Hi! I'm Florian, a joint PhD candidate
at the University of Glasgow / University of Edinburgh.

I'm researching in Usable Security and Privacy.


About Me



As of October 2019, I am a PhD candidate in the Glasgow Interactive SysTems group (GIST) at the University of Glasgow, UK and a member of the Technology Usability Lab in Privacy and Security (TULiPS) at the University of Edinburgh, UK. I research in human-computer interaction (HCI) and human-centred security (HCS).

I hold a bachelor's degree in Media Informatics and Human-Computer Interaction (first class, GPA: 4.0) and a master's degree in Human-Computer Interaction (first class, GPA: 4.0) from the LMU Munich, Germany.

University of Munich, Aarhus University, University of Glasgow, University of Edinburgh

Publications


RubikAuth: Fast and Secure Authentication in Virtual Reality

Florian Mathis, John H Williamson, Kami Vaniea, Mohamed Khamis
In Proceedings of the 2020 CHI Conference Extended Abstracts on Human Factors in Computing Systems
Honolulu, Hawaiʻi, USA, April 2020 (CHI 2020)

There is a growing need for usable and secure authentication in virtual reality (VR). Established concepts (e.g., 2D graphical PINs) are vulnerable to observation attacks, and proposed alternatives are relatively slow. We present RubikAuth, a novel authentication scheme for VR where users authenticate quickly by selecting digits from a virtual 3D cube that is manipulated with a handheld controller. We report two studies comparing how pointing using gaze, head pose, and controller tapping impacts RubikAuth’s usability and observation resistance under three realistic threat models. Entering a four-symbol RubikAuth password is fast: 1.69 s to 3.5 s using controller tapping, 2.35 s to 4.68 s using head pose, and 2.39 s to 4.92 s using gaze and highly resilient to observations; 97.78% to 100% of observation attacks were unsuccessful. Our results suggest that providing attackers with support material contributes to more realistic security evaluations.



Knowledge-driven Biometric Authentication in Virtual Reality

Florian Mathis, Hassan Ismail Fawaz, Mohamed Khamis
In Proceedings of the 2020 CHI Conference Extended Abstracts on Human Factors in Computing Systems
Honolulu, Hawaiʻi, USA, April 2020 (CHI 2020)

With the increasing adoption of virtual reality (VR) in public spaces, protecting users from observation attacks is becoming essential to prevent attackers from accessing context-sensitive data or performing malicious payment transactions in VR. In this work, we propose RubikBiom, a knowledge-driven behavioural biometric authentication scheme for authentication in VR. We show that hand movement patterns performed during interactions with a knowledge-based authentication scheme (e.g., when entering a PIN) can be leveraged to establish an additional security layer. Based on a dataset gathered in a lab study with 23 participants, we show that knowledge-driven behavioural biometric authentication increases security in an unobtrusive way. We achieve an accuracy of up to 98.91% by applying a Fully Convolutional Network (FCN) on 32 authentications per subject. Our results pave the way for further investigations towards knowledge-driven behavioural biometric authentication in VR.



Privacy, Security and Safety Concerns of using HMDs in Public and Semi-Public Spaces

Florian Mathis, Mohamed Khamis
In Proceedings of the CHI 2019 Workshop on Challenges Using Head-Mounted Displays in Shared and Social Spaces
Glasgow, Scotland, UK, May 2019 (CHI 2019)

Head-Mounted Displays (HMDs) are increasingly used in public and semi-public spaces nowadays. However, this development comes with implications on the privacy, security, and safety of the HMD user. Based on prior work on interaction in public space, usable privacy and security, and Head-Mounted Displays, this position paper discusses the implications of HMD usage in public on the user’s privacy, security and safety. We provide examples of said threats and present potential solutions that are promising for future work.



Can Privacy-Aware Lifelogs Alter Our Memories?

Passant ElAgroudy, Mohamed Khamis, Florian Mathis, Diana Irmscher, Andreas Bulling, Albrecht Schmidt
In Proceedings of the 2019 CHI Extended Abstracts Conference on Human Factors in Computing Systems
Glasgow, Scotland, UK, May 2019 (CHI 2019)

The abundance of automatically-triggered lifelogging cameras is a privacy threat to bystanders. Countering this by deleting photos limits relevant memory cues and the informative content of lifelogs. An alternative is to obfuscate bystanders, but it is not clear how this impacts the lifelogger’s recall of memories. We report on a study in which we compare viewing 1) unaltered photos, 2) photos with blurred people, and 3) a subset of the photos after deleting private ones, on memory recall. Findings show that obfuscated content helps users recall a lot of content, but it also results in recalling less accurate details, which can sometimes mislead the user. Our work informs the design of privacy-aware lifelogging systems that maximizes recall and steers discussion about ubiquitous technologies that could alter human memories.



The Bird is the Word: A Usability Evaluation of Emojis inside Text Passwords

Tobias Seitz, Florian Mathis, Heinrich Hussmann
In Proceedings of the 29th Australian Conference on Human-Computer Interaction
Brisbane, QLD, Australia, November 2017 (OzCHI 2017)

Passwords still represent an annoying burden for millions of Internet users. Helping people create memorable and secure credentials is therefore an important goal for web-service providers to satisfy user needs. Due to the good memorability of pictures, emojis may be a suitable tool to create memorable and secure passwords. These small pictograms have seen an enormous rise in recent years, but their usage in regular passwords has not been explored for the Web. In a two-part user study with 40 participants we investigated if and how emojis are suitable in this context. We asked users to create passwords that contained both regular alphanumeric characters and emojis. The study shows that users’ primary selection strategy was to create meaningful relationships between the emoji and the rest of the password. We also found that platform dependent renderings of emojis do not necessarily reduce usability, if the object represented by the emoji is distinctive enough. As websites are already starting to allow emojis in passwords, it is important to evaluate this step carefully. Our results can inform this decision and provide pointers to the usability implications.



For an up-to-date record, please also refer to my Google Scholar page.

Professional Services


I am an external reviewer for a variety of human-computer interaction conferences, with a focus on usable security and privacy, and virtual reality (VR). For example, I reviewed for ACM TVX 2019/IMX 2020, ACM EICS 2019, ACM IDC 2019/2020, ACM CHI 2019/2020, ACM ETRA 2020 and IEEE VR 2020, in the research areas of Usable Security and Privacy, Virtual Reality, User Experience and Usability and many more.


I received a special recognition award for providing outstanding reviews at CHI 2020.

Reviews 2020

  • CHI 2020, IEEE VR, ETRA 2020, IDC 2020, IMX 2020

Reviews 2019

  • CHI 2019, TVX 2019, IDC 2019, EICS 2019

Teaching and Supervision


I am supervised by Dr. Mohamed Khamis (University of Glasgow) and Dr. Kami Vaniea (University of Edinburgh).

If you are a researcher or practitioner and interested in a collaboration, or an undergraduate or postgraduate student interested in a research internship in Human-computer Interaction (HCI), Usable Security and Privacy, or Virtual Reality (VR), please do not hesitate to get in touch with me: florian.mathis(at)glasgow.ac.uk.