3rd TIPPI Workshop

An evaluation of website authentication and the effect of role playing on usability studies

Speaker: Rachna Dhamija, Harvard University

Title: The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies

Abstract:
In this talk, I will present the results of a usability study of new website authentication measures designed to protect users from "phishing" and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant's site-authentication image, the customer-selected image that users should verify before entering their passwords. Finally, we replaced the bank's login page with a warning page. After each clue, we measured whether participants entered their passwords or withheld them.

We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 92% of participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role-playing affects participants' security behavior in usability studies: those who played a role behaved significantly less securely than those who used their own passwords.

