The Community for Technology Leaders
2018 IEEE Symposium on Security and Privacy (SP) (2018)
San Francisco, CA, US
May 21, 2018 to May 23, 2018
ISSN: 2375-1207
ISBN: 978-1-5386-4353-2
pp: 1090-1106
Joshua Reynolds , University of Illinois at Urbana-Champaign and Brigham Young University
Trevor Smith , Brigham Young University
Ken Reese , Brigham Young University
Luke Dickinson , Brigham Young University
Scott Ruoti , MIT Lincoln Laboratory
Kent Seamons , Brigham Young University
ABSTRACT
Two-factor authentication (2FA) significantly improves the security of password-based authentication. Recently, there has been increased interest in Universal 2nd Factor (U2F) security keys-small hardware devices that require users to press a button on the security key to authenticate. To examine the usability of security keys in non-enterprise usage, we conducted two user studies of the YubiKey, a popular line of U2F security keys. The first study tasked 31 participants with configuring a Windows, Google, and Facebook account to authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking themselves out of their operating system or thinking they had successfully enabled 2FA when they had not. In contrast, the second study had 25 participants use a YubiKey in their daily lives over a period of four weeks, revealing that participants generally enjoyed the experience. Conducting both a laboratory and longitudinal study yielded insights into the usability of security keys that would not have been evident from either study in isolation. Based on our analysis, we recommend standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts.
INDEX TERMS
two-factor-authentication, hardware-tokens, usability, longitudinal-study, YubiKey
CITATION

J. Reynolds, T. Smith, K. Reese, L. Dickinson, S. Ruoti and K. Seamons, "A Tale of Two Studies: The Best and Worst of YubiKey Usability," 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, US, , pp. 1090-1106.
doi:10.1109/SP.2018.00067
85 ms
(Ver 3.3 (11022016))