New approach to compare the process of two-factor authentication on websites
A new study presents criteria for comparing the two-factor authentication (2FA) process on websites from a user perspective. The study of 85 top-ranked websites shows that there is no consistency in the user experience, even though this is a central principle in web design.
This runs counter to "Jakob's Law of Internet User Experience," according to which new security standards are only adopted if they align with existing user experiences.
CISPA-Faculty Dr. Sven Bugiel and his colleague Sanam Ghorbani Lyastani presented their paper, "A Systematic Study of the Consistency of Two-Factor Authentication User Journeys on Top-Ranked Websites," at the Network and Distributed System Security Symposium (NDSS) 2023.
We humans are creatures of habit: the more similar processes and everyday actions are, the easier they are to carry out. The same goes for activities on the Internet. "When shopping online, we are generally used to the shopping cart being at the top right of the website," explains CISPA faculty member Dr. Sven Bugiel. This kind of experience allows users to switch quickly and easily between websites from different providers. The observation Bugiel describes is an important heuristic from the field of user experience, also known as "Jakob's Law of Internet User Experience." While the user experience of password-protected login is considered fairly consistent, to date there has been no research on how this applies to the process of two-factor authentication (2FA). "Many studies have already dealt with individual factors of 2FA," the CISPA researcher explains. "That is why we wanted to find out what the overall workflow of two-factor authentication looks like."
Two-factor authentication
But what exactly is it that makes two-factor authentication so interesting? "2FA is a technology that is becoming increasingly important when it comes to securing user accounts," Bugiel explains. "Creating secure and unique passwords is a very difficult task, so 2FA is a way of creating a second security barrier." That means users not only authenticate themselves with a password when logging in to a website, but also with an additional factor. There is a wide range of methods available for the second level of authentication. They include one-time passwords sent via a text message or generated via an app, as well as hardware add-ons that scan fingerprints, for example. Each of these methods comes with its own set of challenges. "A 'gold standard' for implementing 2FA has not yet been established," continues Bugiel.
The CISPA researchers' study design
In order to compare the process of two-factor authentication on websites, Bugiel and his colleague conducted their study based on the aforementioned "Jakob's Law of Internet User Experience." "To find out which websites actually use 2FA, we used the 2FA directory," explains Bugiel. "This is a community-led data set of websites that use 2FA in any way. Around 3000 websites are listed there." To reduce the number of websites to be examined, Bugiel and his colleague used the Tranco dataset, a scientific dataset that ranks websites. "We then extracted the top-ranked websites in Tranco from the websites listed in 2FA," the CISPA researcher continues. "As a result, we had websites in our sample that most people are probably familiar with." These included websites such as google.com, amazon.com and icloud.com, which the majority of users are likely to know.
Comparison factors for 2FA user journeys
In a second step, the CISPA researchers developed comparison factors so they could compare the websites with each other. "For this, we manually investigated the 85 websites with two researchers and recorded the process on video. We wanted to know, for example, where users first encounter 2FA, where the 2FA settings are located and how the login and logout process works." Based on the data collected, Bugiel and his colleague identified a total of 22 comparison factors, classified into five main categories of two-factor authentication: Discovery, Education, Setup, Usage and Deactivation. The comparison factors for Discovery included, for example, how the website indicates the 2FA option, whether its use is mandatory, and whether there is a common naming. The Setup category included comparison factors such as confirmation of a successful setup process and the offer of a recovery option.
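As an added illustration that is not the study's own code or data, the following Python models the comparison described above: each site is coded on a few of the page's factors for the Discovery and Setup categories (site names and coded values are constructed here), and the functions report how much agreement there is per factor and group sites into identical-strategy clusters, the "groups of websites" the results refer to.

```python
# Added illustration, not the study's code. Constructed 2FA user-journey records
# coded on a handful of the page's comparison factors, plus two consistency checks.
from collections import Counter, defaultdict

CATEGORIES = ("Discovery", "Education", "Setup", "Usage", "Deactivation")

# Constructed sample: site -> category -> factor -> coded value.
# Factor names follow the page (how 2FA is indicated, whether it is mandatory,
# naming, setup confirmation, recovery option); the values are invented.
SAMPLE = {
    "site-a.example": {"Discovery": {"indicated": "security-settings", "mandatory": False, "naming": "2FA"},
                       "Setup": {"confirmation": True, "recovery": "backup-codes"}},
    "site-b.example": {"Discovery": {"indicated": "security-settings", "mandatory": False, "naming": "2FA"},
                       "Setup": {"confirmation": True, "recovery": "backup-codes"}},
    "site-c.example": {"Discovery": {"indicated": "login-prompt", "mandatory": True, "naming": "2-Step Verification"},
                       "Setup": {"confirmation": False, "recovery": "none"}},
    "site-d.example": {"Discovery": {"indicated": "login-prompt", "mandatory": False, "naming": "two-step verification"},
                       "Setup": {"confirmation": True, "recovery": "phone"}},
    "site-e.example": {"Discovery": {"indicated": "security-settings", "mandatory": False, "naming": "MFA"},
                       "Setup": {"confirmation": False, "recovery": "backup-codes"}},
}


def factor_agreement(sample):
    """Per (category, factor): share of sites that use the most common coded value."""
    values = defaultdict(list)
    for cats in sample.values():
        for cat, factors in cats.items():
            for factor, value in factors.items():
                values[(cat, factor)].append(value)
    return {key: Counter(vals).most_common(1)[0][1] / len(vals) for key, vals in values.items()}


def strategy_clusters(sample, category):
    """Group sites whose coded factors for one category are identical (a 'strategy')."""
    clusters = defaultdict(list)
    for site, cats in sample.items():
        key = tuple(sorted(cats.get(category, {}).items()))
        clusters[key].append(site)
    return sorted((sorted(sites) for sites in clusters.values()), key=len, reverse=True)


def dominant_strategy_share(sample, category):
    """Fraction of sites in the largest cluster; below 0.5 means no majority strategy."""
    return len(strategy_clusters(sample, category)[0]) / len(sample)


if __name__ == "__main__":
    for cat in ("Discovery", "Setup"):
        print(cat, "largest strategy share:", dominant_strategy_share(SAMPLE, cat))
        print(cat, "clusters:", strategy_clusters(SAMPLE, cat))
```

In this constructed sample no single Discovery or Setup strategy covers a majority of sites, which is the kind of outcome the study reports for the real 85-site sample.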
Results show no consistency in user experience
"If you look at the user journey on these top-ranked websites, the key message is that there is no consistent strategy implemented by all websites or even the majority of websites," Bugiel explains. "Instead, there are different strategies that are implemented by groups of websites. These are clusters of usage strategies that we defined in the analysis. This means that the 2FA user journeys are not really consistent." In terms of Jakob's Law, there is a risk that users will not activate 2FA, or will not use the website, for these reasons. "The core contribution of our work was to show that these inconsistencies exist in fact," continues Bugiel. "This leads to various new research questions. Our study only allows us to say whether the user experience on different websites is similar or different. However, that does not tell us whether a website is more or less user-friendly." Taking a closer look at these differences and investigating them directly with users would be the next step, and the CISPA faculty member's research group plans to do so in a follow-up study.
More information:
Sanam Ghorbani Lyastani et al., "A Systematic Study of the Consistency of Two-Factor Authentication User Journeys on Top-Ranked Websites (Extended Version)," arXiv (2022). DOI: 10.48550/arxiv.2210.09373
Provided by CISPA Helmholtz Center for Information Security