Can Johnny be a whistleblower? A qualitative user study of a social authentication Signal extension in an adversarial scenario

Authors: 

Maximilian Häring and Julia Angelika Grohs, University of Bonn; Eva Tiefenau, Fraunhofer FKIE; Matthew Smith, University of Bonn and Fraunhofer FKIE; Christian Tiefenau, University of Bonn

Abstract: 

To achieve a higher level of protection against person-in-the-middle attacks when using common chat apps with end-to-end encryption, each chat partner can verify the other party's key material via an out-of-band channel. This procedure of verifying the key material is called an authentication ceremony (AC) and can consist of, e.g., comparing textual representations, scanning QR codes, or using third-party social accounts. In the latter case, a user establishes trust by proving that they have access to a particular social media account. A study has shown that the usability of such social authentication can be very good; however, that study focused exclusively on secure cases, i.e., the authentication ceremonies were never attacked. To evaluate whether social authentication remains usable and secure when it is attacked, we implemented an interface for a recently published social authentication protocol called SOAP. We developed a study design to compare authentication ceremonies, conducted a qualitative user study with an attack scenario, and compared social authentication to textual and QR code authentication ceremonies. The participants took on the role of whistleblowers and were tasked with verifying the identities of journalists. In a pilot study, three out of nine participants were caught by the government due to SOAP, but with an improved interface, this number was reduced to one out of 18 participants. Our results indicate that social authentication can lead to more secure behavior than more traditional authentication ceremonies and that the scenario motivated participants to reason about their decisions.

BibTeX
@inproceedings {298870,
author = {Maximilian H{\"a}ring and Julia Angelika Grohs and Eva Tiefenau and Matthew Smith and Christian Tiefenau},
title = {Can Johnny be a whistleblower? A qualitative user study of a social authentication Signal extension in an adversarial scenario},
booktitle = {Twentieth Symposium on Usable Privacy and Security (SOUPS 2024)},
year = {2024},
isbn = {978-1-939133-42-7},
address = {Philadelphia, PA},
pages = {259--278},
url = {https://www.usenix.org/conference/soups2024/presentation/haring},
publisher = {USENIX Association},
month = aug
}