“We've Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Research output: Chapter in book/report/conference proceeding > Conference contribution > Research > peer review

Authors

  • Sabrina Amft
  • Sandra Höltervennhoff
  • Nicolas Huaman
  • Alexander Krause
  • Lucy Simko
  • Yasemin Acar
  • Sascha Fahl

External Research Organisations

  • CISPA Helmholtz Center for Information Security
  • George Washington University
  • Paderborn University

Details

Original language: English
Title of host publication: CCS 2023
Subtitle of host publication: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Pages: 3138-3152
Number of pages: 15
ISBN (electronic): 9798400700507
Publication status: Published - 21 Nov 2023
Event: 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 - Copenhagen, Denmark
Duration: 26 Nov 2023 to 30 Nov 2023

Abstract

Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.
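The abstract's central finding is that at many of the tested sites control of the account's email address alone was enough to disable MFA. The Python sketch below is an added illustration of that failure mode and is not code from the paper or from any of the studied websites. It models an email-only recovery policy beside a stricter variant that also demands one of the one-time recovery codes handed out at MFA setup, which live outside the mailbox. All names (RecoveryService, Account, Mailbox, the two simulation functions) are hypothetical, and the stricter policy is this editor's example of a second, mailbox-independent proof of ownership, not the paper's own recommendation list, which this page does not reproduce.

```python
"""Toy model of two MFA recovery policies (added illustration, not the paper's code).

Policy A (email only): proving control of the mailbox disables MFA.
Policy B (email + recovery code): the reset link is useless without one of the
one-time recovery codes shown at MFA setup.  Policy B is an editor's example,
not a recommendation quoted from the paper.  Only the MFA-disable step is
modelled; a real mailbox takeover usually also yields a password reset.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_code(code: str, salt: bytes) -> bytes:
    """Recovery codes are stored hashed like passwords (scrypt from the stdlib)."""
    return hashlib.scrypt(code.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


@dataclass
class Account:
    email: str
    mfa_enabled: bool = True
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    recovery_code_hashes: set = field(default_factory=set)


@dataclass
class Mailbox:
    """Stands in for the address on file; whoever controls it reads every message."""
    messages: list = field(default_factory=list)


class RecoveryService:
    def __init__(self, require_recovery_code: bool):
        self.require_recovery_code = require_recovery_code
        self.pending: dict = {}  # single-use reset token -> account email

    def issue_recovery_codes(self, acct: Account, n: int = 5) -> list:
        """Called once at MFA setup; plaintext codes go to the user, only hashes are kept."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        acct.recovery_code_hashes = {hash_code(c, acct.salt) for c in codes}
        return codes

    def request_reset(self, acct: Account, mailbox: Mailbox) -> None:
        """Mail a fresh reset token to the address on file."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = acct.email
        mailbox.messages.append("mfa-reset-token:" + token)

    def complete_reset(self, acct: Account, token: str, recovery_code=None) -> bool:
        """Disable MFA if the caller proves enough; returns True on success."""
        if self.pending.pop(token, None) != acct.email:  # unknown, reused or wrong-account token
            return False
        if self.require_recovery_code:
            if recovery_code is None:
                return False
            h = hash_code(recovery_code, acct.salt)
            used = next((s for s in acct.recovery_code_hashes if hmac.compare_digest(s, h)), None)
            if used is None:
                return False
            acct.recovery_code_hashes.discard(used)  # each code works exactly once
        acct.mfa_enabled = False
        return True


def attacker_with_mailbox_only(svc: RecoveryService, acct: Account, mailbox: Mailbox) -> bool:
    """Adversary from the abstract: controls the mailbox, holds no recovery code."""
    svc.request_reset(acct, mailbox)
    token = mailbox.messages[-1].split(":", 1)[1]
    return svc.complete_reset(acct, token)


def mfa_survives_mailbox_takeover(require_recovery_code: bool) -> bool:
    """True if MFA is still on after a mailbox-only attacker runs recovery."""
    svc = RecoveryService(require_recovery_code)
    acct = Account("alice@example.com")  # constructed sample account
    svc.issue_recovery_codes(acct)
    attacker_with_mailbox_only(svc, acct, Mailbox())
    return acct.mfa_enabled


def legitimate_user_recovers(require_recovery_code: bool) -> bool:
    """Owner lost the authenticator but kept the mailbox and the printed codes."""
    svc = RecoveryService(require_recovery_code)
    acct = Account("alice@example.com")
    codes = svc.issue_recovery_codes(acct)
    mailbox = Mailbox()
    svc.request_reset(acct, mailbox)
    token = mailbox.messages[-1].split(":", 1)[1]
    ok = svc.complete_reset(acct, token, recovery_code=codes[0])
    svc.request_reset(acct, mailbox)  # the same code must not be accepted twice
    token2 = mailbox.messages[-1].split(":", 1)[1]
    replay = svc.complete_reset(acct, token2, recovery_code=codes[0])
    return ok and not replay
```

Calling mfa_survives_mailbox_takeover(False) returns False, the email-only outcome the abstract describes, while mfa_survives_mailbox_takeover(True) returns True and legitimate_user_recovers(True) still returns True. The point a deployer should take from the model is that any recovery path whose only proof of ownership is reachable from the mailbox reduces MFA to email security; the second proof has to be something the mailbox does not contain.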

Keywords

    authentication, multi-factor authentication, usable security

Cite this

“We've Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. / Amft, Sabrina; Höltervennhoff, Sandra; Huaman, Nicolas et al.
CCS 2023 : Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023. p. 3138-3152.

Amft, S, Höltervennhoff, S, Huaman, N, Krause, A, Simko, L, Acar, Y & Fahl, S 2023, “We've Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. in CCS 2023 : Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. pp. 3138-3152, 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen, Denmark, 26 Nov 2023. https://doi.org/10.48550/arXiv.2306.09708, https://doi.org/10.1145/3576915.3623180
Amft, S., Höltervennhoff, S., Huaman, N., Krause, A., Simko, L., Acar, Y., & Fahl, S. (2023). “We've Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. In CCS 2023 : Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (pp. 3138-3152) https://doi.org/10.48550/arXiv.2306.09708, https://doi.org/10.1145/3576915.3623180
Amft S, Höltervennhoff S, Huaman N, Krause A, Simko L, Acar Y et al. “We've Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. In CCS 2023 : Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023. p. 3138-3152 doi: 10.48550/arXiv.2306.09708, 10.1145/3576915.3623180
Amft, Sabrina ; Höltervennhoff, Sandra ; Huaman, Nicolas et al. / “We've Disabled MFA for You” : An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. CCS 2023 : Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023. pp. 3138-3152
@inproceedings{8024a25b3fe1426dad164c00af237cb6,
title = "“We've Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments",
abstract = "Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.",
keywords = "authentication, multi-factor authentication, usable security",
author = "Sabrina Amft and Sandra H{\"o}ltervennhoff and Nicolas Huaman and Alexander Krause and Lucy Simko and Yasemin Acar and Sascha Fahl",
note = "Funding Information: We thank the included websites for allowing us to use their data and our insights into their processes for this work. Furthermore, we thank our reviewers for their valuable feedback. Finally, we thank Philip Klostermeyer and Juliane Schm{\"u}ser for proofreading our work. Funded by the and by the VolkswagenStiftung Nieders{\"a}chsisches Vorab - ZN3695 and by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA - 390781972. ; 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 ; Conference date: 26-11-2023 Through 30-11-2023",
year = "2023",
month = nov,
day = "21",
doi = "10.48550/arXiv.2306.09708",
language = "English",
pages = "3138--3152",
booktitle = "CCS 2023",
}


TY - GEN

T1 - “We've Disabled MFA for You”

T2 - 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023

AU - Amft, Sabrina

AU - Höltervennhoff, Sandra

AU - Huaman, Nicolas

AU - Krause, Alexander

AU - Simko, Lucy

AU - Acar, Yasemin

AU - Fahl, Sascha

N1 - Funding Information: We thank the included websites for allowing us to use their data and our insights into their processes for this work. Furthermore, we thank our reviewers for their valuable feedback. Finally, we thank Philip Klostermeyer and Juliane Schmüser for proofreading our work. Funded by the and by the VolkswagenStiftung Niedersächsisches Vorab - ZN3695 and by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA - 390781972.

PY - 2023/11/21

Y1 - 2023/11/21

N2 - Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.

AB - Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.

KW - authentication

KW - multi-factor authentication

KW - usable security

UR - http://www.scopus.com/inward/record.url?scp=85179852997&partnerID=8YFLogxK

U2 - 10.48550/arXiv.2306.09708

DO - 10.48550/arXiv.2306.09708

M3 - Conference contribution

AN - SCOPUS:85179852997

SP - 3138

EP - 3152

BT - CCS 2023

Y2 - 26 November 2023 through 30 November 2023

ER -