User Evaluations of an App Interface for Cloud-Based Identity Management

  • Farzaneh KaregarEmail author
  • Daniel Lindegren
  • John Sören Pettersson
  • Simone Fischer-Hübner
Conference paper
Part of the Lecture Notes in Information Systems and Organisation book series (LNISO, volume 26)


Within a project developing cloud technology for identity access management, usability tests of the mock-up of a mobile app identity provider were conducted to assess Internet users’ consciousness of data disclosures in consent forms and their comprehension of the flow of authentication data. Results show that using one’s fingerprint for giving consent was easy, but most participants did not have a correct view of where the fingerprint data is used and what entities would have access to it. Familiarity with ID apps appeared to aggravate misunderstanding. In addition, participants could not well recall details of personal data releases and settings for disclosure options. An evaluation with a confirmation screen improved the recall rate slightly. However, some participants voiced a desire to have control over their data and expressed a wish to manually select mandatory information. This can be a way of slowing users down and make them reflect more.


Cloud computing Identity management Data disclosure Usable privacy Smartphone 



This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement number 653454. The authors want to thank Caroline Kayser and Manuel Gawert who conducted the data collection for the second user test (Farzaneh Karegar and Daniel Lindegren made the original prototypes and conducted the first user test, and Lindegren conducted the third user test), Charlotte Bäccman who reviewed a project report and helped with an initial set of participants, and Dan Larsson who discussed how to compare proportions.


  1. 1.
    Hörandner, F., Krenn, S., Migliavacca, A., Thiemer, F., Zwattendorfer, B.: CREDENTIAL: a framework for privacy-preserving cloud-based data sharing. In: 11th International Conference on Availability, Reliability and Security (ARES), pp. 742–749 (2016)Google Scholar
  2. 2.
    Karegar, F., Striecks, Ch., Krenn, S., Hörandner, F., Lorünser, T., Fischer-Hübner, S.: Opportunities and challenges of CREDENTIAL. Towards a metadata-privacy respecting identity provider. In: Lehmann A., et al. (eds.) Privacy and Identity 2016, IFIP AICT 498, pp. 76–91. Springer, Berlin (2016)Google Scholar
  3. 3.
    Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (eds.) EUROCRYPT’98, vol. 1403 of LNCS, pp. 127–144. Springer, Berlin (1998)Google Scholar
  4. 4.
    Kostopoulos, A., Sfakianakis, E., Chochliouros, I., Pettersson, J.S., Krenn, S., Tesfay, W., Migliavacca, A., Hörandner, F.: Towards the adoption of secure cloud identity services. In: Proceedings of the 12th International Conference on Availability, Reliability and Security (ARES’17), Article 90, 7 p. ACM (2017)Google Scholar
  5. 5.
    Vapen, A., Carlsson, N., Mahanti, A., Shahmehri, N.: Information sharing and user privacy in the third-party identity management landscape. In: IFIP International Information Security Conference, pp. 174–188. Springer International (2015)Google Scholar
  6. 6.
    Besmer, A., Lipford, A.H.: Users’ (mis)conceptions of social applications. In: Proceedings of Graphics Interface 2010, pp. 63–70. Canadian Information Processing Society (2010)Google Scholar
  7. 7.
    Robinson, N., Bonneau. J.: Cognitive disconnect: understanding facebook connect login permissions. In: Proceedings of the Second ACM Conference on Online Social Networks, pp. 247–258. ACM (2014)Google Scholar
  8. 8.
    Egelman, S.: My profile is my password, verify me!: the privacy/convenience tradeoff of Facebook connect. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2369–2378. ACM (2013)Google Scholar
  9. 9.
    Bauer, L., Bravo-Lillo, C., Fragkaki, E., Melicher, W.: A comparison of users’ perceptions of and willingness to use Google, Facebook, and Google+ single-sign-on functionality. In: Proceedings of the 2013 ACM Workshop on Digital Identity Management, pp. 25–36. ACM (2013)Google Scholar
  10. 10.
    Liccardi, I., Pato, J., Weitzner, D.J., Abelson, H., De Roure, D.: No technical understanding required: helping users make informed choices about access to their personal data. In: Proceedings of the 11th International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services, pp. 140–150. ICST (2014)Google Scholar
  11. 11.
    Van Kleek, M., Liccardi, I., Binns, R., Zhao, J., Weitzner, D.J., Shadbolt, N.: Better the devil you know: exposing the data sharing practices of smartphone apps. In: CHI’17. ACM (2017) (forthcoming)Google Scholar
  12. 12.
    Javed, Y., Shehab, M.: Investigating the animation of application permission dialogs: a case study of Facebook. In: International Workshop on Data Privacy Management, pp. 146–162. Springer International Publishing (2016)Google Scholar
  13. 13.
    Javed, Y., Shehab. M.: Look before you authorize: using eye-tracking to enforce user attention towards application permissions. Proc. Priv. Enhancing Technol. 2017(2), 23–37 (2017)Google Scholar
  14. 14.
    Wang, N., Grossklags, J., Xu, H.: An online experiment of privacy authorization dialogues for social applications. In: Proceedings of the 2013 Conference on Computer Supported Cooperative Work, pp. 261–272. ACM (2013)Google Scholar
  15. 15.
    Wang, N., Xu, H., and Grossklags, J.: Third-party Apps on Facebook: privacy and the illusion of control. In: Proceedings of the 5th ACM Symposium on Computer human Interaction for Management of Information Technology, p. 4. ACM (2011)Google Scholar
  16. 16.
    Sun, S.-T., Pospisil, E., Muslukhov, I., Dindar, N., Hawkey, K., Beznosov, K.: What makes users refuse web single sign-on?: An empirical investigation of OpenID. In: Proceedings of the Seventh Symposium on Usable Privacy and Security, pp. 4:1–20. ACM (2011)Google Scholar
  17. 17.
    Arianezhad, M., Jean Camp, L., Kelley, T., Stebila, D.: Comparative eye tracking of experts and novices in web single sign-on. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pp. 105–116. ACM (2013)Google Scholar
  18. 18.
    Rubin, J., Chisnell, D.: Handbook of Usability Testing: How to Plan, Design and Conduct Effective Tests. Wiley, NJ (2008)Google Scholar
  19. 19.
    Brooke, J.: SUS: a “quick and dirty” usability scale. In: Jordan, P.W., Thomas, B., Weerdmeester, B.A., McClelland, I.L. (eds.) Usability Evaluation in Industr, pp. 189–194. Taylor and Francis, London (1996)Google Scholar
  20. 20.
    Onwuegbuzie, A.J., Leech, N.L.: Validity and qualitative research: an oxymoron? Qual. Quant. 41(2), 233–249 (2007)CrossRefGoogle Scholar
  21. 21.
    Karegar, F., Pulls, T., Fischer-Hübner, S.: Visualizing exports of personal data by excercising the right of data portability in the data track—are people ready for this? In: Lehman, A., et al. (eds.) Privacy and Identity Management. Facing up to Next Steps, pp. 164.181. Springer, Berlin (2016)Google Scholar
  22. 22.
    D3.1 UI Prototypes V1.: Deliverable from the project CREDENTIAL (2017). Available at: Scholar
  23. 23.
    Bangor, A., Kortum, P., Miller, J.: Determining what individual SUS scores mean: adding an adjective rating scale. J. Usability Stud. 4(3), 114–123 (2009)Google Scholar
  24. 24.
    Ronen, S., Riva, O., Johnson, M., Thompson, D.: Taking data exposure into account: how does it affect the choice of sign-in accounts? In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems CHI’13, pp. 3423–3426. ACM (2013)Google Scholar
  25. 25.
    Art. 29 Data Protection Working Party: Opinion 10/2004 on More Harmonised Information Provisions. (November 25th, 2004). 11987/04/EN WP 100. European Commission (2004)Google Scholar
  26. 26.
    Bhagavatula, C., Ur, B., Iacovino, K., Kywe, S.M., Cranor, L.F., Savvides, M.: Biometric authentication on iPhone and Android: usability, perceptions, and influences on adoption. In: Proceedings of USEC 2015 (2015)Google Scholar
  27. 27.
    Javed, Y., Shehab, M., Bello-Ogunu, E.: Investigating user comprehension and risk perception of Apple’s touch ID technology. In: Proceedings of the 12th International Conference on Availability, Reliability and Security (ARES’17). Article 35, 6 p. ACM (2017)Google Scholar
  28. 28.
    Lind, D., Marchal, W., Wathen, S.: Two-sample tests about proportions. In: Statistical Techniques in Business & Economics, 17th ed., pp. 550ff. McGraw-Hill (2017)Google Scholar
  29. 29.
    Davis, F.D.: Perceived Usefulness, perceived ease of use, and user acceptance of information technology. MIS Q. 13(3), 319–339 (1989)CrossRefGoogle Scholar
  30. 30.
    Ruoti, S., Roberts, B. Seamons, K.: Authentication melee: a usability analysis of seven web authentication systems. In: Proceedings of the 24th International Conference on World Wide Web (Republic and Canton of Geneva, Switzerland), WWW’15, pp. 916–926. International World Wide Web Conferences Steering Committee, (2015)Google Scholar
  31. 31.
    Lenhard, J., Fritsch, L., Herold, S.: A literature study on privacy patterns research. In: 43rd Euromicro Conference on Software Engineering and Advanced Applications, pp. 194–201 (2017)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Farzaneh Karegar
    • 1
    Email author
  • Daniel Lindegren
    • 1
  • John Sören Pettersson
    • 1
  • Simone Fischer-Hübner
    • 1
  1. 1.Karlstad UniversityKarlstadSweden

Personalised recommendations