TY - GEN
T1 - Empirical measurement of systemic 2FA usability
AU - Reynolds, Joshua
AU - Samarin, Nikita
AU - Barnes, Joseph
AU - Judd, Taylor
AU - Mason, Joshua
AU - Bailey, Michael
AU - Egelman, Serge
N1 - Publisher Copyright:
© 2020 by The USENIX Association. All Rights Reserved.
PY - 2020
Y1 - 2020
N2 - Two-Factor Authentication (2FA) hardens an organization against user account compromise, but adds an extra step to organizations' mission-critical tasks. We investigate to what extent quantitative analysis of operational logs of 2FA systems both supports and challenges recent results from user studies and surveys identifying usability challenges in 2FA systems. Using tens of millions of logs and records kept at two public universities, we quantify the at-scale impact on organizations and their employees during a mandatory 2FA implementation. We show the multiplicative effects of device remembrance, fragmented login services, and authentication timeouts on user burden. We find that user burden does not deviate far from other compliance and risk management time requirements already common to large organizations. We investigate the cause of more than one in twenty 2FA ceremonies being aborted or failing, and the variance in user experience across users. We hope our analysis will empower more organizations to protect themselves with 2FA.
UR - http://www.scopus.com/inward/record.url?scp=85091908062&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85091908062&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85091908062
T3 - Proceedings of the 29th USENIX Security Symposium
SP - 127
EP - 143
BT - Proceedings of the 29th USENIX Security Symposium
PB - USENIX Association
T2 - 29th USENIX Security Symposium
Y2 - 12 August 2020 through 14 August 2020
ER -