"If I could do this, I feel anyone could:" The Design and Evaluation of a Secondary Authentication Factor Manager

Authors: 

Garrett Smith, Tarun Yadav, and Jonathan Dutson, Brigham Young University; Scott Ruoti, University of Tennessee Knoxville; Kent Seamons, Brigham Young University

Abstract: 

Two-factor authentication (2FA) defends against account compromise by protecting an account with both a password—the primary authentication factor—and a device or resource that is hard to steal—the secondary authentication factor (SAF). However, prior research shows that users need help registering their SAFs with websites and successfully enabling 2FA. To address these issues, we propose the concept of a SAF manager that helps users manage SAFs through their entire life cycle: setup, authentication, removal, replacement, and auditing. We design and implement two proof-of-concept prototypes. In a between-subjects user study (N=60), we demonstrate that our design improves users' ability to correctly and quickly setup and remove a SAF on their accounts. Qualitative results show that users responded very positively to the SAF manager and were enthusiastic about its ability to help them rapidly replace a SAF. Furthermore, our SAF manager prevented fatal errors that users experienced when not using the manager.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {291261,
author = {Garrett Smith and Tarun Yadav and Jonathan Dutson and Scott Ruoti and Kent Seamons},
title = {"If I could do this, I feel anyone {could:}" The Design and Evaluation of a Secondary Authentication Factor Manager},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {499--515},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/smith},
publisher = {USENIX Association},
month = aug
}

Presentation Video