Current mobile devices are becoming the primary means of accessing information services for a significant part of the world population, and many of the services are or will become security-critical. In addition to mobile payment, ticketing, and physical access control applications, we expect virtual identity documents (passports, driving licenses, etc.), personal medical data processing, and industrial control to move towards integration into mobile devices such as smartphones or smart wrist watches.

There are two direct implications of these trends for future mobile device usage. First, many users will use their mobile phone as their only device for performing security-relevant tasks, without any prior training or exposure to more traditional computing systems, so the services and applications will need to be intuitively usable. Second, these application scenarios will at the same time require higher security than current mobile device platforms provide. Moreover, the trade-off between usability and security is aggravated by the very different requirements of applications running on the same device and by the intrinsic context dependency: using a device within one’s own office requires a different trade-off than using it while crossing a busy road.

We therefore propose adding an intermediate layer between the physical device platform at the lower end and the applications at the upper end of the stack, providing users with a small number of well-defined and understandable security zones. Each zone holds a different set of applications and associated user data, and can apply different – potentially context-aware – security policies (such as authentication or networking restrictions). As motivating examples for applications with different security/usability requirements, we used mobile banking, accessing sensitive company email, and mobile gaming.
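To make the zone layer concrete, the following added example (not code from the project) models three zones for the motivating applications, each with a context-dependent policy, and shows how a zone switch is gated by the required authentication and how network access is restricted per zone. Zone names, application names, hosts and the two contexts are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Context(Enum):      # device context, e.g. own office vs. a public place
    OFFICE = "office"
    PUBLIC = "public"

class Auth(Enum):         # ordered: a higher value is a stronger authentication
    NONE = 0
    PIN = 1
    PIN_AND_TOKEN = 2

@dataclass(frozen=True)
class Policy:
    auth: Auth            # authentication required to enter the zone in this context
    hosts: frozenset      # network endpoints the zone's applications may reach

@dataclass(frozen=True)
class Zone:
    apps: frozenset       # applications (and their data) that live in this zone
    policies: dict        # Context -> Policy

# Constructed zone definitions for banking, company email and gaming.
ZONES = {
    "banking": Zone(frozenset({"bank-app"}), {
        Context.OFFICE: Policy(Auth.PIN, frozenset({"bank.example"})),
        Context.PUBLIC: Policy(Auth.PIN_AND_TOKEN, frozenset({"bank.example"}))}),
    "company": Zone(frozenset({"mail-app"}), {
        Context.OFFICE: Policy(Auth.NONE, frozenset({"mail.corp.example"})),
        Context.PUBLIC: Policy(Auth.PIN, frozenset({"mail.corp.example"}))}),
    "gaming": Zone(frozenset({"game-app"}), {
        Context.OFFICE: Policy(Auth.NONE, frozenset({"game.example"})),
        Context.PUBLIC: Policy(Auth.NONE, frozenset({"game.example"}))}),
}

def policy_for(zone_name, context):
    """Resolve the policy that applies to a zone in the current context."""
    return ZONES[zone_name].policies[context]

def switch_zone(target, context, presented):
    """Allow a zone switch only if the presented authentication meets the
    target zone's requirement for the current context; returns (ok, reason)."""
    required = policy_for(target, context).auth
    if presented.value < required.value:
        return False, f"{target} requires {required.name} in {context.value}"
    return True, f"entered {target}"

def network_allowed(zone_name, context, app, host):
    """Zone-scoped networking: the app must live in the zone and the host
    must be on the zone's list for the current context."""
    zone = ZONES[zone_name]
    return app in zone.apps and host in zone.policies[context].hosts
```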

In this work, we focused only on usability and compared multiple visualization and interaction mechanisms in terms of zone distinguishability, error rate, cognitive overhead, satisfaction, and time spent, in the context of our motivating examples. We implemented four different visualization methods (three in software, one with additional hardware) for conveying the current security zone to the user, and four different interaction methods (two gesture-based approaches, selection via the lock screen, and a hardware switch) for switching between zones. Based on an online and a laboratory user study, we evaluated these concepts from a usability point of view. For the online study, we used our logging toolkit from the AUToMAte project.

One important result is that, in the trade-off between security and usability, additional hardware can support the user’s awareness of their current zone context.

Publications

P. Riedl, R. Mayrhofer, A. Möller, M. Kranz, F. Lettner, C. Holzmann, M. Koelle: Only Play in Your Comfort Zone: Interaction Methods for Improving Security Awareness on Mobile Devices. Personal and Ubiquitous Computing, Vol. 19, No. 3, 2015, pp. 1-14.

Partners

Josef Ressel Center u’smile, University of Applied Sciences Upper Austria, Austria
Institute for Embedded Systems, University of Passau, Germany
Technical University of Munich, Germany

Researchers

Peter Riedl, Rene Mayrhofer, Florian Lettner, Clemens Holzmann
Department of Mobile Computing, University of Applied Sciences Upper Austria, Austria
{peter.riedl, rene.mayrhofer, clemens.holzmann} [at] fh-hagenberg.at

Matthias Kranz, Marion Kölle
Institute for Embedded Systems, University of Passau, Germany
matthias.kranz [at] uni-passau.de

Andreas Möller
Technical University of Munich, Germany