User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking

This paper describes an experiment to investigate user perceptions of the usability and security of single-factor and two-factor authentication methods in automated telephone banking. In a controlled experiment with 62 banking customers a knowledge-based, single-factor authentication procedure, based on those commonly used in the financial services industry, was compared with a two-factor approach where in addition to the knowledge-based step, a one-time passcode was generated using a hardware security token. Results were gathered on the usability and perceived security of the two methods described, together with call completion rates and call durations for the two methods. Significant differences were found between the two methods, with the two-factor version being perceived as offering higher levels of security than the single-factor authentication version; however, this gain was offset by significantly lower perceptions of usability, and lower ratings for convenience and ease of use for the two-factor version. In addition, the two-factor authentication version took longer for participants to complete. This research provides valuable empirical evidence of the trade-off between security and usability in automated systems.