The Emperor's New Security Indicators An evaluation of website authentication and the effect of role playing on usability studies

We evaluate website authentication measures that are designed to protect users from man-in-the-middle, 'phish- ing', and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we re- moved HTTPS indicators. Next, we removed the par- ticipant's site-authentication image—the customer-selected image that many websites now expect their users to ver- ify before entering their passwords. Finally, we replaced the bank's password-entry page with a warning page. Af- ter each clue, we determined whether participants entered their passwords or withheld them. We also investigate how a study's design affects partic- ipant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused in- structions. We confirm prior findings that users ignore HTTPS in- dicators: no participants withheld their passwords when these indicators were removed. We present the first empiri- cal investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 23 of the 25 (92%) participants who used their own accounts en- tered their passwords. We also contribute the first empirical evidence that role playing affects participants' security be- havior: role-playing participants behaved significantly less securely than those using their own passwords.