A number of security mechanisms are well understood from a technical point of view, but fail in practice because of human factors. Our goal is to design and evaluate security mechanisms while explicitly taking into account the human users who will have to use them. The following list gives an overview of specific projects we are involved in. (For more details see our publications page.)
Usability of Risk-based Implicit Authentication
Internet services have realized that passwords will not be replaced in the near future. Thus, they have come up with solutions that reinforce password-based authentication, mostly by taking additional factors besides the password into account. Risk-based authentication is used to protect accounts when an unrecognized device or an unusual sign-in location is detected: the password alone is no longer accepted, the website asks for additional verification, and the user is notified via email. We study how users perceive and cope with these extra verification steps and whether they actually improve security in practice.
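The decision logic described above, as an added illustration (not code from the group or from any real service): after the password has been verified, a small set of context features is compared against what is known for the account, mismatches are summed into a risk score, and a score at or above a threshold triggers step-up verification plus an email notification. The feature set (device identifier, country inferred from the client IP, hour of day), the weights, the threshold, and the sample account history are all assumptions chosen for the example; a new account with no history is deliberately treated as "everything unknown" so that it is always challenged, and new context is only recorded as known after the additional verification succeeded.

```python
"""Illustrative risk-based authentication check (added example, not the
research group's code). All weights, features and sample data are assumed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str   # assumed: cookie- or fingerprint-derived device identifier
    country: str     # assumed: country inferred from the client IP address
    hour: int        # assumed: hour of day (0-23) in the user's usual time zone


@dataclass
class AccountHistory:
    known_devices: set[str] = field(default_factory=set)
    known_countries: set[str] = field(default_factory=set)
    usual_hours: set[int] = field(default_factory=set)


# Illustrative weights and threshold, not values from the page.
WEIGHT_UNKNOWN_DEVICE = 3
WEIGHT_UNUSUAL_COUNTRY = 3
WEIGHT_UNUSUAL_HOUR = 1
STEP_UP_THRESHOLD = 3


def risk_score(attempt: LoginAttempt, history: AccountHistory) -> tuple[int, list[str]]:
    """Sum the weights of all context features that do not match the account history.
    An empty history (new account) mismatches on every feature and is therefore
    always challenged."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if attempt.country not in history.known_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual sign-in location")
    if attempt.hour not in history.usual_hours:
        score += WEIGHT_UNUSUAL_HOUR
        reasons.append("unusual time of day")
    return score, reasons


def decide(attempt: LoginAttempt, history: AccountHistory) -> dict:
    """Called only after the password was verified. Either let the session
    through, or demand a second verification step and email the account owner."""
    score, reasons = risk_score(attempt, history)
    step_up = score >= STEP_UP_THRESHOLD
    return {
        "action": "step_up" if step_up else "allow",
        "notify_by_email": step_up,   # user is notified whenever extra verification is required
        "score": score,
        "reasons": reasons,
    }


def record_success(attempt: LoginAttempt, history: AccountHistory) -> None:
    """Enrol the new context as 'known' only after the step-up verification
    succeeded; doing it earlier would let an attacker enrol their own device."""
    history.known_devices.add(attempt.device_id)
    history.known_countries.add(attempt.country)
    history.usual_hours.add(attempt.hour)


def sample_history() -> AccountHistory:
    """Constructed history for a fictitious account (not real data)."""
    return AccountHistory(
        known_devices={"laptop-7f3a"},
        known_countries={"DE"},
        usual_hours=set(range(8, 19)),   # habitual office-hours logins
    )


if __name__ == "__main__":
    hist = sample_history()
    for attempt in [
        LoginAttempt("alice", "laptop-7f3a", "DE", 10),  # everything matches -> allow
        LoginAttempt("alice", "phone-91c2", "DE", 10),   # new device only   -> step_up
        LoginAttempt("alice", "laptop-7f3a", "DE", 3),   # odd hour only     -> allow
        LoginAttempt("alice", "laptop-7f3a", "US", 3),   # new country, odd hour -> step_up
    ]:
        print(attempt.device_id, attempt.country, attempt.hour, decide(attempt, hist))
```

The design point worth noticing is the asymmetry: a single weak signal (an unusual hour) is tolerated to keep false challenges rare, whereas either strong signal (unknown device, unknown country) on its own is enough to interrupt the login, which is exactly the usability-versus-security trade-off that determines how often users are confronted with the extra step.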
Privacy of Self-Published Data: Revocation of Online Data
Once data is published on the Internet, there is little hope to successfully remove it at a later point. This negatively affects a user's privacy. We are looking at possibilities to remedy this problem, combining different views from a technological, legal, and sociological perspective.
Usable and Secure Online Authentication
Passwords are still the most widely used form of online authentication, despite being declared "dead" on a regular basis. Our goal is to make passwords more secure, without making them harder to use.
Authentication on Mobile Devices
Mobile devices pose a unique set of challenges for user authentication: entering passwords or other authentication secrets on small on-screen keyboards is cumbersome at best, whereas touchscreens are well suited for graphical passwords. Devices such as smartphones and smartwatches also offer a rich set of sensors, which can enable novel forms of user authentication. In this line of work we are interested in understanding both the security and the usability of authentication methods on mobile devices.