"It's Just a Lot of Prerequisites" A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator

Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review

Authors

  • Markus Keil
  • Philipp Markert
  • Markus Dürmuth

External Research Organisations

  • Ruhr-Universität Bochum

Details

Original language: English
Title of host publication: Proceedings of the 2022 European Symposium on Usable Security
Subtitle of host publication: EuroUSEC '22
Place of Publication: New York, NY, United States
Publisher: Association for Computing Machinery (ACM)
Pages: 172-188
Number of pages: 17
ISBN (electronic): 9781450397001
Publication status: Published - 29 Sept 2022
Event: 2nd European Symposium on Usable Security, EuroUSEC 2022 - Karlsruhe, Germany
Duration: 29 Sept 2022 - 30 Sept 2022

Abstract

Two-factor authentication (2FA) overcomes the insecurity of passwords by adding a second factor to the authentication process. The FIDO2 protocol offers a variant of 2FA that is phishing-resistant, unlike, e.g., SMS-based implementations. In 2018, its compatibility with eID, the German electronic identification system that is built into every German ID card, was published. Thus, users who own a German ID card may use it as a second factor to secure their online accounts. We conducted a qualitative study with n = 20 participants to collect users' impressions of the usability of an ID as a second factor, their perception of its security, and its overall acceptance. After watching an introductory video that familiarized them with the procedure, participants completed a hands-on task in which they first set up an ID as a second factor and then used it to log in. Users' opinions, thoughts, and concerns were collected through multiple-choice questions and structured interviews. We find that most non-tech-savvy users struggle with the setup but generally perceive the login to be easy. Users with a tech background faced fewer issues when setting up the ID as a second factor but stated that they prefer other alternatives. Finally, we observe a misconception regarding the transmission of personal information to the authenticating service, despite several indicators of privacy-compliant data handling. Based on our findings, we outline which aspects need to be addressed in order to provide a competitive alternative to established second factors.

Cite this

"It's Just a Lot of Prerequisites" A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator. / Keil, Markus; Markert, Philipp; Dürmuth, Markus.
Proceedings of the 2022 European Symposium on Usable Security: EuroUSEC '22. New York, NY, United States: Association for Computing Machinery (ACM), 2022. p. 172-188.

@inproceedings{5a3036fe42cf4b57936eb1fead2edac4,
title = "{"}It's Just a Lot of Prerequisites{"} A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator",
author = "Markus Keil and Philipp Markert and Markus D{\"u}rmuth",
note = "Funding Information: This research was supported by the research training group “Human Centered Systems Security” sponsored by the state of North Rhine-Westphalia and funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany{\textquoteright}s Excellence Strategy – EXC 2092 CASA – 390781972. ; 2nd European Symposium on Usable Security, EuroUSEC 2022 ; Conference date: 29-09-2022 Through 30-09-2022",
year = "2022",
month = sep,
day = "29",
doi = "10.1145/3549015.3554208",
language = "English",
pages = "172--188",
booktitle = "Proceedings of the 2022 European Symposium on Usable Security",
publisher = "Association for Computing Machinery (ACM)",
address = "United States",

}

TY - GEN
T1 - "It's Just a Lot of Prerequisites" A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator
AU - Keil, Markus
AU - Markert, Philipp
AU - Dürmuth, Markus
N1 - Funding Information: This research was supported by the research training group “Human Centered Systems Security” sponsored by the state of North Rhine-Westphalia and funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC 2092 CASA – 390781972.
PY - 2022/9/29
Y1 - 2022/9/29

UR - http://www.scopus.com/inward/record.url?scp=85138473881&partnerID=8YFLogxK
U2 - 10.1145/3549015.3554208
DO - 10.1145/3549015.3554208
M3 - Conference contribution
AN - SCOPUS:85138473881
SP - 172
EP - 188
BT - Proceedings of the 2022 European Symposium on Usable Security
PB - Association for Computing Machinery (ACM)
CY - New York, NY, United States
T2 - 2nd European Symposium on Usable Security, EuroUSEC 2022
Y2 - 29 September 2022 through 30 September 2022
ER -
