A qualitative study on usability and acceptability of Yubico security key

Sanchari Das, Gianpaolo Russo, Andrew Dingman, Jayati Dev, O. Kenny, L. Camp
Workshop on Socio-Technical Aspects in Security and Trust, published 2018-12-05
DOI: 10.1145/3167996.3167997 (https://doi.org/10.1145/3167996.3167997)
Citations: 36

Abstract

Individual concerns about account takeover and subversion are well-documented. Surveys indicate that concerns for the privacy and security of online accounts are widely shared. Adopting Two-Factor Authentication (2FA) is an action that individuals can take to secure their own accounts, including many popular consumer-facing services. Given that, why is two-factor hardware not more widely adopted? What usability and acceptability factors drive the adoption, or lack of adoption of 2FA in the form of trusted hardware? Passwords are inherently misaligned with human cognition, and hardware keys designed for ease of use are readily available in the marketplace. Yet passwords remain the dominant online authentication method. In order to better understand relevant issues driving or impinging adoption of Two-Factor Authentication, we implemented a two-phase study of the Yubico FIDO U2F security key. The Yubico security key is a 2FA device designed to be user friendly. We examined the usability of the device by implementing a think-aloud protocol, and documented the halt and confusion points. We provided this analysis to Yubico, who implemented many of the recommended changes. We then repeated the study in the same context; noting significant improvements in usability. However, increase in usability did not affect the acceptability of the device, affecting the prolonged usage of the device. In both phases we interviewed the study participants about the acceptability of the device, finding similar concerns about lack of benefits and the invisibility of risk. A source of opposition to adoption is the concern for loss of access, with participants prioritizing availability over confidentiality. Another concern is that these do not lessen or simplify interaction with services as passwords are still required. We close with open questions for additional research, and further recommendations to encourage online safety through the adoption of 2FA.