Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

An Evaluation of Website Authentication & the Effect of Role Playing on Usability Studies

17 Feb 2011

Abstract

"We evaluate website authentication measures that are designed to protect users from man-in-the-middle, ‘phishing’, and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant’s site-authentication image—the customer-selected image that many websites now expect their users to verify before entering their passwords. Finally, we replaced the bank’s password-entry page with a warning page. After each clue, we determined whether participants entered their passwords or withheld them.

 

We also investigate how a study’s design affects participant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused instructions.

 

We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 23 of the 25 (92%) participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants’ security behavior: role-playing participants behaved significantly less securely than those using their own passwords."

 

A Disheartening Result

The experiment began with 67 participants. 19 participants were instructed to play a role and to login using the credentials of that role. 20 participants used the same role-playing scenario and were also given additional instructions to behave securely. 28 participants were required to complete tasks by logging into their own bank accounts.

 

First, we removed HTTPS indicators… 63 out of 67 (94%) participants entered their passwords despite the absence of HTTPS indicators on the password-entry page; 18 participants from the role playing group, 18 participants from the security primed group, and 27 participants from the personal account group.

 

Next, we removed the participant’s site-authentication image… 58 out of 60 participants (97%) entered their passwords despite the removal of the site-authentication image; 18 participants from the role playing group, all 17 participants from the security primed group, and 23 of 25 participants from the personal account group.

 

Finally, we replaced the bank’s password-entry page with a warning page… 30 of 57 participants (53%) entered their passwords; 10 participants from the role playing group, 12 participants from the security primed group, and 8 of 22 from the personal account group.

 

Some interesting finding…

The effect of role playing…

Our results should give pause to researchers designing studies that rely on role playing. Participants who may be vigilant in security themselves from real-life risks may be less motivated to behave securely when playing a role – especially if the risks are perceived as fictional.

 

The effect of security priming

Though the result was not statistically significant, we were surprised to find that participants assigned to the security primed group behaved less securely than those in the role playing group, who had no security-priming.

 

You can download the full paper here.

Share on Facebook
Share on Twitter
Please reload

RECENT POST

September 5, 2017

Please reload

CATEGORIES
Please reload

TAGS
RSS
RSS Feed