Why Johnny Doesn't Use Two Factor: A Two-Phase Usability Study of the FIDO U2F Security Key

Why do individuals choose to use (or not use) Two Factor Authentication (2FA)? We sought to answer this by implementing a two-phase study of the Yubico Security Key. We analyzed the acceptability and usability of the Yubico Security Key, a 2FA hardware token implementing Fast Identity Online (FIDO). This token has notable usability attributes: tactile interaction, a convenient form factor, physical resilience, and ease of use. Despite the Yubico Security Key being among the best in class for usability among hardware tokens, participants in a think-aloud protocol still encountered several difficulties in usage. Based on these findings, we proposed certain design changes, some of which were adopted by Yubico. We repeated the experiment, showing that these recommendations enhanced ease of use but not necessarily acceptability. With the primary halt points mitigated, we could identify the remaining principal reasons for rejecting 2FA, such as fear of losing the device and the perception that there is no individual risk of account takeover. Our results illustrate both the importance and the limits of usability on acceptability, adoption, and adherence in Two-Factor Authentication.
