Evaluating Re-authentication Strategies for Smartphones

Abstract

Re-authenticating users may be necessary for smartphone authentication schemes that leverage user behavior, device context, or task sensitivity. However, due to the unpredictable nature of re-authentication, users may get annoyed when they have to use the default, non-transparent authentication prompt for re-authentication. We address this concern by proposing a few configurations with varying levels of screen transparency and time delays when displaying the authentication prompt. We conduct user studies with 30 participants to evaluate the usability and security of these configurations. We also study whether the user preferences of the configurations vary depending on the application the participants are using on their device or their surrounding environment. We find that the participants generally prefer the authentication configuration with a non-transparent background for sensitive applications, such as banking and photo apps. Our findings also indicate that the user preferences are inclined towards convenient, usable configurations while participants are using their devices at home. Though we did not observe any significant differences in the task completion overhead and context switch overhead among our proposed configurations, we find that participants utilize the time delay just before the authentication prompt is going to appear to complete their current task. We also provide implementation details of our Android lock library, FireLock, which developers can use to re-authenticate users while they are using their app. We conclude with suggestions to improve the design of the proposed configurations as well as a discussion of other mechanisms to notify the users in case of re-authentication.