“Nah, it’s just annoying!” A Deep Dive into User Perceptions of Two-Factor Authentication

Marky, Karola; Ragozin, Kirill; Chernyshov, George; Matviienko, Andrii; Schmitz, Martin; Mühlhäuser, Max; Eghtebas, Chloe; Kunze, Kai

doi:10.1145/3503514

Cited by 16 publications

(5 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In most cases, users could only use hardware tokens with another MFA method -a requirement we did not find for other MFA options. While websites did not justify this decision, we suspect known usability issues of hardware tokens and a perceived higher likelihood of becoming inaccessible [24,31,57,76].…”

Section: Resultsmentioning

confidence: 99%

"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Amft,

Höltervennhoff,

Huaman

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps.However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use.In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages.We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience.We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated.Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.

show abstract

Section: Resultsmentioning

confidence: 99%

"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Amft,

Höltervennhoff,

Huaman

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…In most computer systems, identification and authentication are combined into a single step, where the user sequentially enters a username for identification and a password as an authentication factor. The combination of a username and password is the most common way to prove identity, especially in web environments (Marky et al, 2022).…”

Section: The Concept Of Authenticationmentioning

confidence: 99%

Implementation of two-factor user authentication in computer systems

Tomić,

Radojević

2024

Vojnotehnički glasnik

View full text Add to dashboard Cite

Introduction/purpose: The paper explores the implementation of two-factor authentication (2FA) in computer systems, addressing the increasing need for enhanced security. It highlights the vulnerabilities of password-based authentication and emphasizes the advantages of 2FA in mitigating digital threats. The development of the VoiceAuth application, integrating 2FA through a combination of password and voice authentication, serves as a practical illustration. Methods: The research adopts a three-tier architecture for the VoiceAuth application, encompassing a database, server-side REST API, and client-side single-page application. Speaker verification is employed for voice authentication, analyzing elements like pitch, rhythm, and vocal tract shapes. The paper also discusses possibilities for future upgrades, suggesting enhancements such as real-time voice verification and additional 2FA methods. Results: The application's implementation involves a detailed breakdown of the REST API architecture, Single Page Applications (SPAs), and the Speaker Verification service. Conclusion: The research underscores the crucial role of two-factor authentication (2FA) in bolstering the security of computer systems. The VoiceAuth application serves as a practical demonstration, showcasing the successful integration of 2FA through a combination of password and voice authentication. The modular architecture of the application allows for potential upgrades.

show abstract

“…Apart from a growing number of studies concerned with too often discriminatory implementations of facial recognition-based authentication (Buolamwini and Gebru 2018; Raji et al, 2020; Scheuerman et al, 2020), the study of access control in the HCI community primarily focuses on functional security or general efficacy and usability (e.g., Bonneau et al, 2012; Marky et al, 2022; Routi et al 2015; Sirivianos et al, 2014; Somayaji et al, 2013). The scant studies that address access control in digital games similarly tend to examine functional security for game software or services (Assiotis & Tzanov 2006; Dotan 2010; GauthierDickey et al, 2004), or games used as access control (Boella et al, 2005).…”

Section: Related Workmentioning

confidence: 99%

“…Studies of the effectiveness and usability of authentication are especially common (e.g., Bonneau et al, 2012; Marky et al, 2022; Routi et al 2015; Sirivianos et al, 2014; Somayaji et al, 2013). Although the findings in these studies provide insights on immediate transactional interactions, how authentication systems integrate into users’ lives more long-term is reasonably beyond their scope.…”

Section: Related Workmentioning

confidence: 99%

The access control double bind: How everyday interfaces regulate access and privacy, enable surveillance, and enforce identity

Gardner,

Tanenbaum

2023

Convergence: The International Journal of Research into New Med

View full text Add to dashboard Cite

Access controls are an inescapable and deceptively mundane requirement for accessing digital applications and platforms. These systems enable and enforce practices related to access, ownership, privacy, and surveillance. Companies use access controls to dictate and enforce terms of use for digital media, platforms, and technologies. The technical implementation of these systems is well understood. However, this paper instead uses digital game software and platforms as a case study to analyze the broader socio-technical, and often inequitable, interactions these elements regulate across software systems. Our sample includes 200 digital games and seven major digital gaming platforms. We combine close reading and content analysis to examine the processes of authentication and authorization within our samples. While the ubiquity of these systems is a given in much academic and popular discourse, our data help empirically ground this understanding and examine how these systems support user legibility and surveillance, and police identities in under-examined ways. We suggest changes to the policies and practices that shape these systems to drive more transparent and equitable design.

show abstract

“Nah, it’s just annoying!” A Deep Dive into User Perceptions of Two-Factor Authentication

Cited by 16 publications

References 48 publications

"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Implementation of two-factor user authentication in computer systems

The access control double bind: How everyday interfaces regulate access and privacy, enable surveillance, and enforce identity

Contact Info

Product

Resources

About