"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps.However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use.In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages.We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience.We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated.Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.

show abstract

Advancing Cybersecurity

Burton

2024

Advances in Human Resources Management and Organizational Development

View full text Add to dashboard Cite

This research investigates the efficacy and challenges of Multifactor Authentication (MFA) in enhancing cybersecurity within organizational settings. Employing a qualitative design, this study integrates a comprehensive literature review with case studies to examine the deployment and impact of MFA technologies. Key findings reveal that over 57% of global businesses have adopted MFA, significantly reducing unauthorized access and breaches by 99.9% when correctly implemented. However, challenges such as user resistance, implementation costs, and the complexity of MFA systems persist, affecting overall effectiveness and adoption rates. This research concludes that while MFA substantially improves security, its success hinges on strategic deployment and user compliance. The significance of this research lies in its potential to guide organizations in refining their cybersecurity measures and in informing policy on secure authentication practices, ultimately contributing to enhanced organizational and data security in an increasingly digital world.

show abstract

"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Cited by 3 publications

References 42 publications

More Than Just a Random Number Generator! Unveiling the Security and Privacy Risks of Mobile OTP Authenticator Apps

More Than Just a Random Number Generator! Unveiling the Security and Privacy Risks of Mobile OTP Authenticator Apps

"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Advancing Cybersecurity

Contact Info

Product

Resources

About