"It's Just a Lot of Prerequisites": A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator
Two-factor authentication (2FA) overcomes the insecurity of passwords by adding a second factor to the authentication process. A variant of 2FA, which is even phishing-resistant unlike, e.g., SMS-based implementations, is offered by the FIDO2 protocol. In 2018 its compatibility with eID, the German electronic identification system, which is built into every German ID card, was published. Thus, users who own a German ID card may use it as a second factor to secure their online accounts. We conducted a qualitative study with n = 20 participants to collect users' impressions of the usability when utilizing an ID as a second factor, their perception of security, and the overall acceptance. After showing participants an introductory video to familiarize them with the procedure, they completed a hands-on task for which they first set up an ID as a second factor and then used it to log in. Users' opinions, thoughts, and concerns were collected through multiple-choice questions and structured interviews. We find that most non-tech-savvy users struggle with the setup but generally perceive the login to be easy. Users with a tech background faced fewer issues when setting up the ID as a second factor but pointed out to prefer other alternatives. Finally, we observe a misconception regarding the transmission of personal information to the authenticating service despite several indicators of privacy-conform data handling. Based on our findings, we depict which aspects need to be addressed in order to provide a competitive alternative to established second factors
"I Knew It Was Me": Understanding Users' Interaction with Login Notifications
Login notifications are intended to inform users about recent sign-ins and
help them protect their accounts from unauthorized access. The notifications
are usually sent if a login occurs from a new location or device, which could
indicate malicious activity. They mostly contain information such as the
location, date, time, and device used to sign in. Users are challenged to
verify whether they recognize the login (because it has been them or someone
they know) or to proactively protect their account from unwanted access by
changing their password. In two user studies, we explore users' comprehension,
reactions, and expectations of login notifications. We utilize two treatments
to measure users' behavior in response to login notifications sent for a login
they initiated themselves or based on a malicious actor relying on statistical
sign-in information. Users feel relatively confident identifying legitimate
logins but demonstrate various risky and insecure behaviors when it comes to
malicious sign-ins. We discuss the identified problems and give recommendations
for service providers to ensure usable and secure logins for everyone
"I have no idea what they're trying to accomplish:" Enthusiastic and Casual Signal Users' Understanding of Signal PINs
We conducted an online study with Signal users on their
understanding and usage of PINs in Signal. In our study, we observe a split in
PIN management and composition strategies between users who can explain the
purpose of the Signal PINs (56%; enthusiasts) and users who cannot (44%; casual
users). Encouraging adoption of PINs by Signal appears quite successful: only
14% opted-out of setting a PIN entirely. Among those who did set a PIN, most
enthusiasts had long, complex alphanumeric PINs generated by and saved in a
password manager. Meanwhile more casual Signal users mostly relied on short
numeric-only PINs. Our results suggest that better communication about the
purpose of the Signal PIN could help more casual users understand the features
PINs enable (such as that it is not simply a personal identification number).
This communication could encourage a stronger security posture.
Comment: To appear at Symposium on Usable Privacy and Security (SOUPS) 202
Knock, Knock. Who's There? On the Security of LG's Knock Codes
Knock Codes are a knowledge-based unlock authentication scheme used on LG
smartphones where a user enters a code by tapping or "knocking" a sequence on a
2x2 grid. While a lesser-used authentication method compared to PINs or
Android patterns, there is likely a large number of Knock Code users; we
estimate 700,000--2,500,000 in the US alone. In this paper, we studied Knock
Codes security asking participants to select codes on mobile devices in three
settings: a control treatment, a blocklist treatment, and a treatment with a
larger, 2x3 grid. We find that Knock Codes are significantly weaker than other
deployed authentication, e.g., PINs or Android patterns. In a simulated
attacker setting, 2x3 grids offered no additional security, but blocklisting
was more beneficial, making Knock Codes' security similar to Android patterns.
Participants expressed positive perceptions of Knock Codes, but usability was
challenged. SUS values were "marginal" or "ok" across treatments. Based on
these findings, we recommend deploying blacklists for selecting a Knock Code
because it improves security but has limited impact on usability perceptions
Mechanical Stability of PV Modules: Analyses of the Influence of the Glass Quality
A significant increase in reported glass breakages from the field was recognized during the past three years, where a disproportionately high number of modules were affected by glass breakage. Different substructures and module designs are affected: framed and unframed modules, tracked and fixed systems. What all inquiries have in common, however, is that modules with a double-glazed design with ≤ 2.5 mm glass thicknesses are affected and the problems were observed after just a few months in field operation. Various factors such as heavy weather events, faulty installation or errors in the structural design could be excluded as root causes, and our experience points to additional, more fundamental problems that are associated in particular with the continuing trend towards larger modules > 3 m² and thinner module glass ≤ 2 mm. Furthermore, it seems that the residual compressive surface stress of the glass, one major parameter that determines the stability of glass panes, has not yet been considered in this context in the PV module industry. In this work, we focus on the glass thickness in combination with the compressive surface stress. Besides qualitative methods, one possibility to investigate the surface stress quantitatively is a scattered light polariscope (SCALP), previously used in the glass industry. In particular, the aim is to validate the SCALP measurement method for use on PV modules. Furthermore, a potential correlation between the surface compressive stress and the mechanical stability of various common module designs with 2 mm and 1.6 mm glass is investigated
Towards Quantum Large-Scale Password Guessing on Real-World Distributions
Password-based authentication is a central tool for end-user security.
As part of this, password hashing is used to ensure the security of passwords at rest.
If quantum computers become available at sufficient size, they are able to significantly speed up the computation of preimages of hash functions.
Using Grover's algorithm, at most, a square-root speedup can be achieved, and thus it is expected that quantum password guessing also admits a square-root speedup.
However, password inputs are not uniformly distributed but highly biased.
Moreover, typical password attacks do not only compromise a random user's password but address a large fraction of all users' passwords within a database of millions of users.
In this work, we study those quantum large-scale password guessing attacks for the first time.
In comparison to classical attacks, we still gain a square-root speedup in the quantum setting when attacking a constant fraction of all passwords, even considering strongly biased password distributions as they appear in real-world password breaches.
We verify the accuracy of our theoretical predictions using the LinkedIn leak and derive specific recommendations for password hashing and password security for a quantum computer era
A note on comonotonicity and positivity of the control components of decoupled quadratic FBSDE
In this small note we are concerned with the solution of Forward-Backward
Stochastic Differential Equations (FBSDE) with drivers that grow quadratically
in the control component (quadratic growth FBSDE or qgFBSDE). The main theorem
is a comparison result that allows comparing componentwise the signs of the
control processes of two different qgFBSDE. As a byproduct one obtains
conditions that allow establishing the positivity of the control process.
Comment: accepted for publication
Event-shape engineering for inclusive spectra and elliptic flow in Pb-Pb collisions at √(s_NN) = 2.76 TeV
Peer reviewed
Production of ⁴He and (4) in Pb-Pb collisions at √(s_NN) = 2.76 TeV at the LHC
Results on the production of ⁴He and (4) nuclei in Pb-Pb collisions at √(s_NN) = 2.76 TeV in the rapidity range |y| < 1, using the ALICE detector, are presented in this paper. The rapidity densities corresponding to 0-10% central events are found to be dN/dy(⁴He) = (0.8 ± 0.4 (stat) ± 0.3 (syst)) × 10⁻⁶ and dN/dy(4) = (1.1 ± 0.4 (stat) ± 0.2 (syst)) × 10⁻⁶, respectively. This is in agreement with the statistical thermal model expectation assuming the same chemical freeze-out temperature (T_chem = 156 MeV) as for light hadrons. The measured ratio of (4)/⁴He is 1.4 ± 0.8 (stat) ± 0.5 (syst). (C) 2018 Published by Elsevier B.V.
Peer reviewed