User interaction refers to whether another user (other than the attacker) is required to participate in a successful attack. The metric has possible values of required or none.
Required (R) is defined as follows:
Imagine that a vulnerability exists which allows an attacker to print their own ID card so that they can pretend to be from the local utilities company. The attacker shows up at a victim's door and asks for access. The victim is required to open the door in order for the attacker to gain access.
None (N) is defined as follows:
If the system had automatic ID card recognition, an attacker could walk straight in.
The following diagram demonstrates the difference between complete automation and human interaction. A computerized (even AI) system allows choices based on rules rather than with any context or ability to question actions:
Two-factor authentication is the classic method of demanding user interaction in a security system. The person attempting to gain access has to provide a code for different means. From a home access point of view, the homeowner could ring the utility firm directly and ensure that they had sent someone with those credentials before opening the door, hence defeating the attack.