Pico part III: Making Pico psychologically acceptable to the everyday user

Many users are willing to sacrifice some security to gain quick and easy access to their services, often in spite of advice from service providers. Users are somehow expected to use a unique password for every service, each sufficiently long and consisting of letters, numbers, and symbols. Since most users do not (indeed, cannot) follow all these rules, they rely on unrecommended coping strategies that make passwords more usable, including writing passwords down, using the same password for several services, and choosing easy-­to-­guess passwords, such as names and hobbies. But usable passwords are not secure passwords and users are blamed when things go wrong.

This isn’t just unreasonable, it’s unjustified, because even secure passwords are not immune to attack. A number of security breaches have had little to do with user practices and password strength, such as the Snapchat hacking incident, theft of Adobe customer records and passwords, and the Heartbleed bug. Stronger authentication requires a stronger and more usable authentication scheme, not longer and more complex passwords.

We have been evaluating the usability of our more secure, token-­based system: Pico, a small, dedicated device that authenticates you to services. Pico is resistant to theft-resistant because it only works when it is close to its owner, which it detects by communicating with other devices you own – Picosiblings. These devices are smaller and can be embedded in clothing and accessories. They create a cryptographic “aura” around you that unlocks Pico.

For people to adopt this new scheme, we need to make sure Pico is psychologically acceptable – unobtrusive and easily and routinely used, especially relative to passwords. The weaknesses of passwords have not been detrimental to their ubiquity because they are easy to administer, well understood, and require no additional hardware or software. Pico, on the other hand, is not currently easy to administer, is not widely understood, and does require additional hardware and software. The onus is on the Pico team to make our solution convenient and easy to use. If Pico is not sufficiently more convenient to use than passwords, it is likely to be rejected, regardless of improvements to security.

This is a particular challenge because we are not merely attempting to replace passwords as they are supposed to be used but as they are actually used by real people, which is more usable, though much less secure, than our current conception of Pico.

Small electronic devices worn by the user – typically watches, wristbands, or glasses – have had limited success (e.g. Rumba Time Go Watch and the Embrace+ Wristband). Reasons include issues with the accuracy of the data they collect, time spent having to manage data, the lack of control over appearance, the sense that these technologies are more gimmicks than useful, the monetary cost, and battery life (etc.). All of these issues need to be carefully considered to pass the user’s cost-benefit analysis of adoption.

To ensure the psychological acceptability of Pico, we have been conducting user studies from the very early design stages. The point of this research is to make sure we don’t impose any restrictive design decisions on users. We want users to be happy to adopt Pico and this requires a user-­centred approach to research and development based on early and frequent usability testing.

Thus far, we have qualitatively investigated user experiences of paper prototypes of Pico, which eventually informed the design of three-­dimensional plastic prototypes (Figure 1).

Figure 1a.
Figure 1. Left: Early paper and plasticine Pico prototypes; Right: Plastic (Polymorph) low-fidelity Pico prototypes

This exploratory research provided insight into whether early Pico designs were sufficient for allowing the user to navigate through common authentication tasks. We then conducted interviews with these plastic prototypes, asking participants which they preferred and why. In the same interviews, we presented participants with a range of pseudo-­Picosiblings (Figure 2) to get an idea of the feasibility of Picosiblings from the end­user’s perspective.

Figure 2.
Figure 2. The range of pseudo-Picosiblings including everyday items (watch, keys, accessories, etc.) and standalone options (magnetic clips and free-standing coins)

The challenge seems to be in finding a balance between cost, style, and usefulness. Consider, for example, the usefulness of a watch. While we expect a watch to tell us the time (to serve a function), what we really care about is its style and cost. This is the difference between my watch and your watch, and it is where we find its selling power. Most wearable electronic devices, such as smart-­watches and fitness gadgets, advertise function and usefulness first, and then style, which is often limited to one, or maybe two, designs. And cost? Well, you’ll just have to find a way to pay for it. Pico, like these devices, could provide the potential usefulness required for widespread and enduring adoption, which, if paired with low cost and user style, should have a greater degree of success than previous wearable electronic devices.

Initial analysis of the results reveals polarised opinions of how Pico and Picosiblings should look, from being fashionable and personalizable to being disguised and discrete. Interestingly, users seemed more concerned about the security of Pico than about the security of passwords. Generally, however, the initial research indicates that users do see the usefulness of Pico as a standalone device, providing it is reliable and can be used for a wide range of services; hardware is no benefit to people unless it replaces most, if not all, passwords, otherwise it becomes another thing that people have to remember.

A legitimate concern for users is loss or theft; we are working to ensure that such incidents do not cause inconvenience or pose threat to the user by making the system easily recoverable. Related concerns relevant to possessing physical devices are durability, physical ease-­of-­use, the awkwardness of having to handle and aim the Pico at a QR code, and the everyday convenience of remembering and carrying several devices.

To make remembering and carrying several devices easier and more worthwhile, interviews revealed that Picosiblings should have more than one function (e.g. watches, glasses, ID cards). By making Picosiblings practical, users are more likely to remember to take them, and to perceive the effort of carrying them around as being outweighed by the benefit. Typically, 3-­4 items were the maximum number of Picosiblings that users said they would be happy to carry; the aim would be to reduce the required number of Picosiblings to 1 or 2 (depending on what they are), allowing users to carry more on them as “backups” if they were going to use them anyway.

Though suggested by some, the same emphasis on dual-­function was not observed for Pico, since this device serves a sufficiently valuable function in itself. However, while many found it perfectly reasonable to carry a dedicated, secure device (given its function), some did express a preference for the convenience of an App on their smartphone. To create a more streamlined experience, we are currently working on such an App, which should give these potential Pico users the flexibility they seem to desire.

By taking into account these and other user opinions before committing to a single design and implementation, we are working to ensure Pico isn’t just theoretically secure – secure only if we can rely on users to implement it properly despite any inconvenience. Instead, we can make sure Pico is actually secure, because we will be creating an authentication scheme that requires users to do only what they would do (or better, want to do) anyway. We can achieve this by taking seriously the capabilities and preferences of the end-­user.

 

4 thoughts on “Pico part III: Making Pico psychologically acceptable to the everyday user

  1. How fingerprintable would you expect the “cryptographic aura” to be? From a privacy perspective, I’d be uncomfortable adopting a system like this if I ended up having an identifiable “aura” around me. Are you planning to address privacy as part of your overall system requirements?

    1. Pico was designed by a privacy advocate (yours truly) and the “overall system requirements” as laid out in the original 2011 paper already listed the following as the intended properties of the communication protocol between Pico and Picosiblings:

      – The Pico can ascertain the presence of any of its Picosiblings in the vicinity.
      – The Picosibling responds to its master Pico but not to any other Pico.
      – At each ping, the Picosibling sends its k-out-of-n share to the Pico, in a way
      that does not reveal it to eavesdroppers.
      – An eavesdropper can detect the bidirectional communications between Pico
      and Picosiblings but not infer identities or long-term pseudonyms.
      – The Pico can detect and ignore old replayed messages.
      – The Pico can detect and ignore relay attacks (e.g. with Hancke-Kuhn [13]).

      Note in particular the second, third and fourth items.

      Of course achieving all of the above, on wearables with not much of a processor, while preserving a battery life of several months and a cost of almost zero, is not going to be the easiest of challenges…

      We won’t get there in a single step, and the first few prototypes won’t do all of that, but that’s the asymptote we’re aiming for.

  2. Might pico siblings include existing RFID identifiable items such as Oyster travel cards, embedded stock taking tags in clothing, as well as the proposed items above? If RFIDs are feasible the cloud of picosiblings might already be available.

    Good luck with the project.

    1. Thanks for your good wishes!

      They might, although they’d be a different type of Picosibling than the ones in the original paper and referred to in my reply to the other blog post above. To guarantee the properties above, Picosiblings need to engage in a Pico-specific cryptographic protocol and would thus probably require more “brains” than the existing tags you mention (and would have to be reprogrammable).

      On the other hand, the tags you mention have the non-trivial advantage of being already deployed (and, as far as privacy goes, people wearing them have already voted with their feet on the privacy trade-off between having those gadgets and being identifiable by their radio signature). Even if they can’t run the proper Pico-to-Picosiblings protocol, they could be taken by the Pico as additional hints about the presence of the right human.

      Our latest paper, to be presented in a few days at the UPSIDE workshop of the UBICOMP conference, explores variations on the Picosiblings concept that may include assessing the presence of the owner via fuzzy hints instead of definite statements. Expect another blog post about it soon.

      My former MPhil student Cristian Toader recently completed an interesting dissertation on User Authentication for Pico: When to unlock a security token in which he developed a framework that unlocks the security token with a “risk-based authentication” approach, fusing the fuzzy inputs of several streams of “hints”. Existing RFID tags already worn by the person regardless of Pico could definitely be treated as additional hints.

Leave a Reply to Frank Stajano Cancel reply

Your email address will not be published. Required fields are marked *