The balancing act between security and usability is hard to achieve. Inevitably, compromises are made, either by system designers or by wily users who find ways to circumvent complex rules and processes. But researchers from the University of Pretoria in South Africa have designed a new approach to authentication.
Gamification uses the constructs and tools game designers employ in solving non-game problems. By providing motivation to users to follow particular rules - in much the same way as players accumulate points or other rewards in games - researchers Christien Kroeze and Martin S Olivier posit that it's possible to motivate users to follow security procedures.
Kroeze and Olivier say, "It is difficult for security experts to understand users, and for users to understand security policies. This results in users being treated as the weakest link, and inadequate technologies exist to unite the two fields".
They point to research that demonstrated experts could configure a system in five minutes while the users took an average in excess of two hours. As a result, the researchers suggest that security experts may favour security over usability and they choose to protect the system’s resources at the expense of the user’s experience.
As part of their research, Kroeze and Olivier reviewed the work of many other scholars and found that, for users, security is often a secondary goal behind completing their assigned work, and that the feedback they received with regard to security was not connected to their work.
They also pointed to the weaknesses associated with text-based passwords. Although they are easy to implement, they lead to practices such as password re-use and recording passwords in insecure ways such as notes.
"Guidelines given to users on password creation often confuse the matter more. They suggest that passwords should be memorable, but not easy to guess; they should be as long as possible, but should never be reused; they should contain as many special characters as possible, but still be meaningful to the user. Randomly generated passwords that are assigned to users are the most secure, but also the hardest to remember".
Part of the key to addressing these issues, according to Kroeze and Olivier, is the need to make security meaningful to users and provide them with feedback. This is where they see gamification can offer benefits.
Interestingly, they note that the rewards provided through gamification to users don’t need to have value in the physical world. They point to World of Warcraft as an example.
"Players of the online role playing game World of Warcraft (Wow) will complete numerous “raids”, at the risk of complete failure (which happens 50% of the time) and an uneven distribution of rewards in the form of treasure. These raids are also repetitive and perhaps even tedious. But players pay a subscription to be able to do this repetitive work, because the feedback is instant, making players feel productive".
It's the need to show progress and productivity that Kroeze and Olivier say is important. They point to the password strength indicator many sites now employ when users are setting passwords. This provides a visual cue that lets the user know when they have achieved a satisfactory outcome when it comes to password strength.
A substantial part of the research paper reviews existing literature regarding game design and how to influence player behaviour. Using this research, Kroeze and Olivier suggest a game based on the use of graphical passwords as these have been found by some researchers to be more memorable for users.
Part of the basis for their game design comes from the game Pokemon. As players accumulate points, their Pokemon characters gain more abilities and change form. Players have a strong ability to remember the 646 different Pokemon names and their images as the names and images are related.
Kroeze and Olivier suggest that a computer-generated name associated with an image would be memorable to users but extremely robust against a dictionary attack.
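To make the dictionary-attack argument concrete, here is an added example (not code from the paper or from the article) that generates pronounceable, Pokemon-style names from random syllables, works out the guessing space an attacker faces, and turns that into the kind of instant feedback a strength indicator gives. The syllable alphabet and the strength thresholds are constructed assumptions for illustration only.

```python
import math
import secrets

# Constructed syllable inventory (an assumption for this example, not
# the paper's generator): names are built from uniformly chosen
# onset+nucleus syllables, so they stay pronounceable and memorable.
ONSETS = ["b", "ch", "d", "f", "g", "h", "j", "k", "l", "m",
          "n", "p", "r", "s", "sh", "t", "v", "w", "y", "z"]
NUCLEI = ["a", "e", "i", "o", "u", "ai", "ee", "oo"]

# Assumed strength-meter thresholds in bits (illustrative only).
THRESHOLDS = [(24, "weak"), (40, "fair")]


def generate_name(syllables: int = 4) -> str:
    """Build a Pokemon-style name from CSPRNG-chosen syllables."""
    parts = [secrets.choice(ONSETS) + secrets.choice(NUCLEI)
             for _ in range(syllables)]
    return "".join(parts).capitalize()


def name_entropy_bits(syllables: int = 4) -> float:
    """Entropy of generate_name(): each syllable is one uniform draw
    from len(ONSETS) * len(NUCLEI) options. The figure already assumes
    the attacker knows the syllable alphabet, so it is a worst case."""
    return syllables * math.log2(len(ONSETS) * len(NUCLEI))


def dictionary_entropy_bits(dictionary_size: int) -> float:
    """A password picked from a word list yields at most log2(size) bits,
    however long the chosen word happens to be."""
    return math.log2(dictionary_size)


def guesses_to_exhaust(bits: float) -> int:
    """Guesses a dictionary attack needs to cover the whole space."""
    return math.ceil(2 ** bits)


def strength_label(bits: float) -> str:
    """Instant feedback, in the spirit of a password strength indicator."""
    for limit, label in THRESHOLDS:
        if bits < limit:
            return label
    return "strong"


if __name__ == "__main__":
    name = generate_name()
    bits = name_entropy_bits()
    print(f"{name}: {bits:.1f} bits -> {strength_label(bits)}")
    words = dictionary_entropy_bits(170_000)
    print(f"dictionary word: {words:.1f} bits -> {strength_label(words)}")
```

Adding syllables grows the guessing space geometrically, whereas a longer word drawn from the same list adds nothing, which is the property the researchers rely on.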
Kroeze and Olivier conclude that gamification has a place in improving user. They intend to do further work that will focus on developing a game that does not rely on text-based passwords as a basis.
You can read the full paper here.
This article is brought to you by Enex TestLab, content directors for CSO Australia.