TY - GEN
T1 - Can unicorns help users compare crypto key fingerprints?
AU - Tan, Joshua
AU - Bauer, Lujo
AU - Bonneau, Joseph
AU - Cranor, Lorrie Faith
AU - Thomas, Jeremy
AU - Ur, Blase
N1 - Publisher Copyright: © 2017 ACM.
PY - 2017/5/2
Y1 - 2017/5/2
N2 - Many authentication schemes ask users to manually compare compact representations of cryptographic keys, known as fingerprints. If the fingerprints do not match, that may signal a man-in-the-middle attack. An adversary performing an attack may use a fingerprint that is similar to the target fingerprint, but not an exact match, to try to fool inattentive users. Fingerprint representations should thus be both usable and secure. We tested the usability and security of eight fingerprint representations under different configurations. In a 661-participant between-subjects experiment, participants compared fingerprints under realistic conditions and were subjected to a simulated attack. The best configuration allowed attacks to succeed 6% of the time; the worst 72%. We find the seemingly effective compare-and-select approach performs poorly for key fingerprints and that graphical fingerprint representations, while intuitive and fast, vary in performance. We identify some fingerprint representations as particularly promising.
KW - Authentication
KW - Key fingerprints
KW - Secure messaging
KW - Usability
UR - http://www.scopus.com/inward/record.url?scp=85038934323&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85038934323&partnerID=8YFLogxK
U2 - 10.1145/3025453.3025733
DO - 10.1145/3025453.3025733
M3 - Conference contribution
AN - SCOPUS:85038934323
T3 - Conference on Human Factors in Computing Systems - Proceedings
SP - 3787
EP - 3798
BT - CHI 2017 - Proceedings of the 2017 ACM SIGCHI Conference on Human Factors in Computing Systems
PB - Association for Computing Machinery
T2 - 2017 ACM SIGCHI Conference on Human Factors in Computing Systems, CHI 2017
Y2 - 6 May 2017 through 11 May 2017
ER -