VR and User-Centered Security
In this edition of the Edify Fireside Chat, we were joined by Dr. Mohamed Khamis, Reader in the School of Computing Science at the University of Glasgow. Originally from Egypt, where he studied at the German University in Cairo, Dr. Khamis received his PhD from Ludwig-Maximilians-Universität-München (LMU) in Germany, where he researched creating eye tracking methods and user interfaces (UIs) that respond to eye movement. Since moving to Glasgow in 2018, Dr. Khamis’s research has focused on User-Centered Security and creating VR-based security systems that use eye-tracking as part of their authentication methods.
Why is security important for VR settings?
The eyes are the window to the soul, it’s said, and they’re the window to a lot of information about a person, as well. Dr Khamis points out that by examining various aspects of people’s eyes and how their eyes move and behave, you can tell a lot about them: from their age and gender and biometric identity — who they are — to their physical and mental health, how tired or well-rested they are, their emotional state and much more. And by the same token, technology like augmented reality (AR) glasses can be used to glean a lot of information.
You might think the PIN you use to unlock your phone is pretty secure: after all, only you know it and you’re careful not to unlock your phone with anyone looking over your shoulder. But Dr. Khamis’s research shows that fingers leave residual heat traces on a phone screen and that those heat traces are visible using easily obtained thermal cameras that might be built into AR glasses. Dr Khamis created an AI system that detects and prevents these ‘thermal attacks.’ It's clear that advances in imaging and eye-tracking technology pose security risks but also provide opportunities for developing new user-centered security methods. Developing user-centered security means more than just ensuring that the programs and the connections between devices we use are secure but ensuring that the tools and technologies we interact with are not vulnerable.
VR might seem distant from this but there is nonetheless an overlap: VR devices use an array of different sensors and different input methods to record and process users’ interactions, and each of these has different security implications.
But sensors aren’t the only security challenge. One important security issue Dr. Khamis’s research focuses on is what bystanders are doing while people use VR around them. In his talk, he describes the results of a survey he ran, asking 100 bystanders how they interacted with people using VR. He found three main behaviour types:
- Coexisting: Bystanders who exhibited this behaviour tended not to interact with each other very much.
- Demoing: Here, the VR user tended to show the bystander how the VR technology they were using at the time worked.
- Interrupting: Bystanders in this group actively intervened with the VR user.
Of the 100 bystanders Dr. Khamis polled, 19 said they intervened to ensure the safety of the VR user — stopping them tripping over things or hurting themselves, for example, and they perceived the user of VR technology as vulnerable to dangerous situations. 12 bystanders took the opportunity to improvise or take novel action: ten bystanders teased or scared the VR users, one surprised the VR user by feeding them a cookie and one performed acts that are decidedly not PG-13 with their VR-using partner. The conclusion that Dr Khamis drew from this survey is that bystanders tended to hold positions of power, and that these positions were potentially open to abuse: none of the 100 people polled abused that power but the possibility was always there.
One possibility for bystanders to act maliciously is for them to observe VR users as they authenticate or log on. For example, if a VR user enters a PIN by physically pointing to numbers on a virtual keypad, it would be easy for a bystander to watch and guess the user’s PIN from their gestures, meaning that their security would be compromised.
Improving the security and privacy of VR experiences
Mohamed Khamis’s latest research focuses on creating user-centered authentication mechanisms that aren’t vulnerable in these ways, which requires developing genuinely novel methods to authenticate as many ways that are familiar to us now still have vulnerabilities. One way of bypassing the scenario discussed above might be to use biometrics — think FaceID or fingerprint authentication. But these aren’t foolproof and often require users to have a traditional PIN or password set up: two years into a pandemic that has seen the lower halves of our faces covered up, FaceID is not quite as effective as it used to be, while fingerprint readers are easily flummoxed by gloves or damp fingers.
Eye-tracking could be used to create authentication methods that can’t be observed by bystanders, Khamis says. But gaze-based methods of authentication are slow and can be quite cumbersome for users who aren’t used to the technology. They’re not necessarily user-friendly and aren’t necessarily brilliant examples of user-centered security.
Why is user-centered security important?
To illustrate the importance of user-centered security systems, Dr Khamis told us about a hospital that invested in mobile computer terminals that medical professionals could use to access patient records away from their desks. As the data that could be accessed through the terminals was highly sensitive, the hospital took the decision to embed proximity sensors into them. The terminals would only stay logged in when they detected someone – the terminal’s intended user – close by, and they would log out automatically when they detected people moving away from them. This meant that if a professional brought the terminal to a patient’s bed and logged in, but then had to step away from the terminal, even if just to the other side of the bed, the terminal would automatically log out. The terminals were designed to keep the sensitive data secure but not in a user-friendly way. Rather than logging in every time, the professionals found a workaround – they covered the proximity sensor so that it wouldn’t log out.
With every security system, there’s a trade-off between usability and security. You don’t need to work in a hospital to see this in action: think about every time you’ve been asked to create a strong password with a combination of capital letters, numbers and special characters. It’s common in this scenario for users to reuse the same password across multiple different websites and accounts, meaning that if one of those websites’ security is compromised then a hacker or malicious actor can easily exploit every other account that uses that password. The requirement to create strong passwords makes sense but it doesn’t necessarily lead to greater security because it’s not user-friendly.
Dr Khamis quoted an axiom from the UK’s National Cyber Security Centre: ‘Security must work for people. If it doesn’t work for people, it doesn’t work.’
User-centered security methods in VR
Bearing all this in mind, what methods can be used to keep VR experiences secure? Dr Khamis and his team have developed a VR security tool called Rubikauth, which generates a cube with different coloured sides and numbers on each side. Users authenticate by turning the cube in VR and selecting numbers from different sides of the cube – the number 2 on the red side of the cube is different to the number 2 on the blue side, and so on. VR users make smaller motions turning the cube than they would pointing to numbers on a virtual PIN pad, so it is harder for a bystander to observe their movements, and there are over a million different potential combinations of colours and numbers.
VR also offers opportunities for user-centered security researchers to improve their experimental methods acting as a testbed for user-centered security research. Rather than building security systems in real life for users to test, researchers can create VR versions of those systems cheaply and efficiently. These VR experiments are far more easily replicated as researchers looking to replicate the experiment in another setting do not have to recreate equipment used in the original experiment: they only have to download the programme that the first researchers developed. VR has the potential to radically transform the way security researchers perform experiments.
But equally, there is a growing need to anticipate how VR will impact on privacy, security and safety, and to proactively design methods that protect VR users from negative impacts and security threats. This work cannot be done without empirical studies like those of Dr Khamis and his colleagues, which quantify the security needs of VR users, the threats that users of VR technology face, but equally, the opportunities for creating new and user-centric paradigms for security and authentication that VR offers.