Home > Refereed Conference Papers > Neither Access nor Control: A Longitudinal Investigation of the Efficacy of User Access-Control Solutions on Smartphones |
LERSSE-RefConfPaper-2022-004 |
Masoud Mehrabi Koushki ; Yue Huang ; Julia Rubin ; Konstantin Beznosov
2022-09-10-2022-09-10-2022-09-10
Abstract: The incumbent all-or-nothing model of access control on smartphones has been known to dissatisfy users, due to high overhead (both cognitive and physical) and lack of device-sharing support. Several alternative models have been proposed. However, their efficacy has not been evaluated and compared empirically, due to a lack of detailed quantitative data on users' authorization needs. This paper bridges this gap with a 30-day diary study. We probed a near representative sample (N = 55) of US smartphone users to gather a comprehensive list of tasks they perform on their phones and their authorization needs for each task. Using this data, we quantify, for the first time, the efficacy of the all-or-nothing model, demonstrating frequent unnecessary or missed interventions (false positive rate (FPR) = 90%, false negative rate (FNR) = 21%). In comparison, we show that app- or task-level models can improve the FPR up to 88% and the FNR up to 20%, albeit with a modest (up to 15%) increase in required upfront configuration. We also demonstrate that the context in which phone sharing happens is consistent up to 75% of the time, showing promise for context-based solutions.
Keyword(s): Smartphone security ; Access control ; User experience ; Longitudinal study
Published in: Masoud Mehrabi Koushki, Yue Huang, Julia Rubin, and Konstantin Beznosov. Neither Access nor Control: A Longitudinal Investigation of The Efficacy of User Access Control Solutions on Smartphones. In Proceedings of the 31st USENIX Security Symposium, 2022.:
The record appears in these collections:
Refereed Conference Papers