and even interacted with, the authentication ceremony screen
without necessarily having performed the authentication cere-
mony. In total, 5 pairs of participants conducted the authenti-
cation ceremony while 27 participants reported having seen
the screen.
As predicted in our cognitive walkthrough, participants
were confused about what a safety number was or why it had
changed. For instance, one participant explained that “I hon-
estly wasn’t sure what it meant. I didn’t know that I had a
safety number with them in the first place so I was unaware
that it could change.” We also noted occasions where partici-
pants entered the authentication ceremony screen only to back
out without completing it. This may be due to poor communi-
cation regarding response cost—both conversation partners
should either be in the same physical location to execute the
QR-code ceremony or be willing to verify safety numbers
over another medium (such as a phone call).
Also as predicted, the verification toggle confused partic-
ipants. Of the 11 participants who reported having flipped
the toggle, not one participant correctly intuited its use. 7 of
these 11 toggled it purely as an exploratory action, unaware
that doing so would inadvertently and incorrectly clear the
warning state.
When asked to characterize the purpose of the authenti-
cation ceremony, participants did generally associate it with
verification, although their model for what it verifies was often
incorrect. Table 2 shows a qualitative analysis of participant
responses when asked the purpose of the ceremony, and the
meaning of a matching or non-matching result, with responses
coded and then categorized as correct, partially correct, or in-
correct. Only a few participants understood that the purpose
of the authentication ceremony is to verify the confidentiality
of the conversation. Instead, a number of participants mistak-
enly believed that it was about verifying the identity of the
individual, i.e., that “it makes sure the other person is who
you think they are”, as one participant explained. This threat
model does not account for a different type of attacker the
authentication ceremony is intended to detect: a passive man-
in-the-middle who simply decrypts and forwards messages
without interfering in the conversation.
These misconceptions naturally carried forward into re-
sponses about the significance of matching and non-matching
safety numbers. Perceptions of non-matching safety numbers
correctly assessed this result as indicative of interception oc-
curring, but again, participants often believed that this meant
that they had detected an impersonator, as with one participant
who remarked that, “Someone using another phone could
be posing as my brother, I guess.” Participants did almost
unilaterally understand that matching safety numbers were
indicative of a positive security/privacy outcome, although
several participants misinterpreted the role of the authentica-
tion ceremony as a mechanism that would actively prevent
interception, as opposed to detecting it.
4 Developing improvements
Based on the results of our cognitive walkthrough and sub-
sequent user study, we concluded that there were three main
areas for improvement worthy of focus: (1) the need for an
accessible, persistent visual indicator for verification state, (2)
the messaging used in warning notifications and dialogs, and
(3) the notification flow and all associated UI elements.
4.1 Visual indicator
Visual indicators, or icons, are important both as an accessible
measure for communicating security state to users with a
single glance as well as for enhancing the consistency of
warning notifications. While the authentication ceremony
screen in the original version of Signal does have a (somewhat
hidden) lasting representation of verification state, the verified
toggle switch, we believe that this indicator is inadequate
because it represents only two states (verified and unverified)
and because it confused users in our lab study who believed
that toggling the switch would verify their partner.
We decided to create a set of icons that would properly re-
flect all three verification states: (1) the default, assumed-safe
state of the conversation prior to a safety number change, (2)
a verified state that reflects matching key fingerprints, and (3)
an unsafe state that reflects having found non-matching fin-
gerprints in the authentication ceremony. Ideally, the icon for
the default state could have a small modification to represent
the other two states. By adding this visual indicator onto the
action bar, it becomes both an accessible indicator of state as
well as a shortcut to the authentication ceremony.
We began by designing a neutral icon to represent the de-
fault state. Our goal was to select an icon that would be in-
tuitively associated with privacy, and that would not evoke
unwarranted feelings of concern, since this state does not
signal a cause for concern. We selected a blank shield icon
for this purpose. We then created variants of this icon, as
shown in Table 1 to represent the success and failure states
post-authentication ceremony.
We evaluated our designs on Amazon’s Mechanical Turk
platform, with each icon being shown to at least 50 partic-
ipants. Each icon was shown occupying a position on the
action bar in a screenshot of Signal’s interface, next to the
call button. For positive-valenced icons we asked participants
to rate how strongly they associated the icon with privacy
on a scale from 1-10. For negative-valenced icons we asked
participants to rate how worried they would feel if they saw
the associated icon. We asked both questions for the blank
shield icon.
As shown in Table 1, the blank shield has a moderate asso-
ciation with privacy and a low association with worry, making
it a good fit for a default icon. We discounted any icons using
a lock because it is used elsewhere in the app to represent
encryption, and we wished to avoid conflating meanings. We
USENIX Association Fifteenth Symposium on Usable Privacy and Security 143