Two-Factor Authentication, Usable or Not? A Two-Phase Usability Study of the FIDO U2F Security Key

Presented at Black Hat USA 2018, Aug. 9, 2018, 9 a.m. (25 minutes).

Why do people choose to use (or not use) Two-Factor Authentication (2FA)? We report on some surprising results from a two-phase study of the Yubico Security Key, conducted in collaboration with Yubico. Despite the Yubico Security Key being among the best in class for usability among hardware tokens, participants in a think-aloud protocol encountered surprising difficulties, with none in the first round able to complete enrollment without guidance. For example, a website demo, built to make adoption simple, instead resulted in profound confusion when participants fell into an infinite loop of inadvertently only playacting the installation. We report on this and other findings of a two-phase experiment that analyzed the acceptability and usability of the Yubico Security Key, a 2FA hardware token implementing Fast Identity Online (FIDO). We made recommendations, and then tested the new interaction. A repeat of the experiment showed that these recommendations enhanced ease of use but not necessarily acceptability. The second stage identified the remaining primary reasons for rejecting 2FA: fear of losing the device, illusions of personal immunity to risk on the internet, and confidence in personal risk perceptions. Being locked out of an account was something every participant had suffered, while losing control of their account was a distant, remote, and heavily discounted risk. The presentation will surprise and inform practitioners, showing them that usability is not just common sense; in fact, sometimes you need to think sideways to align yourself with your potential users.


Presenters:

  • Sanchari Das - PhD Student, Indiana University Bloomington
    Sanchari Das is a PhD Student in the School of Informatics, Computing, and Engineering at Indiana University Bloomington. A security track researcher, her work includes studies in Usable Privacy and Security, User Experience, Social Media Research, and Human-Computer Interaction. Her dual Masters degrees were received from Jadavpur University, Kolkata, India and Indiana University Bloomington. She received her Bachelor's in Computer Applications from The Heritage Academy, Kolkata, India and was a Gold-medalist in her batch. She has also interned in prestigious organizations including Infosys Limited and HCL Technologies.
  • Gianpaolo Russo - Applied Researcher, MITRE Corporation
    Gianpaolo Russo is an applied researcher solving hard cyber problems at the MITRE Corporation. His interdisciplinary research experience has spanned the reverse engineering and analysis of embedded and cyber-physical systems, the development of distributed sensor networks, mobile network communications analysis, vulnerability disclosure policy, and applied behavioral science. His background further includes work with Lawrence Livermore National Laboratory, the Federal Trade Commission, and Microsoft as an Eric T. Werner Global Cybersecurity Policy Advancement Fellow.
  • L Jean Camp - Professor, Indiana University
    L Jean Camp focuses on the intersection of human and technical trust. She is a Professor at the School of Informatics and Computing at Indiana University. She joined Indiana after eight years at Harvard's Kennedy School, where her courses were also listed in Harvard Law, Harvard Business, and the Engineering Systems Division of MIT. She spent the year after earning her doctorate from Carnegie Mellon as a Senior Member of the Technical Staff at Sandia National Laboratories. She began her career as an engineer at Catawba Nuclear Station and with an MSEE at the University of North Carolina at Charlotte.