This chapter presented the development of a correct, complete, understandable, and effective password security awareness material following a systematic process. The material addresses all attacks deemed relevant by the literature and by independent information security experts from academia and industry, and it increases lay users’ ability to correctly assess (a) whether specific password-related behaviour in different information security scenarios is secure or insecure and (b) the security of passwords. Furthermore, it significantly decreased the prevalence of misconceptions about password security. In particular, these abilities were retained or even improved six months after participants had read through the developed password security awareness material. At the same time, the awareness material was received positively by all participants.
The results of this study also point out areas for future work. The participating employees expressed the desire to learn more about password managers and the composition of secure passwords. Thus, it might be warranted to expand the awareness material accordingly or create additional awareness materials for these topics. Also, it might be worthwhile to investigate how to make the transition towards using a password manager easier for users.
The systematic development process presented in this chapter and applied to create the password security awareness material can help create other awareness materials beyond the password context. It could be easily applied to other information security contexts and other target audiences. Therefore, applying the process in areas other than password security represents another important line of future work.
Part II
Shoulder-surfing Resistant Text Password Entry on Gamepads
5 Requirements and Status Quo of Authentication in the Gamepad Context
Gamepad-driven devices such as game consoles are an important part of many people’s lives. A 2017 report by the Entertainment Software Association found that about half of all American households own a dedicated game console [68]. It is common to use accounts on consoles, e.g. for video streaming such as Netflix, music streaming such as Spotify, or game networks such as PlayStation Network. The text passwords protecting these accounts are entered on game consoles almost exclusively via on-screen keyboards operated with gamepads, which are far more constrained (e.g. regarding the available buttons and input precision) than the traditional combination of mouse and keyboard. At the same time, for many users time spent on their consoles is also a social activity and therefore takes place in shared spaces: 53% of users play on average five hours per week with others in person (as opposed to online multiplayer games) [68]. Considering that Renaud et al. [169] found in their survey that 90.9% of their participants would authenticate when not alone, opportunistic shoulder-surfing [227] is a real threat, leaving users in a dilemma: either show mistrust by asking bystanders to look away [58], behave insecurely by letting them observe, or store the password on the device, which enables purchases by every person with access to the device.
To address the challenge of shoulder-surfing resistant text password entry on gamepads, this chapter presents the first investigation of this topic. To that end, it first describes the requirements of authentication which specifically apply to the gamepad context (section 5.1) and which all authentication schemes must fulfil in order to be deemed suitable for the gamepad context. Overall, six requirements across the three categories security, technical, and usability are identified. One of the defining requirements of this scenario is resistance to opportunistic shoulder-surfing. It is important to note, though, that these requirements specific to the gamepad context must be fulfilled in addition to any general requirements [26] that might arise from a specific application scenario in the gamepad context (e.g. resistance against guessing attacks [27, 119]).
Then, as a second step building on the identified requirements, the authentication schemes currently deployed in the gamepad context as well as a representative set of shoulder-surfing resistant schemes proposed in the literature are assessed against the requirements. The results of this assessment (section 5.2) show that none of the currently deployed schemes and only four of the proposals in the literature fulfil all six requirements. From the discussion of these assessment results (section 5.3) it becomes clear that the grid-based scheme by Kim et al. [123] is the proposal best suited for being adapted from a non-gamepad context to the gamepad context. From the work presented in this chapter, two important next steps arise which are then addressed in the next chapter: (1) an empirical assessment of the baseline performance of the on-screen keyboard (as the de-facto standard in the gamepad context) in terms of shoulder-surfing resistance as well as usability and (2) an empirical evaluation of alternatives to the on-screen keyboard. Section 5.4 concludes this chapter.
Contributions described in this chapter:
• The requirements of authentication in the gamepad context are identified and outlined. They can be grouped into three categories: security, technical, and usability. These requirements can inform the design of new authentication schemes in the gamepad context.
• The authentication schemes currently deployed in the gamepad context as well as a representative set of shoulder-surfing resistant authentication schemes proposed in the literature are assessed against the identified requirements.
Parts of the results described in this chapter have been published in:
• P. Mayer, N. Gerber, B. Reinheimer, P. Rack, K. Braun, and M. Volkamer, “I (don’t) see what you typed there! Shoulder-surfing resistant password entry on gamepads”, Conference on Human Factors in Computing Systems (CHI), 2019.