3.1 Establishing the Users’ Perspective

3.1.1 Focus Group Methodology

To assess views and attitudes regarding the authentication requirements on mobile devices, a focus group was conducted in order to provide a forum for users to express and exchange their perspectives. Whilst an early survey by the research group had undertaken a quantitative-based study to explore user perceptions (Clarke & Furnell, 2002), it was felt a follow-up qualitative study was required to better understand the reasons behind some of the key results.

The focus group aimed to include a mixture of end-users, representatives from the mobile industry, researchers in the area, and representatives from educational technology and university perspectives. It was important to have a multifaceted view on the subject and to cover the perspectives of users who were likely to make different use of their devices and, as such, would have different requirements. It was also important to get views from the providers’ perspective, to establish whether they identify an issue with current authentication and how alternative solutions are perceived. A detailed listing of the participants’ composition can be found in Table 3-1.

Participant Background / Basis for inclusion

1 Representative from a UK mobile network operator.

2 Creator of a web resource that tracks mobile technologies and trends

3 Project student, addressing public understanding of biometrics

4 Project student, conducting user trials and evaluation of biometrics

5 Academic, active in the mobile security domain

6 Learning technologist, commencing research into educational uses of mobile devices

7 Psychologist, with research interests in use of mobile technologies

8 Representative from university ICT department, responsible for campus deployment of mobile devices.

9 Academic with interest in human factors of technology.

10 Male mobile phone user

11 Female mobile phone user

12 Female mobile phone user

Table 3-1: Summary of focus group participants

All of the participants were regular end-users of mobile devices, and in many cases conversant with the features and facilities of smartphone devices. As such, they were able to offer perspectives with first-hand knowledge of the more advanced features and facilities that are likely to become the baseline standard in a few years.

It should be noted that at the time the research took place (2007), smartphones and their capabilities had not yet been fully adopted, at least not to the extent that would be expected today given the penetration of the mobile device.

A number of research questions were created to form the framework of the discussion, addressing the main areas of interest around the objectives of this research on user authentication. A list of the questions, together with a brief justification for each, follows.

1. Do participants recognise a need for security on their current devices?

This question aimed to investigate whether users consider their current usage of mobile devices to merit protection, with particular emphasis being given to whether or not user authentication is an important requirement.

2. How do participants perceive the current authentication facilities, and do they use them?

The intention here is to focus participants’ attention specifically towards the PIN-based techniques that are dominant upon current devices, exploring opinions about the general nature of the method and the extent to which they are used in practice.

3. Do participants envisage a need for greater security provision in the future?

Anticipating that some participants would be unlikely to prioritise a need for authentication based upon their current usage of the device, this question aimed to make them consider the range of emerging and future applications of mobile devices that may involve far more sensitive data. Then they were asked to reassess their views on the requirement for authentication, based on this future scenario.

4. How do participants perceive the potential alternative methods of authentication and the ways in which they could operate?

Assuming that the preceding question would highlight a requirement for further protection, this question aims to elicit opinions about alternative mechanisms (such as token and biometric approaches), and methods of applying them.

The participants were not led towards any particular viewpoints during the discussion of each question. However, a discussion guide was formed and followed during the session to provide the background and the context for the research questions to be answered. The session lasted 100 minutes and was video recorded in order to capture any non-verbal information that could provide further input (i.e. reactions to a certain view) or help the quantitative appraisal of answers (i.e. show of hands as an answer). Transcription of the recorded session followed, and analysis of the derived document provided a series of results. Some key results were:

Current Usage & Authentication

• The current usage of their mobile device for the majority of the users was restricted to basic telephony and text messaging, although some of them suggested that this is likely to change in the future.

• Based on the above point, most of the users did not feel at risk, as their usage was still limited and did not involve accessing sensitive information.

• Regarding current authentication achieved by the PIN, only 1/3 of them use it at switch on and only one participant used the PIN on standby mode. The rest of the group considered that their use of the phone did not require any protection based on their current usage. However, the majority stated concerns about the actual effectiveness and usability of current authentication, noting traditional drawbacks of knowledge-based authentication.

Future Usage & Protection

• Most of the participants agreed that future applications and potential usage of their device would involve access to highly sensitive information, and therefore they would see their security requirements altering to correspond to that change and would look for enhanced security.

• Another significant point identified by participants as part of this enhanced security is the fact that not all services carry the same risks - something that this report will address later in this chapter. So they would expect to have the security applied according to the risk associated with a specific service or application.

Alternative Authentication

• Looking at the alternatives to knowledge-based authentication – tokens and biometrics – participants were not receptive to the former but highly positive about the adoption of the latter. As previous research had also shown, users are starting to be more open to biometric techniques and consider their use in order to enhance security (Clarke et al. 2002).

• With regard to specific biometric techniques, fingerprint was the most popular of all. However, as one of the participants commented, this preference is more likely to derive from the fact that fingerprint is the most well-known technique and therefore users are more familiar with the approach. Interestingly, some suggested the use of biometrics that can be applied based on the use of the device - something that can mitigate any reliance on extra hardware, and therefore the extra cost of the device as well as extra interaction.

• Another significant outcome, also based on the above, was that no single technique can fit the needs of all users and therefore a more flexible approach would be more appropriate.

• Although the matter of privacy of biometrics was commented upon, there was no real concern from the users’ perspective in regard to this matter, which indicates the change in culture towards biometrics, as people have traditionally been cautious about this issue. Rather than privacy, concern was raised about the actual usability of the techniques and how well they would work in a mobile context, and therefore whether they would become a security feature that is not easy to use.

Going beyond point-of-entry

• The users were asked to provide their views on the application of continuous authentication during the use of the device, if this was to be applied in a transparent fashion, in order to provide security at all times and mitigate the users’ interaction in comparison to explicit authentication. The views on the matter were mixed. However, participants did not appear to be reluctant to use such an approach, with the only concern focusing again on the usability of the approach.

• A secondary issue was again the issue of privacy, but mainly when the participants were asked to comment upon storage of biometric data and who they would perceive to be more appropriate to safeguard that data. Again views were mixed; however, the majority raised significant concern in regard to the issue of trust in others than themselves. A more detailed discussion specifically on this is provided in Section 3.3.

As this focus group indicated, future mobile usage will bring to the foreground the need for more enhanced and flexible authentication. Furthermore, even though current usage does not command the need for extra security, current authentication is perceived to hardly provide any protection in the first place. This focus group provided a significant part of the requirement analysis of this research, as the user’s perspective is always an important factor when designing security mechanisms.