The (Un)suitability of Passwords and Password Managers in Virtual Reality

Emiram Kablo, Yorick Last, Patricia Arias Cabarcos, Melanie Volkamer

TL;DR

This study systematically investigates authentication in virtual reality by combining a diverse VR user survey (n=126) with expert PM evaluations (n=91 cognitive walkthroughs). It finds that while PMs can substantially improve VR usability, current solutions lack essential VR-wide autofill across apps and robust VR-specific features, leaving them not yet ready for prime time. The results highlight strong user demand for biometric options and VR-tailored authentication, and the authors propose integrating PMs with VR biometrics and passkeys, plus OS-level autofill support, to achieve practical, secure VR authentication. The work provides actionable guidance for researchers and practitioners to advance VR authentication toward secure, seamless user experiences.

Abstract

As Virtual Reality (VR) expands into fields like healthcare and education, ensuring secure and user-friendly authentication becomes essential. Traditional password entry methods in VR are cumbersome and insecure, making password managers (PMs) a potential solution. To explore this field, we conducted a user study (n=126 VR users) where participants expressed a strong preference for simpler passwords and showed interest in biometric authentication and password managers. On these grounds, we provide the first in-depth evaluation of PMs in VR. We report findings from 91 cognitive walkthroughs, revealing that while PMs improve usability, they are not yet ready for prime time. Key features like cross-app autofill are missing, and user experiences highlight the need for better solutions. Based on consolidated user views and expert analysis, we make recommendations on how to move forward in improving VR authentication systems, ultimately creating more practical solutions for this growing field.

Paper Structure

This paper contains 36 sections, 13 figures, 22 tables.

Figures (13)

  • Figure 1: Authentication methods used by participants (in percentages and absolute numbers), sorted from highest to lowest.
  • Figure 2: Perceived ease and security of authentication methods rated by participants on a Likert scale from 1 (very hard to use/not secure) to 5 (very easy to use/very secure), sorted by ease scores (highest to lowest).
  • Figure 4: Steps required to authenticate into Reddit using the LastPass VR app. Autofill is not available. 1) Logging into the password manager with credentials. 2) Vault overview and copying the username. 3) Launching the website. 4) Opening the website in the browser and pasting in the username. 5) Going back to LastPass to copy the password. 6) Switching back to the browser to paste in the password and log in.
  • Figure 5: Steps required to authenticate into Reddit using the Meta Quest Browser password manager. Autofill is available. 1) Activating the password manager in the browser settings, no login required. 2) Manually entering the URL in the browser to launch the website. 3) Clicking into the username field to get the autofill request by the PM. 4) Once the stored credentials are selected, the fields are filled, and the user is ready to log in.
  • Figure 6: Steps required to authenticate into Reddit using the LastPass browser extension. Autofill is available. 1) Logging into the extension with credentials, after clicking on the extension icon in the browser menu bar. 2) Vault overview and launching the website of the stored credentials. 3) The website is launched with the credentials already autofilled in the fields.
  • ...and 8 more figures