Evaluating the Influence of Multi-Factor Authentication and Recovery Settings on the Security and Accessibility of User Accounts (2403.15080v1)

Published 22 Mar 2024 in cs.CR

Abstract: Nowadays, most online services offer different authentication methods that users can set up for multi-factor authentication and also as a recovery method. This configuration must be done carefully to prevent an adversary from gaining access while ensuring that the legitimate user does not lose access to their account. This is particularly important for fundamental everyday services, where either failure would have severe consequences. Nevertheless, little research has been done on how actual users configure authentication with respect to security and the risk of being locked out of their accounts. To foster research in this direction, this paper presents a study of the account settings of Google and Apple users. Considering the multi-factor authentication configuration and recovery options, we analyzed account security and lock-out risks. Our results provide insights into the usage of multi-factor authentication in practice, show significant security differences between Google and Apple accounts, and reveal that many users would lose access to their accounts when losing a single authentication device.
