Sanchari Das, Gianpaolo Russo, Andrew Dingman, Jayati Dev, O. Kenny, L. Camp
Title: A qualitative study on usability and acceptability of Yubico security key
Venue: Workshop on Socio-Technical Aspects in Security and Trust
Publication date: 2018-12-05
DOI: 10.1145/3167996.3167997 (https://doi.org/10.1145/3167996.3167997)
Citations: 36
Abstract
Individual concerns about account takeover and subversion are well-documented. Surveys indicate that concerns for the privacy and security of online accounts are widely shared. Adopting Two-Factor Authentication (2FA) is an action that individuals can take to secure their own accounts, including many popular consumer-facing services. Given that, why is two-factor hardware not more widely adopted? What usability and acceptability factors drive the adoption, or lack of adoption, of 2FA in the form of trusted hardware? Passwords are inherently misaligned with human cognition, and hardware keys designed for ease of use are readily available in the marketplace. Yet passwords remain the dominant online authentication method. In order to better understand relevant issues driving or impinging on adoption of Two-Factor Authentication, we implemented a two-phase study of the Yubico FIDO U2F security key.
The Yubico security key is a 2FA device designed to be user friendly. We examined the usability of the device by implementing a think-aloud protocol, and documented the halt and confusion points. We provided this analysis to Yubico, who implemented many of the recommended changes. We then repeated the study in the same context, noting significant improvements in usability. However, the increase in usability did not affect the acceptability of the device, which affects the prolonged usage of the device. In both phases we interviewed the study participants about the acceptability of the device, finding similar concerns about lack of benefits and the invisibility of risk. A source of opposition to adoption is the concern for loss of access, with participants prioritizing availability over confidentiality. Another concern is that these devices do not lessen or simplify interaction with services, as passwords are still required. We close with open questions for additional research, and further recommendations to encourage online safety through the adoption of 2FA.