DOI: 10.1145/3576915.3623180

"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Published: 21 November 2023

ABSTRACT

Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps.

However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures that are both secure and easy to use, allowing their users to recover from losing access to their additional factor.

In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages.

We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience.

We find that many websites deploy insecure Multi-Factor Authentication recovery procedures that allowed us to circumvent and disable Multi-Factor Authentication when we had access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated.

Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.


Published in

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
November 2023
3722 pages
ISBN: 9798400700507
DOI: 10.1145/3576915

Copyright © 2023 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article

Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
