How do you design for trust and safety in the metaverse?

In the past year, concepts of the metaverse and immersive webscapes have taken root in the public discourse. While there is a lot of excitement about these environments, questions remain about what safety looks like in 3D environments that have the potential to be hacked, altered, or otherwise compromised. In this context, The Extended Mind wants to share a research project we did in 2020 in collaboration with Mozilla entitled Look Before You Leap: Trusted User Interfaces for the Immersive Web and illustrate one way of studying immersive trust and safety.

The premise for this Mozilla study was that in 2D browsing environments, people often rely on the URL bar to know they’re in the right place. But in 3D environments, they likely won’t have access to a URL bar and will need other ways of verifying that they’re on a trusted site. Given this, we tested three different immersive security concept prototypes.

These prototypes included an anthropomorphic agent, a sigil, and a browser logo. Each prototype had unique characteristics. The browser logo was a persistent UI element that would appear the same to all users, the sigil was a unique and randomly generated symbol assigned to the user by the browser, and the agent was randomly generated but had the ability to be customized by the user.

We walked our research subjects through each security concept by explaining how and when they would appear in the browsing process and made clear that their presence indicated that they were navigating to a safe site. We then tested the research subjects on their knowledge of each concept by walking them through multiple browsing scenarios using each concept, offering the trusted prototype as well as spoofing attempts (e.g., the loading symbol, an agent that was the wrong color, etc).

We found that each prototype had its own advantages and disadvantages. The agent and the sigil, for instance, both contained levels of nuance that made it more challenging for users to be certain the symbol they were looking at was the correct symbol. However, research subjects also thought that the ability to customize (as in the case of the agent) might help them better remember what their agent looked like. There’s also the possibility that remembering your unique security symbol might pose less of a problem as users spend more time familiarizing themselves with it.

Interestingly, the most popular security concept (the agent) was also the one that most research participants were successfully spoofed by. And while the logo was unpopular overall, it had the highest success rate amongst our research subjects.

The takeaway of the story is that there is no one answer to what security looks like in immersive environments, but it’s important for companies to spend designing, testing, and iterating on what will signify safety to users in the metaverse. If companies ultimately want people to feel safe performing sensitive activities such as banking in the metaverse, they need mechanisms to build that trust and overtime and potentially in more day-to-day situations such as immersive browsing rather than financial transactions.

Resources

Hosfelt, D., Outlaw, J., Snow, T., & Carbonneau, S. (2020). Look Before You Leap: Trusted User Interfaces for the Immersive Web. arXiv preprint arXiv:2011.03570. https://ui.adsabs.harvard.edu/abs/2020arXiv201103570H/abstract

Why Researchers Should Conduct User Testing Sessions in Virtual Reality (VR): On Using Hubs by Mozilla for Immersive, Embodied User Feedback. The Extended Mind Blog. Aug 28 2020.