Computing That Serves

A Comparative Longitudinal Study of Two-factor Authentication

Ken Reese: MS Thesis Proposal

Friday, October 13, 1:00PM

3350 TMCB

Advisor: Kent Seamons

Passwords are the dominant form of authentication on the web today. However, many users choose weak passwords and reuse the same password on multiple sites, thus increasing their vulnerability to having their credentials leaked or stolen. Two-factor authentication strengthens existing password authentication schemes against impersonation attacks and makes it more difficult for attackers to reuse stolen credentials on other websites. Despite the added security benefits of two-factor authentication, there are still many open questions about its usability. Many two-factor systems in widespread usage today have not yet been subjected to adequate usability testing. Previous comparative studies have demonstrated significant differences in usability between various single-factor authentication systems. We hypothesize that there will also be significant differences in usability between two-factor authentication systems.
Our contributions will be threefold. First, we will describe a novel user behavior model that describes four phases of interaction between a user and an authentication system. This model is designed to inform the design of future usability studies and will enable researchers and those implementing authentication systems to have a more nuanced understanding of authentication system usability. Second, we will conduct a comparative usability study of some of the most common two-factor authentication systems. In contrast to previous authentication usability studies, we will have participants use the system for a period of two weeks and will collect SUS metrics on the systems under test. Finally, our testing system will be released under an open-source license, allowing future researchers to reproduce and expand on our work.