Elham Vaziripour, Devon Howard, Jake Tyler, Mark O’Neill, Justin Wu, Kent Seamons, Daniel Zappala, “I Don’t Even Have to Bother Them! Using Social Media to Automate the Authentication Ceremony in Secure Messaging,” ACM Conference on Human Factors in Computing Systems (CHI), May 2019.
The privacy guaranteed by secure messaging applications relies on users completing an authentication ceremony to verify they are using the proper encryption keys. We examine the feasibility of social authentication, which partially automates the ceremony using social media accounts. We implemented social authentication in Signal and conducted a within-subject user study with 42 participants to compare this with existing methods. To generalize our results, we conducted a Mechanical Turk survey involving 450 respondents. Our results show that users found social authentication to be convenient and fast. They particularly liked verifying keys asynchronously, and viewing social media profiles naturally coincided with how participants thought of verification. However, some participants reacted negatively to integrating social media with Signal, primarily because they distrust social media services. Overall, automating the authentication ceremony and distributing trust with additional service providers is promising, but this infrastructure needs to be more trusted than social media companies.