Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling

Authors: 

Stéphane Ciolino, OneSpan Innovation Centre & University College London; Simon Parkin, University College London; Paul Dunphy, OneSpan Innovation Centre

Abstract: 

Security keys are phishing-resistant two-factor authentication (2FA) tokens based upon the FIDO Universal 2nd Factor (U2F) standard. Prior research on security keys has revealed intuitive usability concerns, but there are open challenges to better understand user experiences with heterogeneous devices and to determine an optimal user experience for everyday Web browsing. In this paper we contribute to the growing usable security literature on security keys through two user studies: (i) a lab-based study evaluating the first-time user experience of a cross-vendor set of security keys and SMS-based one-time passcodes; (ii) a diary study, where we collected 643 entries detailing how participants accessed accounts and experienced one particular security key over the period of one week. In the former we discovered that user sentiment towards SMS codes was typically higher than for security keys generally. In the latter we discovered that only 28% of accesses to security key-enabled online accounts actually involved a button press on a security key. Our findings confirm prior work that reports user uncertainty about the benefits of security keys and their security purpose.We conclude that this can be partly explained by experience with online services that support security keys, but may nudge users away from regular use of those security keys.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {238317,
author = {St{\'e}phane Ciolino and Simon Parkin and Paul Dunphy},
title = {Of Two Minds about Two-Factor: Understanding Everyday {FIDO} U2F Usability through Device Comparison and Experience Sampling},
booktitle = {Fifteenth Symposium on Usable Privacy and Security ({SOUPS} 2019)},
year = {2019},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/soups2019/presentation/ciolino},
publisher = {{USENIX} Association},
month = aug,
}