How Mandatory Second Factor Affects the Authentication User Experience
- 21 April 2020
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
Recent years have seen growing organizational adoption of two-factor authentication as organizations seek to limit the damage caused by password breaches. However, research on the user experience of two-factor authentication in a real-world setting is relatively scant. To fill this gap, we conducted multiple waves of an online survey of users at a large public university during its multi-phase rollout of mandatory two-factor authentication for faculty, staff, and students. In addition, we examined multiple months of logs of all authentication events at the university. We found no significant changes in user experience and acceptance of two-factor authentication when it was mandatory for select systems that dealt with sensitive information. However, these factors degraded when users were forced to use two-factor authentication for logging into every single university resource. Our findings can serve as important guidance for the implementation of two-factor authentication in organizations in a way that can help achieve a balance between security and user experience.
This publication has 23 references indexed in Scilit:
- Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. Published by Internet Society, 2015
- A Comparative Usability Study of Two-Factor Authentication. Published by Internet Society, 2014
- Authentication at Scale. IEEE Security & Privacy, 2012
- User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking. Computers & Security, 2011
- Usable security: User preferences for authentication methods in eBanking and the effects of experience. Interacting with Computers, 2010
- A large-scale study of web password habits. Published by Association for Computing Machinery (ACM), 2007
- Security in the wild: user strategies for managing security as an everyday, practical problem. Personal and Ubiquitous Computing, 2004
- The domino effect of password reuse. Communications of the ACM, 2004
- Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE, 2003
- Biometric recognition: security and privacy concerns. IEEE Security & Privacy, 2003