28
Ken Reese, Trevor Smith, Jonathan Dutson , Jonathan Armknecht, Jacob Cameron, and Kent Seamons A Usability Study of Five Two-Factor Authentication Methods

A Usability Study of Five Two-Factor Authentication [email protected]. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons

A Usability Study of Five Two-Factor Authentication Methods

Page 2: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Passwords: Everywhere, but…

https://media.giphy.com/media/dxfdvOobztBviVmYbM/giphy.gif

Page 3: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Two-Factor Authentication

Something you know

Something you have

Something you are

Page 4: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Five Two-Factor Authentication Methods

SMS

TOTP

Pre-generated codes

Push notifications

U2F security keys

Page 5: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Something you have…

Page 6: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Goal:Perform a comparative usability study of five 2FA methods

Page 7: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Previous 2FA User Studies

2FA banking studies

• Piazzalunga [2005], Weir [2009, 2010], Gunson [2011]

Security key setup

• Das [FC 2018]

Setup of four 2FA methods

• Acemyan [HFES 2018]

Day-to-day usability

• Krol [USEC 2015], Reynolds [S&P 2018]

Page 8: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Study DesignCompare five factors across a single application

Reduce confounding factors

Gather timing data

Examine setup and day-to-day usability independently

Avoid bias

Page 9: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Two Parts1. Two-week between-subjects usability study

2. Within-subjects laboratory setup study

Page 10: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Two Week Study Methodology

72 PARTICIPANTS

(6 GROUPS OF 12)

SIMULATED ONLINE BANKING WEBSITE

12 BANKING TASKS

Page 11: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Findings Quantitative

Qualitative

https://media.giphy.com/media/xGlmLbM8sOcSc/giphy.gif

Page 12: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Timing

Page 13: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Timing

Page 14: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

SUS

Page 15: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Qualitative Results

Page 16: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Security and Inconvenience

Page 17: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Availability of Second-factor Device

Page 18: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Not a Target

Page 19: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Day-to-day Usability?

https://media.giphy.com/media/cN3TDDF02WCT6/giphy.gif

Page 20: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Limitations

University population

Simulated banking environment

2FA for every authentication attempt

Page 21: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Setup Study Methodology30 participants

Setup each 2FA method

Used counterbalancing to account for ordering effects

Page 22: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Setup Study: Timing Data

Page 23: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Setup Study: SEQ Scores

Page 24: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Setup FailuresTOTP

Scanning QR code

U2FPop up permission

Page 25: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Setup Usability?

https://media.giphy.com/media/cXMbxzMdXdVGwDZbyS/giphy.gif

Page 26: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Limitations

University population

Provider-specific setup implementation

Unfamiliarity with provided phone

Page 27: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Conclusion

Well-implemented 2FA methods may be set up and used without major difficulty

Home users may not always have access to second-factor device

Users differentiate between high and low value accounts

Time to authenticate decreases with familiarity (U2F, TOTP)

Faster authentication does not necessarily mean higher usability

Page 28: A Usability Study of Five Two-Factor Authentication Methods...jonathan@isrl.byu.edu. Title: A Usability Study of Five Two-Factor Authentication Methods Author: Jonathan Dutson Created

Thank you

[email protected]


Usable Security - Computer Security Lecture 17Psychology and Usability Usability Background Research in Usability and Security Usable Authentication Password Authentication Challenge

Usable Security - Computer Security Lecture 17Psychology and Usability Usability Background Research in Usability and Security Usable Authentication Password Authentication Challenge

Documents
Biometric Authentication on iPhone and Android: · PDF fileBiometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption Chandrasekhar Bhagavatula,

Biometric Authentication on iPhone and Android: · PDF fileBiometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption Chandrasekhar Bhagavatula,

Documents
Biometric Authentication on iPhone and Android: … · Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption Chandrasekhar Bhagavatula,

Biometric Authentication on iPhone and Android: … · Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption Chandrasekhar Bhagavatula,

Documents
Stronger Authentication in a Federated Worldevents.oasis-open.org/home/sites/events.oasis-open... · Soft Certificates Issues with Usability and Security Support Cost Centrally Stored

Stronger Authentication in a Federated Worldevents.oasis-open.org/home/sites/events.oasis-open... · Soft Certificates Issues with Usability and Security Support Cost Centrally Stored

Documents
BIOMETRIC AUTHENTICATION SECURITY AND USABILITY · Biometric Authentication -Security and Usability 231 Most biometric techniques are based on something that cannot be lost or forgotten

BIOMETRIC AUTHENTICATION SECURITY AND USABILITY · Biometric Authentication -Security and Usability 231 Most biometric techniques are based on something that cannot be lost or forgotten

Documents
User-generated & multi-media content - challenges and opportunities for accessibility Jonathan Hassell Head of Audience Experience and Usability BBC UX&D

User-generated & multi-media content - challenges and opportunities for accessibility Jonathan Hassell Head of Audience Experience and Usability BBC UX&D

Documents
Mobile resource problems: Authentication and usability

Mobile resource problems: Authentication and usability

Education
Smartphone Fingerprint Authentication versus PINs: A ... · Smartphone Fingerprint Authentication versus PINs: A ... The study compares the usability of Apple’s iPhone 5S ... manufacturers

Smartphone Fingerprint Authentication versus PINs: A ... · Smartphone Fingerprint Authentication versus PINs: A ... The study compares the usability of Apple’s iPhone 5S ... manufacturers

Documents
Leveraging 3D Benefits for Authentication · 2017-09-04 · The 3D authentication scheme is designed to leverage 3D advantages to achieve superior security, memorability, and usability

Leveraging 3D Benefits for Authentication · 2017-09-04 · The 3D authentication scheme is designed to leverage 3D advantages to achieve superior security, memorability, and usability

Documents
Usability of authentication in web applications – a literature

Usability of authentication in web applications – a literature

Documents
The Usability of Usability

The Usability of Usability

Technology
Bridging the Usability Gap New models for secure and usable authentication APGridPMA Plenary Meeting Taipei, 8 March 2010

Bridging the Usability Gap New models for secure and usable authentication APGridPMA Plenary Meeting Taipei, 8 March 2010

Documents
Usability of PIV Smartcards for Logical Accessinformation system authentication, to support PKI, and as an identity card. Smartcard-based authentication is recognized as being one

Usability of PIV Smartcards for Logical Accessinformation system authentication, to support PKI, and as an identity card. Smartcard-based authentication is recognized as being one

Documents
Usability & Usability Engineering

Usability & Usability Engineering

Documents
Jonathan Rubin - The benefits of do it yourself usability testing

Jonathan Rubin - The benefits of do it yourself usability testing

Technology
Group Manager | Jonathan McKay Design | Linda Hong Le Usability Test | Alireza Bagheri Garakani Documentation | Nuo Yan

Group Manager | Jonathan McKay Design | Linda Hong Le Usability Test | Alireza Bagheri Garakani Documentation | Nuo Yan

Documents
Resilient Digital Image Watermarking for Document ...jblackledge/books_papers_and_reports/Papers... · Resilient Digital Image Watermarking for Document Authentication Jonathan Blackledge

Resilient Digital Image Watermarking for Document ...jblackledge/books_papers_and_reports/Papers... · Resilient Digital Image Watermarking for Document Authentication Jonathan Blackledge

Documents
AUTHENTICATION MELEE A Usability Analysis of Seven Web Authentication Systems Scott Ruoti, Brent Roberts, Kent Seamons Internet Security Research Lab Brigham

AUTHENTICATION MELEE A Usability Analysis of Seven Web Authentication Systems Scott Ruoti, Brent Roberts, Kent Seamons Internet Security Research Lab Brigham

Documents
Security and Usability of Password Based User Authentication Systems Hatim Alsuwat Sami Alsuwat

Security and Usability of Password Based User Authentication Systems Hatim Alsuwat Sami Alsuwat

Documents
EXPERIENCE SIMPLER, STRONGER AUTHENTICATION · 2019. 11. 16. · DEMO EXAMPLE STEP 3 . 26 UAF AUTHENTICATION DEMO EXAMPLE STEP 4 . USABILITY, SECURITY and PRIVACY 27. 28 No 3rd Party

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION · 2019. 11. 16. · DEMO EXAMPLE STEP 3 . 26 UAF AUTHENTICATION DEMO EXAMPLE STEP 4 . USABILITY, SECURITY and PRIVACY 27. 28 No 3rd Party

Documents
Portal Authentication: A Balancing Act Between Security Usability and Compliance

Portal Authentication: A Balancing Act Between Security Usability and Compliance

Software
Data Sheet CloudSOC Gateway - CCP Software GmbHSymantec DLP, authentication, encryption, threat protection, and secure web gateway solutions. Key Features Specifications Usability

Data Sheet CloudSOC Gateway - CCP Software GmbHSymantec DLP, authentication, encryption, threat protection, and secure web gateway solutions. Key Features Specifications Usability

Documents
1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

Documents
018 - Usability Geek - Website Usability Through Automated Usability Evaluation

018 - Usability Geek - Website Usability Through Automated Usability Evaluation

Documents
Authentication Melee: A Usability Analysis of Seven Web ...Brigham Young University BYU ScholarsArchive All Theses and Dissertations 2015-04-01 Authentication Melee: A Usability Analysis

Authentication Melee: A Usability Analysis of Seven Web ...Brigham Young University BYU ScholarsArchive All Theses and Dissertations 2015-04-01 Authentication Melee: A Usability Analysis

Documents
Voice Biometrics: Balancing Security, Usability and ... · Voice biometrics is the least intrusive of all biometric modalities used for authentication. Voice authentication can be

Voice Biometrics: Balancing Security, Usability and ... · Voice biometrics is the least intrusive of all biometric modalities used for authentication. Voice authentication can be

Documents
Transparency and Usability of Web Authentication

Transparency and Usability of Web Authentication

Documents
Utilizing Behind-the-Wheel Behavior for Driver Authentication ......Utilizing Behind-the-Wheel Behavior for Driver Authentication Jonathan Voris N. Sertac Artan Wenjia Li jvoris@nyit.edu

Utilizing Behind-the-Wheel Behavior for Driver Authentication ......Utilizing Behind-the-Wheel Behavior for Driver Authentication Jonathan Voris N. Sertac Artan Wenjia Li [email protected]

Documents
Bridging the Usability Gap New models for secure and usable authentication APGridPMA Plenary Meeting Taipei, 8 March 2010

Bridging the Usability Gap New models for secure and usable authentication APGridPMA Plenary Meeting Taipei, 8 March 2010

Documents
Usability 2004 J T Burns1 Usability & Usability Engineering

Usability 2004 J T Burns1 Usability & Usability Engineering

Documents