Abstract
In this paper we explore the tension between automatic security and intentionality. During a user trial of Pico we offered two proximity authentication modalities: scanning a QR code, or pressing a button in the Pico app that is available only when the user is in Bluetooth range of a machine they can authenticate to. The feedback from this trial provides an insight into users’ expectations with regard to intentionality. We discuss how this relates to the Pico authentication solution, how it has informed future Pico design decisions, and we suggest some ways in which security and usability researchers could address the issue of intentionality in future security design.
Notes
1. With each new mention of a participant, we report the operating system they used Pico on.
2. For quotes from pilot participants, we use the format of PPX, that is “pilot participant” followed by a number.
3. Any participant quotes coming from questionnaires are reproduced as written by our participants.
Acknowledgements
We thank the European Research Council (ERC) for funding this research through grant StG 307224 (Pico).
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Krol, K., Llewellyn-Jones, D., Aebischer, S., Dettoni, C., Stajano, F. (2018). Intentionality and Agency in Security. In: Matyáš, V., Švenda, P., Stajano, F., Christianson, B., Anderson, J. (eds) Security Protocols XXVI. Security Protocols 2018. Lecture Notes in Computer Science, vol 11286. Springer, Cham. https://doi.org/10.1007/978-3-030-03251-7_13
DOI: https://doi.org/10.1007/978-3-030-03251-7_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03250-0
Online ISBN: 978-3-030-03251-7
eBook Packages: Computer Science (R0)