-
"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments
Authors:
Sabrina Amft,
Sandra Höltervennhoff,
Nicolas Huaman,
Alexander Krause,
Lucy Simko,
Yasemin Acar,
Sascha Fahl
Abstract:
Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will…
▽ More
Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.
△ Less
Submitted 19 September, 2023; v1 submitted 16 June, 2023;
originally announced June 2023.
-
Privacy Rarely Considered: Exploring Considerations in the Adoption of Third-Party Services by Websites
Authors:
Christine Utz,
Sabrina Amft,
Martin Degeling,
Thorsten Holz,
Sascha Fahl,
Florian Schaub
Abstract:
Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website's visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied,…
▽ More
Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website's visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied, little is known about the decision processes that lead to websites using third-party functionality and whether efforts are being made to protect their visitors' privacy.
We report results from an online survey with 395 participants involved in the creation and maintenance of websites. For ten common website functionalities we investigated if privacy has played a role in decisions about how the functionality is integrated, if specific efforts for privacy protection have been made during integration, and to what degree people are aware of data collection through third parties. We find that ease of integration drives third-party adoption but visitor privacy is considered if there are legal requirements or respective guidelines. Awareness of data collection and privacy risks is higher if the collection is directly associated with the purpose for which the third-party service is used.
△ Less
Submitted 4 October, 2022; v1 submitted 21 March, 2022;
originally announced March 2022.
-
"Get a Free Item Pack with Every Activation!" -- Do Incentives Increase the Adoption Rates of Two-Factor Authentication?
Authors:
Karoline Busse,
Sabrina Amft,
Daniel Hecker,
Emanuel von Zezschwitz
Abstract:
Account security is an ongoing issue in practice. Two-Factor Authentication (2FA) is a mechanism which could help mitigate this problem, however adoption is not very high in most domains. Online gaming has adopted an interesting approach to drive adoption: Games offer small rewards such as visual modifications to the player's avatar's appearance, if players utilize 2FA. In this paper, we evaluate…
▽ More
Account security is an ongoing issue in practice. Two-Factor Authentication (2FA) is a mechanism which could help mitigate this problem, however adoption is not very high in most domains. Online gaming has adopted an interesting approach to drive adoption: Games offer small rewards such as visual modifications to the player's avatar's appearance, if players utilize 2FA. In this paper, we evaluate the effectiveness of these incentives and investigate how they can be applied to non-gaming contexts. We conducted two surveys, one recruiting gamers and one recruiting from a general population. In addition, we conducted three focus group interviews to evaluate various incentive designs for both, the gaming context and the non-gaming context. We found that visual modifications, which are the most popular type of gaming-related incentives, are not as popular in non-gaming contexts. However, our design explorations indicate that well-chosen incentives have the potential to lead to more users adopting 2FA, even outside of the gaming context.
△ Less
Submitted 16 October, 2019;
originally announced October 2019.