InfoSec Seminar: Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling

Speaker: Simon Parkin

Date/Time: 01-Aug-2019, 16:00 UTC

Venue: Roberts 309

Details

Abstract

Security keys are phishing-resistant two-factor authentication (2FA) tokens based upon the FIDO Universal 2nd Factor (U2F) standard. Prior research on security keys has revealed intuitive usability concerns, but there are open challenges to better understand user experiences with heterogeneous devices and to determine an optimal user experience for everyday Web browsing. In this paper we contribute to the growing usable security literature on security keys through two user studies: (i) a lab-based study evaluating the first-time user experience of a cross-vendor set of security keys and SMS-based one-time passcodes; (ii) a diary study, where we collected 643 entries detailing how participants accessed accounts and experienced one particular security key over the period of one week. In the former we discovered that user sentiment towards SMS codes was typically higher than for security keys generally. In the latter we discovered that only 28% of accesses to security key-enabled online accounts actually involved a button press on a security key. Our findings confirm prior work that reports user uncertainty about the benefits of security keys and their security purpose.We conclude that this can be partly explained by experience with online services that support security keys, but may nudge users away from regular use of those security keys.

Bio

Simon Parkin is a Senior Teaching & Research Fellow in the Human-Centred Security team, part of the Information Security Research Group at UCL. Following completion of his PhD at Newcastle University in 2007, he was a Research Associate on the inter-disciplinary Trust Economics project through to 2011, then a member of the Innovation Team at HP Enterprise Security Services until mid-2012 before joining UCL.

Add to Calendar

This page was last modified on 27 Mar 2014.