research into why such keys are not commonly used:
Two-factor authentication is one of the easiest ways to prevent hackers from hijacking your accounts. And at a time when hacks of retail chains like Chipotle, websites like Yahoo or credit-check bureaus like Equifax happen with a startlingly high frequency, it’s a practice you should start making a habit.
Camp and Das suggested that the best way to get more people to use two-factor authentication would be to better communicate the risks. The same way “Smoking Kills” signs next to cigarettes drive the point home, websites and apps should let users know that a strong password might not be enough.
Black Hat is a unique conference due to its blend of industry and academic security practitioners, researchers, and enthusiasts. With 17,000 attendees specializing in security, this conference is quite an experience for the first-time attendee, as Das notes.
This was my first year at Black Hat. I was pleased to speak about the usability and adaptability of Two-Factor Authentication. We particularly conducted our research on Yubico security tokens, where we studied technically savvy people. Through a qualitative study, our aim was to understand how security enthusiasts perceive risks and how we can communicate security risks and benefits in a better way to not only match user expectations but also enhance adaptability for better security practices. Our talk was attended by more than 1,500 session attendees. I was overwhelmed with the positive response our talk received. Security experts from Yubico, Duo, Microsoft, and other companies reached out to me during the wrap-up session and asked me questions about our research. It was exciting for me to see the enthusiasm of these Black Hat attendees and how interested they are in enhancing the user experience to create more secure environments. I thoroughly loved my experience at Black Hat. As a person who is starting her career in the field of privacy and security, this was the perfect venue to showcase my work and research.
Professor Camp is an experienced attendee at security conferences as well as a widely recognized contributor in the area of usable security. As a Fellow of the IEEE and a Fellow of the AAAS, Camp has spent her career focusing on the intersection of human and technical trust, leveraging economic models and human-centered design to create safe, secure systems. Her direction and teaching can be heard in Das’s call for better usable security.
We have to make security more user friendly, and that was the motivation of our research. Build tools which are not only secure but usable as well. Communicate risks in a better way such that users clearly understand why they need to adapt to better security practices.
We should motivate the users and give them clear benefits without creating information overload, which in turn can run into security fatigue. Humans should not be made the weakest link in this loop. Not everyone needs to understand the security jargon, but everyone needs to be protected from security vulnerabilities. As a security researcher, I want to understand user perception and provide actionable risk communication techniques which motivate users to create a secure environment for themselves.
The research team’s work was a multi-stage study which observed users setting up and using Yubico keys. Those experiences were coded into quantifiable data, which led the researchers to make a series of recommendations to the manufacturer. Once the recommendations were adopted, acceptance rates increased while failure rates decreased. Their studies continue with investigations into special risk groups, including elderly users.
Professor Camp has invested in multimedia risk communication to make security more understandable, acceptable, and usable. In addition to devices, she has pioneered short videos that teach the most basic computer security practices, such as using multiple passwords.
Professor Camp is also the co-director of the Security and Privacy in Informatics, Computing, and Engineering (SPICE) center at Indiana University. SPICE’s dedication to interdisciplinary and fundamental research in the field of security and privacy in informatics and computing is well reflected in our team’s presentation at Black Hat 2018.