Usable Mobile Multi-Factor Authentication       


Rachel Bellamy photo Pau-Chen Cheng photoLarry Koved photo Jacquelyn Martino photoKapil Singh photo Calvin B. (Cal) Swart photoShari Trewin photo

Usable Mobile Multi-Factor Authentication - Risk Perception

As people conduct more of their online transactions through mobile devices, what security risks do they perceive? We are studying risk perception in mobile transactions, focusing on applications with high security requirements: mobile banking, employee access to company data, and access to medical data.

We are conducting psychometric studies of risk perception and attitudes towards mobile authentication. Our studies to date have included information technology workers, doctors and individuals accessing personal data (contacted through Amazon Mechanical Turk).

radar chart showing risks perceived for personal financial transactions and IT company employee transactions.

Differences in perceived risks between individuals performing personal banking transactions, and IT company employees. Each spoke represents a broad risk area, and the position of the data point indicates the percentage of respondents mentioning each type of risk.

The scenarios presented included the use of an app and the web to do personal banking, accessing confidential company information, accessing medical information, and using a credit card with an unknown online retailer. Participants were asked to imagine themselves in situations such as their office, a quiet train at night, and a busy cafe. Open questions were asked about security risks they perceived, and factors affecting their decision whether to perform the transaction at that time and place. Information technology workers accessing company information were more concerned about device-level security risks and observation risks than individuals accessing personal financial information.

Each of the general risk areas in the figure above comprises a set of related risks. For example, the 'Network' category includes man-in-the-middle attacks, network snooping, insecure data transmission, and unsafe WiFi or cellular networks. None of these individual risks was mentioned by more than 33% of participants. Only 46% of participants locked their phones. The most commonly cited risks were shoulder surfing and network snooping. Device theft, loss, hacking and malware were not prominent concerns.

All of the identified risk factors relate to the loss of personal or confidential information, including passwords. Larger consequences of loss, including access to personal or company accounts, financial loss, identity theft, and publication of private information, were also identified. Some participants also cited risks associated with using a mobile device in a particular situation, e.g. personal safety. Future studies using other scenarios and locations may expose further perceived risks.

We are now comparing these findings with actual risk as perceived by organizations, and identifying areas of mismatch between the users’ perceptions and the organization. Where there is a mismatch, risk communication with the user offers a way to align user and system perceptions of risk. When user and system perceptions are aligned, there is greater likelihood that users will accept and comply with organizational security requirements such as multi-factor authentication methods.