SPICE Yubico Research Paper Presented at Financial Crypto 2018

Indiana University Bloomington - Sanchari Das, Security & Privacy in Informatics, Computing, and Engineering (SPICE) Team member and PhD student, presented her paper Why Johnny Doesn’t Use Two Factor, A Two-Phase Usability Study of the FIDO U2F Security Key at Financial Cryptography and Data Security 2018.

Financial Cryptography and Data Security (Financial Crypto 2018) is a major international conference for research, development, and education in all areas of information assurance in business and industry. This year’s central focus of the conference was securing systems and transactions with the goal of bringing together stakeholders; from security and cryptography researchers and practitioners, to government and business entities. The program featured talks, academic presentations, technical demonstrations, panel discussions, and workshops.

Das presented on her work with Yubico Security Keys usage. The Yubico key is a physical password assistant. The key is a tool for two part authentication, designed for users that are very tactile and not very technically capable. Recognizing the low rate of adoption among users, Das ran a two part study to improve implementation, usage, and user understanding of the Yubico key. Phase one was implemented with a think aloud protocol which observed users as they paired the Key with their google account. Observed problems were then communicated to Yubico with a list of suggestions to make the key more usable. Once changes were made, a second study done a year later found marked increases in usability but it was unclear if acceptability had also increased.  Das notes:

Two-Factor authentication is important step towards enhancing security and reduces the threats for users in a password only authentication environment.  Our results illustrated both the importance and limits of usability on acceptability, adoption, and adherence in Two-Factor Authentication.

Working with Yubico, new studies will be done during Indiana University’s Mini University 2018 week. With a large representation of older students, Mini University presents a unique opportunity to gather data on users 50 and older. Reflecting SPICE’s dedicated to actionable research results, Das’s work with Yubico is a prime example of the interdisciplinary model of research which combines avenues of usable security, system security, and broad impact on the real world.

Sanchari Das, a PhD Student in School of Informatics, Computing, and Engineering at Indiana University Bloomington. A security track researcher, her work includes studies in usable security and privacy, user experience, social media research, and human-computer interaction.  In addition to presenting her hard work, Das was able to make connections with other stakeholders in the field of security, connections which which help cross-pollination and collaborative projects in the future.

A copy of her paper can be read here.