Masoud Mehrabi Koushki

26 September 2022

Abstract: The incumbent physical security system on smartphones is known to dissatisfy users. It comprises explicit authentication (e.g., passcode), which imposes high time and cognitive overhead, and all-or-nothing authorization, which limits flexibility. Consequently, an estimated 20% of users have decided to forgo physical security entirely. In response, alternative solutions have been proposed by researchers. These include implicit authentication (IA) solutions, which harnesses behavioural data for user identification, and finer-grain (e.g., app-level) authorization solutions, which are more accurate. However, several important aspects of these alternatives are understudied. Firstly, it is unclear how widely users would adopt IA, and whether they can understand its semantics well enough to avoid dangerous security errors when using it. Secondly, it is unknown how well can the proposed authorization schemes balance usability with security. These unknowns bring into question whether the alternatives can, in fact, improve the user experience (UX) or, conversely, disservice users by providing a false sense of security. This dissertation contributes insights from several studies that aim at bridging these knowledge gaps. Regarding IA, we took Smart Lock (SL)—currently the most-widely-available solution—as a case. We conducted cognitive walkthroughs, think-aloud sessions, and online surveys to understand how users perceive and understand SL. Regarding authorization, we conducted a longitudinal diary study to obtain a detailed view on users' needs and how well existing solutions meet them. Results show that SL is not widely adopted, which correlates to its perceived lack of usefulness and security. Regarding semantics, we found users often confused about IA's capabilities and the nature of the data it harnesses. To avoid these issues, we provide UX design recommendations for better communication of the value and intricacies of IA. Regarding authorization, we found app-level schemes to outperform other solutions; hence we argue for wider deployment of them. However, we also found that users' needs vary significantly based on individual preferences and the functionality being protected; hence we argue for adaptable granularity in authorization. Overall, our studies demonstrate the inadequacy of the incumbent system, show how current deployment of alternatives potentially disserves users, and provide recommendations for improved deployment in the future.

Keyword(s): smartphone security ; implicit authentication ; access control ; cognitive walkthrough ; think-aloud ; survey ; diary study ; longitudinal study

Published in: Masoud Mehrabi Koushki, "Toward understanding and improving the user experience with smartphone physical security", PhD Dissertation, Department of Electrical and Computer Engineering, THE UNIVERSITY OF BRITISH COLUMBIA, September, 2022: