A number of security mechanisms are well understood from a technical point of view, but fail in practice due to human factors. Our goal is to design and evaluate security mechanisms that specifically take into account the human users who will use them. The following gives an overview of specific projects we are involved in. (For more details see our publications page.)
Usability of Risk-based Implicit Authentication
Internet services have realized that passwords will not be replaced in the near future. Thus, they came up with solutions to reinforce password-based authentication, mostly by considering additional factors other than passwords. Risk-based authentication is used to protect accounts if an unrecognized device or an unusual sign-in location is detected. In such cases, the website will ask for additional verification and notify the user via email.
- More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication – ACSAC 2020
- Evaluation of Risk-based Re-Authentication Methods – IFIP SEC 2020
- Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild – IFIP SEC 2019
- Who Are You? A Statistical Approach to Measuring User Authenticity – NDSS 2016
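The decision logic described above (recognised device and usual location pass through; an unrecognised device or unusual location triggers additional verification plus an e-mail notification) as a small worked example. This is added illustration code, not code from the group or from any of the papers listed; the device identifier, the coarse country attribute, the point weights and the two thresholds are all assumptions chosen for the example, and the user history is constructed sample data.

```python
from dataclasses import dataclass, field

# Point weights and thresholds are illustrative choices, not values from the page.
UNKNOWN_DEVICE = 50
NEW_COUNTRY = 40
RARE_COUNTRY = 20          # country seen in < 10 % of past successful logins
FAILED_ATTEMPT = 15        # per consecutive failed password attempt
FAILED_CAP = 30
VERIFY_THRESHOLD = 50      # ask for additional verification and notify by e-mail
BLOCK_THRESHOLD = 90       # refuse the login and notify by e-mail


@dataclass
class LoginAttempt:
    user: str
    device_id: str      # assumed: a persistent browser cookie or fingerprint hash
    country: str        # assumed: coarse geolocation of the client IP
    password_ok: bool   # result of the ordinary password check


@dataclass
class UserHistory:
    devices: set = field(default_factory=set)
    countries: dict = field(default_factory=dict)   # country -> successful logins
    failed_streak: int = 0


def make_demo_store():
    """Constructed sample history for one user; not real data."""
    return {"alice": UserHistory(devices={"dev-A1"}, countries={"DE": 40, "FR": 2})}


def risk_score(history, attempt):
    """Higher is riskier; 0 means everything matches what was seen before."""
    total = sum(history.countries.values())
    if not history.devices and total == 0:
        return 0  # first login of a fresh account: nothing to compare, enrol it
    score = 0
    if attempt.device_id not in history.devices:
        score += UNKNOWN_DEVICE
    seen = history.countries.get(attempt.country, 0)
    if seen == 0:
        score += NEW_COUNTRY
    elif seen / total < 0.1:
        score += RARE_COUNTRY
    score += min(FAILED_CAP, FAILED_ATTEMPT * history.failed_streak)
    return score


def record_login(history, attempt):
    """Remember a login the user has proven is theirs."""
    history.devices.add(attempt.device_id)
    history.countries[attempt.country] = history.countries.get(attempt.country, 0) + 1
    history.failed_streak = 0


def decide(store, attempt):
    """Return the risk-based decision for one login attempt and update history."""
    history = store.setdefault(attempt.user, UserHistory())
    if not attempt.password_ok:
        history.failed_streak += 1
        return {"action": "DENY", "notify_email": False, "score": None}
    score = risk_score(history, attempt)
    if score >= BLOCK_THRESHOLD:
        return {"action": "BLOCK", "notify_email": True, "score": score}
    if score >= VERIFY_THRESHOLD:
        # Device and location are enrolled only after complete_verification().
        return {"action": "VERIFY", "notify_email": True, "score": score}
    record_login(history, attempt)
    return {"action": "ALLOW", "notify_email": False, "score": score}


def complete_verification(store, attempt):
    """Call once the user passed the additional verification (e.g. an e-mailed code)."""
    record_login(store[attempt.user], attempt)


if __name__ == "__main__":
    store = make_demo_store()
    for attempt in [LoginAttempt("alice", "dev-A1", "DE", True),
                    LoginAttempt("alice", "dev-B9", "DE", True),
                    LoginAttempt("alice", "dev-C7", "BR", True)]:
        print(attempt.device_id, attempt.country, decide(store, attempt))
```

The important design point is that a VERIFY outcome does not enrol the new device or location by itself; only a completed verification step does, so an attacker who holds the password but cannot pass the extra check does not gradually teach the system to trust their device. Repeated failed password attempts raise the score of the next successful attempt, which is why a rare-location login after two failures is escalated where the same login after a clean streak would pass.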
Longitudinal Privacy Management: Revocation of Online Data
Once data is published on the Internet, there is little hope to successfully remove it at a later point. This negatively affects a user’s privacy. We are looking at possibilities to remedy this problem, combining different views from a technological, legal, and sociological perspective.
- SoK: Managing Longitudinal Privacy of Publicly Shared Personal Online Data – PETS 2021
- Towards Contractual Agreements for Revocation of Online Data – IFIP SEC 2019
- User Perception and Expectations on Deleting Instant Messages – EuroUSEC 2018
- Neuralyzer: Flexible Expiration Times for the Revocation of Online Data – CODASPY 2016
Implications of Privacy Legislation for Personal Data
Privacy Norms in the Context of a Global Pandemic
Usable and Secure Online Authentication
Passwords are still the most widely used form of online authentication, despite being declared "dead" on a regular basis. Our goal is to make passwords more secure, without making them harder to use.
- “You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company – SOUPS 2020
- On the Accuracy of Password Strength Meters – CCS 2018
- Designing Password-Reuse Notifications – CCS 2018
- Towards Implicit Visual Memory-Based Authentication – NDSS 2017
Authentication on Mobile Devices
Mobile devices offer a unique set of challenges for user authentication: entering passwords or other authentication secrets on small soft keyboards is cumbersome at best, but touchscreens are well suited to graphical passwords. Devices such as smartphones and smartwatches offer a rich set of sensors, which can enable novel forms of user authentication. In this line of work we are interested in understanding the security and usability of authentication methods on mobile devices.
- This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs – SP 2020
- EmojiAuth: Quantifying the Security of Emoji-based Authentication – USEC 2017
- On User Choice for Android Unlock Patterns – EuroUSEC 2016
- Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns – CCS 2013