"I Want the Payment Process to be Cool'': Understanding How Interaction Factors into Security and Privacy Perception of Authentication in Virtual Reality

Users embrace the rapid development of virtual reality (VR) technology. We are witnessing a widespread adoption of VR technology in more routine settings, such as gaming, social interactions, shopping, and commerce. VR systems access sensitive user data and assets when handling these routine activities, including payment, which raises the need for user authentication in VR. However, there is a limited understanding of how users perceive user authentication in VR, in particular, how users' interaction experiences factor into their perception of security and privacy. Our work adopts a ``technology probe'' approach to understand this question. We design technology probes of authentication in VR based on existing authentication interactions in both VR and the physical world. Further, we embed these probes in the routine payment of a VR game. Our qualitative analysis reveals that users face unique usability challenges in VR authentication, e.g., in motion control. Such challenges also hinder users from accessing security and privacy accurately in VR authentication. Users' expectations for VR authentication mainly center on improvements in interaction. However, their expectations could appear nonspecific and conflicting. We provide recommendations to accommodate users' expectations and resolve conflicts between usability and security.