Security and Privacy Mechanisms for Users with Cognitive or Physical Impairments


Feb 23, 2014


Cognitive and Physical Disabilities







Jinjuan Feng
Towson University
Computer and Information Sciences Department
Towson, MD 21252
jfeng@towson.edu



Lecture 5

Security and Privacy Mechanisms for Users with Cognitive or Physical Impairments

At a Glance

Instructor’s Manual Table of Contents



- Lecture Overview
- Lecture Outline
- Lecture Objectives
- Lecture Notes
- Teaching Tips
- Discussion Topics
- Key Terms
- Additional Project Ideas


Lecture Overview

In this lecture, we will discuss how cognitive and physical disabilities affect a user’s ability to complete security or privacy related activities. Cognitive disabilities have a substantial impact on a variety of skills needed to understand and interact with security related applications such as authentication methods. Physical disabilities mainly affect the user’s ability to enter information into the computer. Design guidelines will be discussed to meet the special needs of both types of disabilities.

Lecture Outline

Lecture Topics

- Introduction
- IA applications and cognitive impairments
- Authentication mechanisms and cognitive capability
- HIPs and cognitive capability
- Design guidelines for users with cognitive disabilities
- Computer skills affected by physical disabilities
- Solutions to accommodate physical disabilities
- IA design for physical disabilities


Lecture Objectives

When you complete this material, you will be able to:

- Understand the impact of cognitive and physical disabilities on the use of IA applications
- Understand the special issues that need to be considered when designing authentication mechanisms
- Understand Human Interaction Proofs (HIPs) and the challenges that users with cognitive disabilities experience when using HIPs




- Understand the limitations of alternative interaction solutions for users with physical disabilities
- Apply the design guidelines to accommodate the special needs of users with cognitive or physical disabilities

Setup Notes

This lecture could be completed in a single class session, if there is sufficient time to cover the material. The subject matter from the existing PowerPoint slides can be covered in approximately 1.5 hours. The class discussion and exercises will take approximately 0.5 to 1 hour.

Lecture Notes and Teaching Tips

Introduction

Both cognitive disabilities and physical disabilities affect a user’s capability to interact with IA (information assurance) applications (Newell et al. 2008; Sears et al. 2008). Cognitive abilities are needed for a broad range of activities: understanding the need for security and privacy related applications, learning to use those applications, accurately retrieving and recognizing specific information, accurately entering the required information in a timely manner, organizing and managing specific information, etc. Physical disabilities mainly affect a user’s ability to enter information into the IA applications. Alternative interaction solutions adopted by users with physical disabilities have special features that need to be considered. Existing research in related fields is limited. This lecture discusses the interaction characteristics of users with cognitive or physical disabilities. In addition, design guidelines to accommodate the special needs of these individuals are summarized.

IA applications and cognitive disabilities

Cognitive capabilities are involved in a variety of activities related to IA applications. Typically, three major types of cognitive abilities are needed:

- Memory: Human memory is needed for almost all computer related activities, but the usage of IA applications has a much higher requirement on memory compared to the majority of everyday interaction activities. The typical example is the use of authentication methods such as user name and password, which frequently require the recall of information.
- Reading and recognition: Reading and recognition skills are required for many IA applications. One very unique example is Human Interaction Proofs (HIPs), which present distorted text that the users need to recognize.




- Understanding and learning: The use of IA mechanisms in general requires the ability to understand why those mechanisms are needed and to learn how they can be used.

A variety of conditions or diseases can affect an individual’s cognitive abilities. Typical examples include:

- Genetic diseases such as Down syndrome and Williams syndrome
- Memory loss and dementia
- Conditions or diseases associated with aging such as Alzheimer’s disease
- Brain diseases or injuries

Authentication mechanisms and strategies

User authentication is the entry point for users to access systems or applications that provide specific services or secured information. Once authenticated, the user will be granted access to the system with specific authority. For example, with an online banking system, the user can transfer the money in the account once having been authenticated by the system.

A variety of authentication mechanisms are currently available, such as the traditional text-based passwords, graphical passwords, authentication with challenging questions, and biometric authentication techniques. Among them, the traditional authentication method using a text-based user name and password is still the dominant technique, but other techniques are gaining popularity.

Text-based authentication methods

When using the traditional text-based authentication method, most users have to remember multiple sets of user names and passwords for the numerous accounts that they have. Users are always recommended or required to use ‘strong’ passwords that are typically hard to remember (Microsoft Corporation, 2005). Sample rules include but are not limited to:

- At least 8 digits long
- Contain both letters and numbers, and even better, symbols
- Contain both uppercase and lowercase letters
- Passwords need to be changed every 2 or 3 months



There are two ways to generate text-based user names and passwords: user generated or machine generated. User generated user names and passwords are normally less robust but easy to remember because they typically contain meaningful words, phrases, or numbers that can be related to something familiar to the user (e.g., birthday, pet’s name, etc.). Machine generated passwords contain random letters, numbers, or symbols. They are usually more robust than user generated passwords, but they are also normally much harder to remember.

Text-based passwords can be very hard to remember even for neurotypical users. They present a much higher challenge for users with cognitive disabilities who have limited memory and analytical capabilities.


Password generation strategies:

Different strategies can be used by users to create passwords. Typical examples include:

- Meaningful words: Examples include ‘cat’, ‘wonderful’, etc. They are typically vulnerable to attacks.
- Meaningful phrases: Examples include ‘gonewiththewind’, ‘ruleofthumb’, etc. They are typically vulnerable to attacks.
- Numbers with specific patterns: Examples include ‘1234567’, ‘01012010’, etc. They are also vulnerable to attacks.
- Words strengthened with numbers: Examples include ‘cat2010’, ‘johndoe99’, etc. They are typically vulnerable to attacks.
- Mnemonic passwords: Mnemonic passwords are short forms of the pass-sentence or pass-phrase used for authentication, e.g., ‘OUATIA’ for ‘Once upon a time in America’. It is often assumed that mnemonic passwords will be stronger than “regular” passwords. Meanwhile, mnemonic passwords are easier to remember than random passwords (Kuo et al. 2006).
- Random letters and numbers: Such as ‘xbz8tyx’. They are typically more robust than the previously mentioned strategies, but they are very difficult to remember.

Text-based authentication and memorability

User studies suggest that even neurotypical users have difficulty remembering user names and passwords. Therefore, they tend to use less secure passwords that are easier to remember, or to write down their passwords. The problem of memorability is much more severe for individuals with limited memory skills. For example, a survey on computer usage by children with Down syndrome (DS) found that many children cannot access online resources due to authentication mechanisms (Feng et al. 2010).


The mnemonic phrase strategy may be a potentially useful approach for individuals with cognitive disabilities. Mnemonic passwords are passwords that are a short form of the pass-sentence or pass-phrase used for authentication. A simple example is using the initial letters of each word in the pass-sentence to form the password, e.g., ‘OUATIA’ for ‘Once upon a time in America’. A more complex way is using numbers or special characters to replace some words in the pass-sentence, or using upper case letters and punctuation in the password. For example, the pass-sentence “I ate my oatmeal today” can become “I8myo2day”. It is often assumed that mnemonic passwords will be stronger than “regular” passwords for three reasons. First, mnemonic passwords do not appear in any password cracking dictionary. Second, the phrases will help users incorporate different character classes, such as upper case letters or punctuation, into their passwords. Last, the space of possible phrases is virtually infinite. Meanwhile, mnemonic passwords are easier to remember than random passwords.

User studies conducted by Yan et al. (2005) suggest that:

- passwords based on mnemonic phrases are harder to crack than naively selected passwords
- passwords based on mnemonic phrases are as robust as randomly generated passwords
- passwords based on mnemonic phrases are as easy to remember as naively selected passwords

The mnemonic phrase strategy may be recommended for individuals with limited memory.
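The two mnemonic derivations described above, together with the sample password rules listed earlier in the lecture, as an added example (not code from the lecture notes). The substitution table and the rule of keeping one- and two-letter words whole are assumptions chosen so that the notes’ own examples are reproduced.

```python
"""Added example (not from the lecture notes): derive a mnemonic password from a
pass-sentence in the two ways described in the lecture, and check the result
against the lecture's sample password rules.  The substitution table and the
'keep words of one or two letters' rule are assumptions that reproduce the
notes' own examples."""
import string

# Constructed word-to-symbol substitutions (assumed, not from the notes).
SUBSTITUTIONS = {"ate": "8", "today": "2day", "for": "4", "to": "2", "and": "&"}


def initials(sentence: str) -> str:
    """Simple form: the initial letter of every word, in upper case.
    'Once upon a time in America' -> 'OUATIA'."""
    return "".join(word[0] for word in sentence.split()).upper()


def mnemonic(sentence: str, subs: dict = SUBSTITUTIONS) -> str:
    """More complex form: swap listed words for numbers or symbols, keep very
    short words whole (one or two letters, e.g. 'I', 'my'), and reduce every
    other word to its first letter.  'I ate my oatmeal today' -> 'I8myo2day'."""
    parts = []
    for word in sentence.split():
        key = word.strip(string.punctuation).lower()
        if key in subs:
            parts.append(subs[key])
        elif len(key) <= 2:
            parts.append(word.strip(string.punctuation))
        else:
            parts.append(word[0])
    return "".join(parts)


def rule_report(password: str) -> dict:
    """Evaluate the lecture's sample rules: at least 8 characters (the notes
    write 'digits'), letters and numbers, mixed case; symbols are 'even better'."""
    return {
        "length_ok": len(password) >= 8,
        "letters_and_numbers": any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password),
        "mixed_case": any(c.isupper() for c in password)
        and any(c.islower() for c in password),
        "has_symbol": any(c in string.punctuation for c in password),
    }


def meets_sample_rules(password: str) -> bool:
    """True when the mandatory rules hold (a symbol is optional)."""
    r = rule_report(password)
    return r["length_ok"] and r["letters_and_numbers"] and r["mixed_case"]
```

Comparing the two outputs shows why the notes favour the more complex form: the plain initials ‘OUATIA’ fail the length and character-class rules, while ‘I8myo2day’ satisfies them.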


Other authentication methods

Graphical passwords

Graphical passwords use images for the purpose of authentication. Types of graphical passwords include:

- Image recognition: e.g., art, cartoons, photos of human faces
- Tapping or drawing: e.g., tap a specific area of an image, draw an image (Monrose and Reiter 2005)
- Image interpretation

The major advantage of graphical passwords is that a graphical password is easier to remember than a text password. For example, a study found that the login failure rate of Passfaces was one third of that of text-based passwords (Brostoff and Sasse 2000), despite the fact that the participants used Passfaces to access the system less frequently. The disadvantage is that a graphical password is more vulnerable to brute force attack. User studies also suggest that a user has to pick specific types of pictures in order to remember the graphical passwords. Graphical passwords that require the correct order are much harder to remember than those that don’t require order.


Challenging questions

Many websites use challenging questions as an additional authentication method alongside passwords. Challenging questions can be difficult for users with cognitive impairments for several reasons:

- Users may forget the answer to a specific question
- Users may spell the answer in a different way (e.g., no space vs. with space)
- Users may mix up uppercase and lowercase letters
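One way a site can absorb the spacing and case variations listed above without weakening how the answer is stored, as an added example (not code from the lecture notes). The PBKDF2 iteration count and the 16-byte salt are assumed values.

```python
"""Added example (not from the lecture notes): store and check challenge-question
answers so that spacing and case variations do not reject a legitimate user.
The iteration count and salt length are assumed values for illustration."""
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tune for the deployment


def normalize_answer(answer: str) -> str:
    """Canonical form: Unicode-compatible, case-folded, letters and digits only.
    'New York', 'new york' and 'NEWYORK' all map to 'newyork'."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def enroll_answer(answer: str, salt: bytes = b"") -> tuple:
    """Hash the normalized answer at enrollment; returns (salt, digest).
    A fresh random salt is drawn unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Normalize the submitted answer the same way, re-derive the digest and
    compare in constant time so timing does not leak how close a guess was."""
    probe = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(probe, digest)
```

Normalization collapses some distinct answers into one, so the question remains a supplement to the password and the usual attempt limits still apply to it.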


Biometric methods

Biometric methods authenticate a person’s identity by verifying personal characteristics (Vacca, 2007). Examples of biometric authentication methods include:

- Signature identification
- Voice verification
- Iris recognition
- Face recognition
- Fingerprint verification
- Hand geometry systems

Biometric authentication is more accessible for users with cognitive disabilities because it does not require substantial memory. However, currently the cost of adopting a biometric authentication method is still high and the techniques are not widely adopted.


HIPs and cognitive capability

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart; it is also called a HIP (Human Interaction Proof). It is a program that can generate and grade tests that most humans can pass, but current computer programs can’t pass (Chellapilla et al. 2005). Major types of HIPs include:

- Character-based HIPs: A string of characters is presented to the user. This string can contain either words or random alphanumeric characters.
- Image-based HIPs: This is normally in the form of an identifiable real-world object, but can also be presented in the form of shapes.
- Audio-based HIPs: The user is presented with an audio version of a HIP.

In order to successfully solve a HIP, users need the following abilities:

- Reading
- Visual perception skills for visual HIPs
- Audio processing skills for audio HIPs
- Memory skills in specific cases
- Typing


There is a fundamental dilemma between the goal of HIPs and the special needs of individuals with cognitive disabilities. HIPs are highly challenging for individuals with cognitive disabilities due to limited reading, understanding, and typing skills. Due to the recent breakthroughs in artificial intelligence, major websites increased the distortion rates in order to fight automated ‘bot’ attacks. The increasing distortion rates make the task even harder for users with cognitive disabilities. To date, there is no reported satisfactory solution that makes HIPs fully accessible for individuals with cognitive disabilities.


Design guidelines for users with cognitive disabilities

Our understanding is rather limited regarding how to design and develop accessible and usable IA applications for users with cognitive disabilities. Based on the existing knowledge and the general design guidelines, we propose the following guidelines for consideration:

- Automatically generated passwords do not work well for individuals with cognitive disabilities
- The mnemonic phrase strategy may be recommended for individuals with limited memory
- Graphical passwords that require the correct order are not appropriate for individuals with limited memory
- Biometric authentication methods are recommended for individuals with cognitive disabilities
- HIPs with high distortion rates are not appropriate
- Instructions for security and privacy software need to be written in simple language and delivered in a consistent way
- Allow longer time for the user to react to the system


Computer skills affected by physical disabilities

Not all physical disabilities affect the ability to use computers. In this lecture, we focus on the physical disabilities in hands and arms that hinder the use of traditional input devices such as keyboard and mouse. Many types of physical disabilities affect the user’s ability to enter information into the computer. Examples include:

- Complete loss of motor abilities in hands or arms: e.g., high level spinal cord injury (SCI), Amyotrophic Lateral Sclerosis (ALS), missing limbs, etc.
- Limited capabilities: e.g., Repetitive Strain Injury (RSI), shaking hands caused by Parkinson’s disease or stroke, etc.

Most users have some remaining capabilities in their hands and arms and still depend on keyboard and mouse, or on a modified keyboard and mouse or software, to interact with computers. Typical modified keyboard and mouse solutions include:

- One hand keyboard




- Keyguard
- Predictive software
- Software filter for common errors
- Keyboard optimizer to adapt to users’ needs

The modified devices or software can reduce errors, but a substantial amount of errors still exists. The data entry rate also remains rather low.


Solutions to accommodate physical disabilities

To fully address the challenges of physical disabilities, alternative solutions were proposed that employ other human abilities that are not affected by the condition or disease. These solutions allow the users to interact with computers without keyboard and mouse. Typical examples include:

- Speech-based interaction
- Eye-controlled interaction
- Head-controlled interaction
- Electrophysiological solutions

Speech-based interaction has many advantages. This method is easy to learn, the interaction style is quite natural, the technique is comparatively mature, and the applications bear low cost and are easily accessible. However, speech-based interaction also has notable disadvantages. One of the most challenging problems is the substantial amount of recognition errors. The error correction process is tedious and slow. There are also security and privacy concerns related to speech techniques. For example, if a user dictates his password to the computer using speech recognition software, other people nearby can easily overhear his password.

Eye-controlled interaction and head-controlled interaction also have high error rates. They may also cause fatigue. In order to achieve satisfactory accuracy, the application needs constant calibration. Electrophysiological solutions allow the user to interact with computers via electrophysiological signals. Currently, these types of techniques have very high error rates and are not mature enough for real life tasks.


IA design for physical disabilities

Since both the modified keyboard and mouse solutions and the alternative solutions have high error rates, IA design for physical disabilities needs to consider recognition errors. Recognition errors are very different from typos in that they are all correctly spelled words and therefore are impossible to detect by spelling software.

Users who use recognition-based techniques need to see the output to tell whether the input was correctly recognized, but passwords are typically shown as specific symbols, so the user cannot tell whether the password was entered correctly. The users could only tell whether the entry is correct after submitting it. Therefore, the user can easily be locked out of his/her account.

IA design for physical disabilities also needs to consider low entry speed. Users of both modified entry methods and alternative techniques have much lower data entry rates compared to typical users. For speech techniques, the speed is even lower when it comes to the entry of letters, numbers, and symbols. Therefore, the system needs to allow longer time for the user to enter passwords or deal with other security or privacy mechanisms.
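A server-side login policy that applies the two considerations above (a longer entry window, and slowing repeated misrecognized entries down instead of locking the account out), as an added example that is not code from the lecture notes. The window, attempt and delay values are assumptions chosen for illustration.

```python
"""Added example (not from the lecture notes): a login gate that gives the user
a long window to finish entering credentials and, after repeated wrong entries
(as recognition errors produce), applies an escalating delay instead of an
abrupt lockout.  All policy values are assumptions chosen for illustration."""
import time
from dataclasses import dataclass


@dataclass
class EntryPolicy:
    entry_window_s: float = 600.0   # time allowed to finish entering credentials
    free_attempts: int = 5          # failures tolerated before any delay applies
    base_delay_s: float = 2.0       # first delay once free attempts are used up
    max_delay_s: float = 300.0      # cap: the user is slowed down, never locked out


@dataclass
class LoginState:
    form_issued_at: float
    failures: int = 0
    next_allowed_at: float = 0.0


def delay_after(failures: int, policy: EntryPolicy) -> float:
    """Seconds to wait after the given number of consecutive failures; doubles
    per failure beyond the free ones and is capped at max_delay_s."""
    excess = failures - policy.free_attempts
    if excess <= 0:
        return 0.0
    return min(policy.base_delay_s * 2 ** (excess - 1), policy.max_delay_s)


class LoginGate:
    def __init__(self, policy: EntryPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock            # injectable so the behaviour can be tested
        self.states: dict = {}

    def open_form(self, user: str) -> None:
        """Called when the login form is shown; starts the entry window."""
        self.states[user] = LoginState(form_issued_at=self.clock())

    def attempt(self, user: str, credential_ok: bool) -> str:
        """Record one submission; credential_ok is the caller's own password
        check.  Returns 'expired' (window passed, re-issue the form, nothing
        counted), 'too_soon' (still inside a delay, not counted), 'retry'
        (wrong entry, counted) or 'ok' (accepted, failure count reset)."""
        now = self.clock()
        state = self.states.setdefault(user, LoginState(form_issued_at=now))
        if now - state.form_issued_at > self.policy.entry_window_s:
            return "expired"
        if now < state.next_allowed_at:
            return "too_soon"
        if credential_ok:
            state.failures = 0
            state.next_allowed_at = 0.0
            return "ok"
        state.failures += 1
        state.next_allowed_at = now + delay_after(state.failures, self.policy)
        return "retry"
```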


Take Home Messages

The essential take home messages of this lecture are summarized in the following checklist:

1. Cognitive disabilities affect a variety of activities involved in the use of IA applications. Physical disabilities mainly affect information entry to the IA applications.
2. The design of IA applications needs to consider the possibility of lowering the cognitive demand in general.
3. Automatically generated passwords do not work well for individuals with cognitive disabilities.
4. The mnemonic phrase strategy may be recommended for individuals with limited memory.
5. Graphical passwords that require the correct order are not appropriate for individuals with limited memory.
6. Biometric authentication methods are recommended for individuals with cognitive disabilities.
7. HIPs with high distortion rates are not appropriate.
8. The design of IA applications for users with physical disabilities needs to consider recognition errors and low data entry speed.

Discussion Topics

1. How do cognitive disabilities affect the use of IA applications?
2. What kinds of cognitive capabilities are needed when using authentication applications?
3. What are the major types of authentication methods?
4. What are the two ways to generate passwords?
5. What are the typical strategies that users adopt to create their passwords?
6. What is the appropriate password generation strategy for users with cognitive disabilities?
7. What are the major types of graphical passwords?
8. Are graphical passwords appropriate for users with cognitive disabilities? Why?
9. What are the major types of biometric authentication methods?


10. Are biometric authentication methods appropriate for users with cognitive disabilities? Why?
11. Why are HIPs challenging for users with cognitive disabilities?
12. How do physical disabilities affect the use of IA applications?
13. What are the alternative interaction solutions for users with physical disabilities?
14. What are the advantages and disadvantages of speech-based interaction techniques?
15. What should you consider when designing IA applications for users who use recognition-based solutions?


Project Ideas

1. Ask the students to work as a group and imagine that they are designing a website for an online group of young adults with Down syndrome. The website will have a discussion board and requires user authentication. The students need to decide what kind of authentication methods would be appropriate, whether HIPs need to be adopted, and other questions that might be related.
2. Ask the students to work as a group and imagine that they are hired by a bank to improve the existing user authentication method of the bank website. One problem they need to address is accommodating the users who access their personal accounts via recognition-based techniques (e.g., speech recognition software). The students need to come up with a design plan that fits the special characteristics of recognition-based solutions.

Key Terms

- Cognitive disabilities
- Physical disabilities
- Authentication methods
- Human Computer Proofs
- Biometric authentication methods
- Recognition-based techniques


References

Brostoff, S. and Sasse, A. (2010) Are Passfaces More Usable Than Passwords? A Field Trial Investigation. Last retrieved on February 7, 2010 at http://hornbeam.cs.ucl.ac.uk/hcs/publications/Brostoff+Sasse_Are%20Passfaces%20more%20usable%20than%20passwords_HCI%202000.pdf

Chellapilla, K., Larson, K., Simard, P., and Czerwinski, M. (2005) Designing human friendly human interaction proofs (HIPs). Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 711-720.

Feng, J., Lazar, J., Kumin, L., and Ozok, A. (2010) Computer Usage by Children with Down Syndrome: Challenges and Future Research. ACM Transactions on Accessible Computing. Vol. 2 (3).


Kuo, C., Romanosky, S., and Cranor, L. (2006) Human selection of mnemonic phrase-based passwords. Proceedings of SOUPS 2006. 67-68.

Microsoft Corporation. (2005) Strong Passwords: How to Create and Use Them.

Monrose, F. and Reiter, M. K. (2005) Graphical passwords. In L. F. Cranor and S. Garfinkel, eds. Security and Usability: Designing Secure Systems that People Can Use. O’Reilly Media, Inc. 147-164.

Newell, A., Carmichael, A., Gregor, P., Alm, N., and Waller, A. (2008) Information technology for cognitive support. In A. Sears and J. Jacko, eds. The Human-Computer Interaction Handbook. Mahwah, NJ: Lawrence Erlbaum and Associates. 811-828.

Sears, A., Young, M., and Feng, J. (2008) Physical Disabilities and Computing Technologies: An Analysis of Impairments. In A. Sears and J. Jacko, eds. The Human-Computer Interaction Handbook. Mahwah, NJ: Lawrence Erlbaum and Associates. 829-852.

Vacca, J. (2007) Biometric Technologies and Verification Systems. Butterworth-Heinemann.

Yan, J., Blackwell, A., Anderson, R., and Grant, A. (2005) The memorability and security of passwords. In L. F. Cranor and S. Garfinkel, eds. Security and Usability: Designing Secure Systems that People Can Use. O’Reilly Media, Inc. 129-142.