2FA Might Be Secure,But It’s Not Usable: A Summative Usability Assessment of Google’s Two-factor Authentication (2FA) Methods

Abstract

Computer security experts recommend that people use two-factor authentication (2FA) on password protected systems to help keep hackers out. Providing two pieces of information to verify a person’s identity adds extra security to an account. However, it is not clear if the added security and procedures impact system usability. This paper aims to answer this question by assessing per ISO 9241-11’s suggested measurements the usability of Google’s optional 2FA methods. We found few differences across four different 2FA methods when comparing efficiency, effectiveness and satisfaction measures—illustrating that one method is not necessarily more or less usable then another. Overall, the measures indicated that the systems’ usability needed to be improved, especially with regard to the initial setup of 2FA. In conclusion, developers need to focus more attention on making 2FA easier and faster to use, especially since it is often optional for password users, yet makes accounts significantly more secure.

Get full access to this article

View all access options for this article.

References

Acemyan

C. Z.

Kortum

Byrne

M. D.

Wallach

D. S.

(2014). Usability of voter verifiable, end-to-end voting systems: Baseline data for Helios, Prêt à Voter, and Scantegrity II. USENIX Journal of Election Technology and Systems (JETS), 2(3), 26–56.

Acemyan

C. Z.

Kortum

Byrne

M. D.

Wallach

D. S.

(2015). From error to error: Why voters could not cast a ballot and verify their vote With Helios, Prêt à Voter, and Scantegrity II. USENIX Journal of Election Technology and Systems (JETS), 3(2), 1–25.

ArunPrakash

Gokul

T. R.

(2011). Network security-overcome password hacking through graphical password authentication. In Proceedings of National Conference on Innovations in Emerging Technology, NCOIET’11 (pp. 43–48). IEEE.

Bangor

Kortum

Miller

(2009). Determining what individual SUS scores mean: Adding an adjective rating scale. Journal of Usability Studies, 4(3), 114–123.

Bevan

(2009). Usability. In Liu

Özsu

M. T.

(Eds.), Encyclopedia of Database Systems (pp. 3247–3251). Boston, MA: Springer US.

Brandom

(2017, July). Two-factor Authentication Is a Mess: It was supposed to be a one-stop security fix. What happened? The Verge. Retrieved from https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess

Brooke

(1986). Usability engineering in office product development. In Proceedings of the Second Conference of the British Computer Society, Human Computer Interaction Specialist Group On People and Computers: Designing for usability (pp. 249–259). Cambridge University Press.

Byrne

Greene

Everett

(2007). Usability of voting systems: Baseline data for paper, punch cards, and lever machines. In Proceedings of the SIGCHI conference on Human factors in computing systems (pp. 171–180). ACM.

De Cristofaro

Freudiger

Norcie

(2013). A comparative usability study of two-factor authentication. arXiv preprint arXiv:1309.5344.

10.

Green

B. D.

(2012). Six Rules For Creating Products People Love. In Six Rules For Creating Products People Love (pp. 73–92). Bloomington: Author House.

11.

Gunson

Marshall

Morton

Jack

(2011). User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking. Computers & Security, 30(4), 208-220.

12.

International Organization for Standardization. (1997). ISO 9241-16: Ergonomic Requirements for Office Work with Visual Display Terminals (VDTs)-Part 16: Direct-manipulation Dialogues.

13.

Kortum

(2016). Usability assessment: How to measure the usability of products, services, and systems. Human Factors and Ergonomics Society.

14.

Morley

(2016, February 10). Use the same password for everything? You’re fueling a surge in current account fraud. The Telegraph.

15.

Ong

(2018, January). Reddit now offers two-factor authentication to all. The Verge. Retrieved from https://www.theverge.com/2018/1/25/16931572/reddit-two-factor-authentication

16.

Weir

C. S.

Douglas

Carruthers

Jack

(2009). User perceptions of security, convenience and usability for ebanking authentication tokens. Computers & Security, 28(1-2), 47-62.

17.

Zetter

(2016, April). The Critical Hole at the Heart of Our Cell Phone Networks. Wired. Retrieved from https://www.wired.com/2016/04/the-critical-hole-at-the-heart-of-cell-phone-infrastructure/