[messaging] between fingerprint transcription and comparison

Tom Ritter tom at ritter.vg
Mon Mar 10 10:22:32 PDT 2014


I dislike having to ask the user to do the same thing multiple times -
that's tedious and (I think) on the verge of insulting.

I do like the idea of presenting it in multiple parts, with say the
last 3/4ths blurred unintelligibly, then the first 1/4 and last 1/2,
etc.  You get a four-part question, but the user doesn't see it as the
same question.

-tom

On 10 March 2014 10:08, Stefan Birgmeier <e0725468 at student.tuwien.ac.at> wrote:
>
> On 10/03/14 17:44, Daniel Kahn Gillmor wrote:
>>
>> Hi folks--
>>
>> Thinking about Tom's proposed usability testing gave me another idea for
>> a fingerprint comparison UI, which i wanted to float here.  It might be
>> a terrible idea.
>>
>> I think we all agree that fingerprint transcription is more effective at
>> avoiding a false match than comparison with "click OK" -- but
>> transcription is also more tedious, prone to human error, and more time
>> consuming.
>>
>> I wonder if it's possible to split the difference from a UI/UX
>> perspective somehow.
>>
>> For example, if the application knows that the user is in a use case
>> where the user is trying to compare the current connection's fingerprint
>> with something they have received out of band, rather than displaying
>> the actual fingerprint received on the wire, the UI could display
>> several candidate fingerprints and have them choose the correct one from
>> the set, like a police lineup.  This could even be done more than once,
>> with the "correct" print listed in each of them (or with "the
>> fingerprint is not listed here" as an option).
>>
>> Care would have to be taken to present only subtle variations, or to
>> include the "not listed here" option with greater regularity, or to
>> present several pages of different choices so that people have to
>> consider each of them.  We want to avoid the "oh, it's the one that
>> starts with 6" response.
>>
>> Do you think this UX would be an improvement over either "click OK
>> comparison" or complete transcription?  Could we make it less tedious
>> than transcription, but more secure than "click the OK button to get
>> this out of my way and let me get to work" experience?
>>
>> What kind of security properties would this hybrid UX have?
>>
>>         --dkg
>>
> Hi,
>
> Maybe split the fingerprint into several parts (like 4), and do as suggested
> with the parts? That would maybe make it less tedious. It also makes it more
> suitable for mobile devices since the screens are not that wide. Your
> proposal sounds good for mobile devices - you do not have to use a virtual
> keyboard to type in the fingerprint while avoiding the let's-just-click-ok
> scenario.
>
> Stefan
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
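
A sketch of the "police lineup" comparison discussed in this thread, added here as an example and not code from any poster or project. It assumes plain hex fingerprints; the function names, the two-digit decoy rule, the round count and the sample fingerprints are all constructed for illustration.

```python
import secrets

HEX = "0123456789abcdef"
NOT_LISTED = "the fingerprint is not listed here"
_RNG = secrets.SystemRandom()  # unpredictable decoys and ordering

def make_decoy(fp, flips=2, rng=_RNG):
    """Subtle variation of fp: `flips` interior hex digits changed."""
    chars = list(fp)
    # First and last digit stay fixed, so "the one that starts with 6"
    # matches every candidate and does not single out an answer.
    for i in rng.sample(range(1, len(chars) - 1), flips):
        chars[i] = rng.choice([c for c in HEX if c != chars[i]])
    return "".join(chars)

def build_round(wire_fp, include, n_choices=4, rng=_RNG):
    """One lineup. Returns (options, correct_answer)."""
    candidates = {wire_fp} if include else set()
    while len(candidates) < n_choices:
        candidates.add(make_decoy(wire_fp, rng=rng))
    options = list(candidates)
    rng.shuffle(options)
    options.append(NOT_LISTED)  # always offered; correct when include is False
    return options, (wire_fp if include else NOT_LISTED)

def verify(wire_fp, pick, rounds=3, p_absent=0.25, rng=_RNG):
    """Accept only if pick(options) is right in every round.

    pick models the user, who compares against the out-of-band fingerprint.
    """
    plan = [rng.random() >= p_absent for _ in range(rounds)]
    if not any(plan):
        # At least one round must show the wire fingerprint; otherwise a user
        # who always answers "not listed" would be accepted.
        plan[rng.randrange(rounds)] = True
    for include in plan:
        options, answer = build_round(wire_fp, include, rng=rng)
        if pick(options) != answer:
            return False
    return True

def careful_user(oob_fp):
    """Hypothetical user model: picks the out-of-band value or 'not listed'."""
    return lambda options: oob_fp if oob_fp in options else NOT_LISTED

# Constructed sample fingerprints (40 hex digits), not real keys.
GOOD = "6f1c9a04d2e87b35a1c0ff9e3b7d4582c6a9e013"
MITM = "6b83d7e1059cfa2e44d1a06c7f92be30185ad4c7"
```

`verify(GOOD, careful_user(GOOD))` accepts, while `verify(MITM, careful_user(GOOD))` rejects because the user never finds their out-of-band value in a round that lists the wire fingerprint.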

