Don't Punish all of us: Measuring User Attitudes about Two-Factor Authentication

Publication Type: Conference Paper
Year of Publication: 2019
Authors: Dutson, Jonathan; Allen, Danny; Eggett, Dennis; Seamons, Kent
Conference Name: 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Keywords: 2FA methods, authorisation, Brigham Young University, Duo 2FA, human factors, message authentication, password, pubcrawl, Remember Me setting, remote attacker, security, sentiment analysis, Two factor Authentication, two-factor authentication, usability, usable security, user attitude measurement, user sentiment
Abstract: Two-factor authentication (2FA) defends against password compromise by a remote attacker. We surveyed 4,275 students, faculty, and staff at Brigham Young University to measure user sentiment about Duo 2FA one year after the university adopted it. The results were mixed. A majority of the participants felt more secure using Duo and felt it was easy to use. About half of all participants reported at least one instance of being locked out of their university account because of an inability to authenticate with Duo. We found that students and faculty generally had more negative perceptions of Duo than staff. The survey responses reveal some pain points for Duo users. In response, we offer recommendations that reduce the frequency of 2FA for users. We also suggest UI changes that draw more attention to 2FA methods that do not require WiFi, the "Remember Me" setting, and the help utility.
