Two-Factor or not Two-Factor? A Comparative Usability Study of Two-Factor Authentication

Decades of research and numerous incidents have demonstrated the weaknesses of text passwords and prompted the need for more secure alternatives. In recent years, two-factor authentication (2F) has emerged as the most used solution to strengthen passwords. By requiring users to provide more than one authentication factor – e.g., a code generated by a security token, along with the password – 2F aims to enhance resilience against guessing attacks and breaches of password databases. Alas, it also introduces non-negligible costs for service providers and requires users to carry out additional actions during the authentication process, nevertheless, little research has focused on its usability. This paper presents a comparative usability study of twofactor authentication. First, we report on a preliminary interview-based study involving 9 participants, identifying the most popular 2F technologies as well as the contexts and motivations in which they are used. Then, we design and administer a survey to 219 Mechanical Turk users, aiming to explore the landscape of 2F technologies and measure the usability of three popular solutions: codes generated by security tokens, one-time PINs received via email or SMS, and dedicated smartphone apps (e.g., Google Authenticator). We record contexts and motivations, and study their impact on perceived usability. We also present an exploratory factor analysis that captures some key factors affecting usability of 2F and highlight interesting findings that call for further research in the field.