Send email Copy Email Address

Felix Koltermann

CISPA researcher conducts a self-experiment: On the difficulties of performing authentication ceremonies

Messenger services offer a relatively high level of security through standard end-to-end encryption. However, that's only true as long as the real person is actually the one doing the chatting on the other end. Few people realize that authentication of chat partners is crucial to prevent attacks on the messaging process. In a self experiment, Matthias Fassl from the research group of CISPA Faculty Dr. Katharina Krombholz examined why people rarely take these extra steps. The results have now been published as a paper at the Conference on Human Factors in Computing Systems.

For many years now, messenger services such as Signal, Threema or WhatsApp have been among the most popular and widespread forms of digital exchange between people. Not only text messages can be exchanged, but also images, documents and voice messages – of both private and business nature. This highlights the importance of the security of these services. Today, end-to-end encryption is the norm for many messenger services. This means that "as soon as messages leave a device, they are encrypted in such a way that only the receiving device can decrypt them," explains CISPA researcher Matthias Fassl. "The big uncertainty is whether the right person is actually sitting at the other end," Fassl continues. "One of the possible vulnerabilities is a man-in-the-middle attack, where someone pretends to be your friend Paul, for example. To fend off such an attack, users need to check that the key used to decrypt the text belongs to the right recipient. This is done with the help of authentication ceremonies". In concrete terms, this means that two users meet and authenticate each other via QR codes displayed on their smartphones.

Unusual methodological approach covers a research gap

The challenge, however, is that users rarely perform authentication ceremonies. According to Fassl, one reason for this is that the concept behind end-to-end encryption is "trust-on-first-use." This assumes that users trust the contacts they add to a messenger and confirm this by contacting them via the messenger. The actual encryption of the chats then takes place in the background. For this reason, many people do not even know that only the actual authentication of the chat partners offers the greatest possible security. According to the CISPA researcher, there are hardly any figures or studies on how often users perform authentication ceremonies. This is precisely where Fassl's interest comes in: He wants to know what makes implementing the ceremony so difficult. "Over time, it occurred to me that maybe factors that don't affect the user interface, but how we interact with each other, can also play a role," he says.

For his study, Fassl chose the method of autoethnography. "Ethnographic approaches are relatively practical for studying social and cultural factors between multiple people interacting socially," he says. "An autoethnography is the same thing, but with your own person. It's a special case and not as popular because the person doing the study and the person being studied are the same." Nonetheless, he says, there are also advantages to an autoethnographic approach, since "you don't always have to record everything with pinpoint accuracy, because things can be added afterwards from memory." Challenging because of the choice of method, on the other hand, was the publication of the results. "Due to the fact that the method is not so popular, it was a bit difficult to publish. It was also only the second autoethnography I found in the cybersecurity field."

Step-by-step procedure to authenticate conversations in messengers

Underestimated effort to perform the ceremonies

All the more interesting - even in the eyes of the reviewers - were the results Fassl was able to compile over several months of self-observation. For example, he was able to prove that the biggest challenge of authentication ceremonies is the planning and organizational effort. "Not only do I have to meet with people, but I also have to figure out how to fit the ceremony into the conversation," the CISPA researcher explains. "Personally, for the study, I went through all my contacts in messengers and checked who already had a green check mark and who I still needed to authenticate. I then tried to work through that relatively systematically." In this process, even before the actual ceremony, he says there are several points where breaks can occur. "Those are moments when people drop out because they forget about the ceremony or more exciting conversation topics come up during the social interaction."

Also, he often had to explain to his conversation partners what the authentication ceremony was all about. Here it became apparent that personal factors play a decisive role, which can vary greatly from individual to individual. "In my case, the strongest influence was that my contacts know that I am a researcher in the field of cybersecurity," he says. "That means when I suggest trying a security mechanism, there's a lot of authority that comes with it. Disagreeing with me would express a lack of appreciation." The importance of framing one's own experience becomes apparent in an autoethnographic approach, as he continues: "What I described in the study was probably still a relatively positive outlook because of my personal factors. Other people probably would have had a much harder time performing these ceremonies."

Consequences and possible design changes

More fundamentally, Fassl is extremely keen to emphasize the way in which safety issues and human factors are closely connected. "I believe that behind every technical security there is always a human factor that wants to protect or avoid something." This is particularly important in authentication ceremonies, he adds. "The difference between normal security mechanisms and authentication ceremonies is that we often implement the former just for ourselves. The latter are a special case in that we need to work together to ensure our collective security." Technology is only ever part of the solution, which is what the term 'social-technical gap' attempts to describe. The social-technical gap describes the difference between what the technology allows and what users are able and willing to implement. "In this case, it means that the authentication ceremony must somehow be incorporated into everyday life and conversations" explains Fassl.

"My thoughts go in the direction of relieving the user of organizational effort," the CISPA researcher continues. "Technical support could help bridge the social-technical gap. This would be possible, among other things, with automated notifications on smartphones at appropriate times. Individuals could still opt out, of course. But it would be a convenient reminder." Fassl and his colleagues have many ideas for trying out new solutions themselves. And even if no concrete research project is currently linked to it, Fassl is sure: "I don't think that the topic is dead yet."