Why Johnny Doesn’t Use Two Factor A Two-Phase Usability Study of the FIDO U2F Security Key

Das, Sanchari; Dingman, Andrew; Camp, L. Jean

doi:10.1007/978-3-662-58387-6_9

Cited by 57 publications

(40 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Das et al [12] evaluated 2FA usability using the Yubico security key with participants. The security key aims at low-tech users with interest in securing their online services' user accounts.…”

Section: Usability Of 2famentioning

confidence: 99%

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

Wiefling

Dürmuth

Iacono³

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users' perception of RBA and helps to improve RBA implementations for a broader user acceptance. CCS CONCEPTS• Security and privacy → Authentication; Usability in security and privacy.

show abstract

Section: Usability Of 2famentioning

confidence: 99%

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

Wiefling

Dürmuth

Iacono³

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…Securing single-party software-based solutions is hard [47,52,55,75]. Secure hardware [37,58,70] increases security but it is expensive, is not always available or not accessible to developers [5,59], is harmful to usability [32], or is not flexible enough to run advanced protocols.…”

Section: Related Workmentioning

confidence: 99%

Tandem: Securing Keys by Using a Central Server While Preserving Privacy

Lueks

Hampiholi

Alpár

et al. 2020

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Users’ devices, e.g., smartphones or laptops, are typically incapable of securely storing and processing cryptographic keys.We present Tandem, a novel set of protocols for securing cryptographic keys with support from a central server. Tandem uses one-time-use key-share tokens to preserve users’ privacy with respect to a malicious central server. Additionally, Tandem enables users to block their keys if they lose their device, and it enables the server to limit how often an adversary can use an unblocked key. We prove Tandem’s security and privacy properties, apply Tandem to attributebased credentials, and implement a Tandem proof of concept to show that it causes little overhead.

show abstract

“…Prior work has shown that phishing attacks often have a disparate impact on their targets, suggesting a need for personalizing defenses to protect the most at-risk users [9,46,51]. Such personalization becomes necessary since requiring additional defenses often means imposing additional usability costs on users [12,14,35]. Our study presents a first step towards designing a system that automatically identifies the subset of users requiring such heightened protections.…”

Section: Introductionmentioning

confidence: 99%

“…In response, tailored protections have started to emerge for "at-risk" individuals, including Google's Advanced Protection Program [22] and Microsoft's AccountGuard [40]. A key challenge in this space, however, is automatically identifying who is at-risk, as applying heightened protections to a broad user base incurs both a financial and usability cost [12,14,35].…”

Section: Introductionmentioning

confidence: 99%

Who is targeted by email-based phishing and malware?

Simoiu

Zand

Thomas

et al. 2020

Proceedings of the ACM Internet Measurement Conference

View full text Add to dashboard Cite

As technologies to defend against phishing and malware often impose an additional financial and usability cost on users (such as security keys), a question remains as to who should adopt these heightened protections. We measure over 1.2 billion email-based phishing and malware attacks against Gmail users to understand what factors place a person at heightened risk of attack. We find that attack campaigns are typically short-lived and at first glance indiscriminately target users on a global scale. However, by modeling the distribution of targeted users, we find that a person's demographics, location, email usage patterns, and security posture all significantly influence the likelihood of attack. Our findings represent a first step towards empirically identifying the most at-risk users.

show abstract

Why Johnny Doesn’t Use Two Factor A Two-Phase Usability Study of the FIDO U2F Security Key

Cited by 57 publications

References 15 publications

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

Tandem: Securing Keys by Using a Central Server While Preserving Privacy

Who is targeted by email-based phishing and malware?

Contact Info

Product

Resources

About