“You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company

Authors: 

Florian M. Farke, Ruhr University Bochum; Lennart Lorenz, tracekey solutions GmbH; Theodor Schnitzler, Philipp Markert, and Markus Dürmuth, Ruhr University Bochum

Abstract: 

The goal of the FIDO2 project is to provide secure and usable alternatives to password-based authentication on the Web. It relies on public-key credentials, which a user can provide via security tokens, biometrics, knowledge-based factors, or combinations. In this work, we report the results of a qualitative study accompanying the deployment of FIDO2-enabled security tokens for primary authentication in a web application of a small software company operating in the life sciences industry. We assisted the company in implementing and setting up FIDO2-enabled authentication on its public test and evaluation server. Over four weeks, we observed the authentication routine of 8 of the 10 employees who regularly use the web application, including sales representatives, software developers, project managers, and account managers. We gathered data through login diaries, server logs, and semi-structured interviews to assess themes regarding usability, perceived security, and deployability. We found that participants had several concerns, like losing the security token and longer authentication times, while the security benefits were largely intangible or perceived as unnecessary.

BibTeX
@inproceedings {255646,
author = {Florian M. Farke and Lennart Lorenz and Theodor Schnitzler and Philipp Markert and Markus D{\"u}rmuth},
title = {{{\textquotedblleft}You} still use the password after {all{\textquotedblright}} {\textendash} Exploring {FIDO2} Security Keys in a Small Company},
booktitle = {Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)},
year = {2020},
isbn = {978-1-939133-16-8},
pages = {19--35},
url = {https://www.usenix.org/conference/soups2020/presentation/farke},
publisher = {USENIX Association},
month = aug
}