Intentionality and Agency in Security

  • Kat Krol
  • David Llewellyn-Jones
  • Seb Aebischer
  • Claudio Dettoni
  • Frank Stajano
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11286)


In this paper we explore the tension between automatic security and intentionality. During a user trial of Pico we offered two proximity authentication modalities: scanning a QR code, or pressing a button in the Pico app that is available only when the user is in Bluetooth range of a machine they can authenticate to. The feedback from this trial provides an insight into users’ expectations with regard to intentionality. We discuss how this relates to the Pico authentication solution, how it has informed future Pico design decisions, and we suggest some ways in which security and usability researchers could address the issue of intentionality in future security design.



We thank the European Research Council (ERC) for funding this research through grant StG 307224 (Pico).


  1. 1.
    Anderson, R.: Why information security is hard—An economic perspective. In: Computer Security Applications Conference (ACSAC 2001), pp. 358–365. IEEE (2001)Google Scholar
  2. 2.
    Apple Support: How to unlock your Mac with your Apple Watch, January 2018.
  3. 3.
    BBC: ‘Relay crime’ theft caught on camera, November 2017.
  4. 4.
    Currie, J., Walker, R.: Traffic congestion and infant health: Evidence from E-ZPass. Am. Econ. J.: Appl. Econ. 3(1), 65–90 (2011)Google Scholar
  5. 5.
    Emms, M., Arief, B., Freitas, L., Hannon, J., van Moorsel, A.: Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN. In: Conference on Computer and Communications Security (CCS), pp. 716–726. ACM (2014)Google Scholar
  6. 6.
    Emms, M., van Moorsel, A.: Practical attack on contactless payment cards. In: HCI2011 Workshop—Health, Wealth and Identity Theft (2011)Google Scholar
  7. 7.
    Francillon, A., Danev, B., Capkun, S.: Relay attacks on passive keyless entry and start systems in modern cars. In: Network and Distributed System Security Symposium (NDSS) (2011)Google Scholar
  8. 8.
    Herley, C.: So long, and no thanks for the externalities: The rational rejection of security advice by users. In: New Security Paradigms Workshop (NSPW 2009), pp. 133–144. ACM (2009)Google Scholar
  9. 9.
    Herley, C.: More is not the answer. IEEE Secur. Priv. 12(1), 14–19 (2014)CrossRefGoogle Scholar
  10. 10.
    Hirose, M.: Newly Obtained Records Reveal Extensive Monitoring of E-ZPass Tags Throughout New York, April 2015.
  11. 11.
    Jia, H., Wu, M., Jung, E., Shapiro, A., Sundar, S.S.: Balancing human agency and object agency: An end-user interview study of the Internet of Things. In: ACM Conference on Ubiquitous Computing, pp. 1185–1188. ACM (2012)Google Scholar
  12. 12.
    Krol, K., Philippou, E., De Cristofaro, E., Sasse, M.A.: “They brought in the horrible key ring thing!” Analysing the usability of two-factor authentication in UK online banking. In: NDSS Workshop on Usable Security (USEC) (2015)Google Scholar
  13. 13.
    Krol, K., Rahman, M.S., Parkin, S., De Cristofaro, E., Vasserman, E.: An exploratory study of user perceptions of payment methods in the UK and the US. In: NDSS Workshop on Usable Security (USEC) (2016)Google Scholar
  14. 14.
    Payne, J., Jenkinson, G., Stajano, F., Sasse, M.A., Spencer, M.: Responsibility and tangible security: Towards a theory of user acceptance of security tokens. In: NDSS Workshop on Usable Security (USEC) (2016)Google Scholar
  15. 15.
    SAASPASS: About: What is SAASPASS? February 2018.
  16. 16.
    Sasse, M.A., Smith, M., Herley, C., Lipford, H., Vaniea, K.: Debunking security-usability tradeoff myths. IEEE Secur. Priv. 14(5), 33–39 (2016)CrossRefGoogle Scholar
  17. 17.
    Shin, D.-H., Jung, J., Chang, B.-H.: The psychology behind QR codes: User experience perspective. Comput. Hum. Behav. 28(4), 1417–1426 (2012)CrossRefGoogle Scholar
  18. 18.
    Stajano, F.: Pico: No more passwords! Talk at USENIX Security (2011).
  19. 19.
    Stajano, F.: Pico: No more passwords! In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011). Scholar
  20. 20.
    Transport for London: Card clash, February 2018.
  21. 21.
    Ulatowski, L.M.: Recent developments in RFID technology: Weighing utility against potential privacy concerns. J. Law Policy Inf. Soc. 3, 623 (2007)Google Scholar
  22. 22.
    Weiser, M.: The computer for the 21st century. Sci. Am. Spec. Issue Commun. Comput. Netw. 265(September), 94–104 (1991)CrossRefGoogle Scholar
  23. 23.
    Windows Support: Lock your Windows 10 PC automatically when you step away from it, April 2018.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Kat Krol
    • 1
  • David Llewellyn-Jones
    • 1
  • Seb Aebischer
    • 1
  • Claudio Dettoni
    • 1
  • Frank Stajano
    • 1
  1. 1.Department of Computer Science and TechnologyUniversity of CambridgeCambridgeUK

Personalised recommendations