Multi-factor authentication (MFA) — logging in with a combination of at least two of something you know, something you physically have, or something you are — has consistently been shown to drastically increase the security of online accounts compared to the use of a password alone. Though many online services offer one or more of the prevalent methods of MFA, adoption rates among consumers remain alarmingly low. Research into the security and usability of various MFA methods has consistently found that users are worried about account lockout in the event that they lose their primary authenticator (i.e., their phone or other device). To prevent legitimate users from getting locked out of their accounts, many sites recommend that users enable multiple different methods of MFA, which is both cumbersome and, counterintuitively, can negatively impact the overall security of the account. Our hypothesis is that MFA adoption can be increased through the deployment of more secure, private, and usable account recovery options. To that end, we are investigating the processes and tools that people use to recover in the real world, starting with the backup mechanisms in time-based one-time password (TOTP) authenticator apps, a widely deployed method of MFA.
Findings, Papers, and Presentations