Security, Usability, and User Authentication

Over a long period, I have been investigating the relationship between usability and security. More specifically, I have investigated issues related to user authentication. The background for this research is observational studies on hospitals, which revealed that clinicians spend lots of time and effort on getting access to electronic medical systems [1].

I have published results from these studies in the paper called “The Touble with Login”[2], which is accessible below. The core argument in this paper is that basically, most of the so-called ‘login’ problems are actually deeply rooted in the operating systems, software layers, and hardware systems of personal computers. Hence, the trouble of login is not easily “fixed”.

Proximity-based User Authentication

In order to mitigate some of these problems, I have designed technologies for easy user authentication, including systems for “Proximity-Based User Authentication” [3], and “Collective Login” [2]. Proximity-Based login is a technology which utilize context-aware computing which enables the computer to know what is going on around it, including who is – or wants to – use the computer. By utilizing this context information, the system is able to authenticate the user when he is approaching the computer. Hence, there is no need for explicit user authentication based on e.g. username and password.

The concepts of “Collective Login” addresses the problem that contemporary login systems are inherently personal – a fact which aligns very badly with the collaborative nature of work in e.g. hospitals. Hence, we are researching security models where users can have a shared login – i.e. a collective user authentication system.

Non-anonymous User Interaction on a Multitouch Display

Contemporary tabletop computers lack the ability to distinguish collaborating users apart as well as determining the identity of individual users. To address this problem, we have proposed a solution for collaborative sessions where the tabletop computer is able to distinguish and identify the individual users apart. The solution requires each tabletop user to bring his smartphone to the tabletop and use it when performing certain privileged actions.

The goal and focus of this project was to design and implement a framework that seamlessly integrates smartphones with a Microsoft Surface, so that a given application can rely on the identity of a user and his/her actions when needed. This work was done as a MSc Thesis by Thomas Berglund and Michael Thomassen [4]. The Non-anonymous User Interaction (NAI) Framework is available at Google Code.

Funding & Time Period

This research was funded byt the Danish Center for Information Technology (CIT) from 2002–2007.

References

[1] [pdf] J. E. Bardram, “Security in Context – Lessons Learned from Security Studies in Hospitals,” in Proceedings of the CHI 2007 Workshop on Security User Studies, S. E. et. al, Ed., , 2007.
[Bibtex]
@incollection{chi2007:awaremedia,
Author = {Jakob E. Bardram},
Title = {Security in Context - Lessons Learned from Security Studies in Hospitals},
Booktitle = {Proceedings of the CHI 2007 Workshop on Security User Studies},
Editor = {Serge Egelman et. al},
Pdf = {security.chi2007.pdf},
Tag = {login,workshop},
Url = {http://www.verbicidal.org/hcisec-workshop/},
Year = {2007},
Bdsk-Url-1 = {http://www.verbicidal.org/hcisec-workshop/}}
[2] [pdf] J. E. Bardram, “The Trouble with Login – On Usability and Computer Security in Ubiquitous Computing,” Personal and Ubiquitous Computing, vol. 9, iss. 6, pp. 357-367, 2005.
[Bibtex]
@article{puc2005:login,
Author = {Jakob E. Bardram},
Journal = {Personal and Ubiquitous Computing},
Number = {6},
Pages = {357--367},
Pdf = {printed.login.puc.2005.pdf},
Publisher = {ACM and Springer-Verlag},
Tag = {journal,login},
Title = {{The Trouble with Login - On Usability and Computer Security in Ubiquitous Computing}},
Url = {http://dx.doi.org/10.1007/s00779-005-0347-6},
Volume = {9},
Year = {2005},
Bdsk-Url-1 = {http://dx.doi.org/10.1007/s00779-005-0347-6}}
[3] [pdf] J. E. Bardram, R. E. Kjær, and M. Pedersen, “Context-Aware User Authentication – Supporting Proximity-Based Login in Pervasive Computing,” in Proceedings of UbiComp 2003, Seattle, Washington, USA, 2003, pp. 107-123.
[Bibtex]
@inproceedings{ubicomp2003:bardram,
Address = {Seattle, Washington, USA},
Author = {Jakob E. Bardram and Rasmus E. Kj{\ae}r and Michael Pedersen},
Booktitle = {Proceedings of UbiComp 2003},
Editor = {Anind Dey and Joe McCarthy and Albrecht Schmidt},
Month = oct,
Pages = {107--123},
Pdf = {prox.user.auth.pdf},
Publisher = {Springer Verlag},
Series = {Lecture Notes in Computer Science},
Tag = {jcaf,conference,login},
Title = {{Context-Aware User Authentication - Supporting Proximity-Based Login in Pervasive Computing}},
Url = {http://www.springerlink.com/index/Q1MCV12D4N0B5X4L},
Volume = 2864,
Year = 2003,
Bdsk-Url-1 = {http://www.springerlink.com/index/Q1MCV12D4N0B5X4L}}
[4] [pdf] T. Berglund and M. Thomassen, “Non-anonymous user interaction on tabletop displays,” Master Thesis, 2011.
[Bibtex]
@mastersthesis{msthesis:berglund,
Author = {Thomas Berglund and Michael Thomassen},
School = {IT University of Copenhagen, Denmark},
Title = {{Non-anonymous user interaction on tabletop displays}},
Year = {2011}
}