Why Johnny Doesn’t Use Two Factor: A Two-Phase Usability Study of the FIDO U2F Security Key

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10957)

Abstract

Why do individuals choose to use (or not use) Two Factor Authentication (2FA)? We sought to answer this by implementing a two-phase study of the Yubico Security Key. We analyzed acceptability and usability of the Yubico Security Key, a 2FA hardware token implementing Fast Identity Online (FIDO). This token has notable usability attributes: tactile interaction, convenient form factor, physical resilience, and ease of use. Despite the Yubico Security Key being among best in class for usability among hardware tokens, participants in a think-aloud protocol still encountered several difficulties in usage. Based on these findings, we proposed certain design changes, some of which were adopted by Yubico. We repeated the experiment, showing that these recommendations enhanced ease of use but not necessarily acceptability. With the primary halt points mitigated, we could identify the remaining principal reasons for rejecting 2FA, such as fear of losing the device and the perception that there is no individual risk of account takeover. Our results illustrate both the importance and the limits of usability on acceptability, adoption, and adherence in Two-Factor Authentication.

Acknowledgement

This research was supported in part by the National Science Foundation under CNS 1565375, Cisco Research Support #591000, and the Comcast Innovation Fund. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the US Government, the National Science Foundation, Cisco, Comcast, or Indiana University.

Author information

Corresponding author: Sanchari Das.

A Appendix

We have provided the correlation matrices of the halt and confusion points for the different sets of instructions (Yubico and Google) across the two phases. Due to lack of space we have used abbreviations for the halt and confusion points. The abbreviations are as follows:

  1. D: Demo
  2. S: Incorrect Settings
  3. I: Instructions
  4. F: Form Factor
  5. B: Bio-metric
  6. P: Pressing Button

A.1 Phase-I

[Figure: Correlation Matrix of Halt Points for Phase-I participants who received Yubico Instructions.]

[Figure: Correlation Matrix of Halt Points for Phase-I participants who received Google Instructions.]

[Figure: Correlation Matrix of Confusion Points for Phase-I participants who received Yubico Instructions.]

[Figure: Correlation Matrix of Confusion Points for Phase-I participants who received Google Instructions.]

A.2 Phase-II

[Figure: Correlation Matrix of Halt Points for Phase-II participants who received Yubico Instructions.]

[Figure: Correlation Matrix of Halt Points for Phase-II participants who received Google Instructions.]

[Figure: Correlation Matrix of Confusion Points for Phase-II participants who received Yubico Instructions.]

[Figure: Correlation Matrix of Confusion Points for Phase-II participants who received Google Instructions.]

Copyright information

© 2018 International Financial Cryptography Association

About this paper

Cite this paper

Das, S., Dingman, A., Camp, L.J. (2018). Why Johnny Doesn’t Use Two Factor: A Two-Phase Usability Study of the FIDO U2F Security Key. In: Meiklejohn, S., Sako, K. (eds) Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science, vol 10957. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58387-6_9

  • DOI: https://doi.org/10.1007/978-3-662-58387-6_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-58386-9

  • Online ISBN: 978-3-662-58387-6

  • eBook Packages: Computer Science (R0)
