Hackers of India

Two-Factor Authentication, Usable or Not? A Two-Phase Usability Study of the FIDO U2F Security Key

By Sanchari Das, Andrew C Dingman, Gianpaolo Russo, L Jean Camp on 09 Aug 2018 @ Blackhat


Presentation Material

Abstract

Why do people choose to use (or not use) Two-Factor Authentication (2FA)? We report on some surprising results from a two-phase study on the Yubico Security Key, conducted in collaboration with Yubico. Despite the Yubico Security Key being among the best in class for usability among hardware tokens, participants in a think-aloud protocol encountered surprising difficulties, with none in the first round able to complete enrollment without guidance. For example, a website demo, built to make adoption simple, instead resulted in profound confusion when participants fell into an infinite loop of inadvertently only play-acting the installation. We report on this and other findings of a two-phase experiment that analyzed the acceptability and usability of the Yubico Security Key, a 2FA hardware token implementing Fast Identity Online (FIDO). We made recommendations, and then tested the new interaction. A repeat of the experiment showed that these recommendations enhanced ease of use but not necessarily acceptability. The second stage identified the remaining primary reasons for rejecting 2FA: fear of losing the device, illusions of personal immunity to risk on the internet, and confidence in personal risk perceptions. Being locked out of an account was something every participant had suffered, while losing control of their account was a distant, remote, and heavily discounted risk. The presentation will surprise and inform practitioners, showing them that usability is not just common sense; in fact, sometimes you need to think sideways to align yourself with your potential users.

AI Generated Summary (may contain errors)

Identity and Purpose

The speaker is an expert in content summarization, discussing the importance of effective risk communication in the context of security and technology.

Key Points

  1. Risk Communication: Communicating the benefits and risks associated with security measures,
  2. Motivating Users: Providing clear and urgent risk communication to motivate users to adopt secure practices.
  3. Password Behavior: Research shows significant password reuse and sharing, highlighting the need for effective risk communication.
  4. Qualitative Studies: Conducting qualitative studies to understand user behavior and identify areas for improvement.

Takeaways

  1. Providing Technology is Not Enough: Communicating the importance of security measures is crucial for adoption.
  2. Motivating Users: Communicating why security is needed, rather than how it works, is key to motivating users.
  3. Periodic Feedback: Providing regular feedback to users and researchers can improve motivation and outcomes.

Challenges

  1. Balancing Usability and Security: Finding a balance between making technology usable and secure is essential.
  2. Keeping Up with Changing Instructions: Collaborations and changing instructions from companies like Google can make it difficult to keep up with effective risk communication strategies.

Overall, the speaker emphasizes the importance of effective risk communication in promoting security and motivating users to adopt secure practices.