Empirical Measurement of Systemic 2FA Usability
Joshua Reynolds, University of Illinois at Urbana-Champaign and University of California, Berkeley and International Computer Science Institute; Nikita Samarin, University of California, Berkeley and International Computer Science Institute; Joseph Barnes, Taylor Judd, Joshua Mason, and Michael Bailey, University of Illinois at Urbana-Champaign; Serge Egelman, University of California, Berkeley and International Computer Science Institute
Two-Factor Authentication (2FA) hardens an organization against user account compromise, but adds an extra step to organizations’ mission-critical tasks. We investigate to what extent quantitative analysis of operational logs of 2FA systems both supports and challenges recent results from user studies and surveys identifying usability challenges in 2FA systems. Using tens of millions of logs and records kept at two public universities, we quantify the at-scale impact on organizations and their employees during a mandatory 2FA implementation. We show the multiplicative effects of device remembrance, fragmented login services, and authentication timeouts on user burden. We find that user burden does not deviate far from other compliance and risk management time requirements already common to large organizations. We investigate the cause of more than one in twenty 2FA ceremonies being aborted or failing, and the variance in user experience across users. We hope our analysis will empower more organizations to protect themselves with 2FA.
View the full USENIX Security '20 program at https://www.usenix.org/conference/usenixsecurity20/technical-sessions