The Best and Worst of YubiKey Usability

Link to the paper: https://isrl.byu.edu/pubs/sp2018.pdf

Summary:

This paper covers the whole experience of 2FA authentication, specifically with the YubiKey, a USB-like piece of hardware that produces an access code when its main button is pressed. The novelty of this study is that it was the first major study in which 2FA was tested among users outside of the enterprise setting. The study had two different aspects: the first was the users' experience during the initial setup of 2FA, and the second was their experience using the YubiKey in their personal lives to log in to Windows 10, Google, and Facebook. The results of the study should not be taken as representative of the entire public, as most of the participants were of the younger generation. Still, the study found that the on-boarding process was a little too hard for the general user, and some users experienced usability issues over the course of the study.

Points to talk about:

  1. The study recommends standardizing the on-boarding process for 2FA in order to make it simpler. Which organizations and parties would need to create these standards?

  2. In the process of standardizing on-boarding for 2FA, would this open consumers up to more attacks if a vulnerability is found in the standard on-boarding process? Would this make the on-boarding process a higher-priority target for attackers?

  3. Why is there a split in current 2FA methods between businesses and consumers? Why do businesses use hardware tokens while consumers use SMS more?

  4. How does the YubiKey differ from other forms of 2FA? In similar tests, have the results been the same across 2FA methods?

  5. How might this study change if the test group were composed of users who already use 2FA? Would they like the YubiKey more, or is this effect isolated to first-time 2FA users?

What I liked:

  1. The fact that they had two studies, one for the actual setup of 2FA and the other for daily usability, gives a more complete picture of the field.

  2. I liked that they compared the login times of users with other secure logins, i.e. compared 2FA with single sign-on codes.

  3. The study went into depth about the very specific issues users ran into when trying to set up their keys on Windows and Facebook.

  4. Why does Google have such a high success rate for 2FA compared to other platforms? Possibly because enterprise companies already use some of their products?

  5. Interesting that consumers found the YubiKey better to use and preferred it over SMS after the setup process.


What I didn’t like:

  1. There's no indication of what percentage of the sites users visit offer 2FA as an option. Given that we aren't dealing with the enterprise level, I think it might be worthwhile to examine which consumer-facing sites offer 2FA.

  2. The study narrows 2FA to only Facebook, Google and Windows, which is not as broad as a normal consumer's usage.

  3. The users in this study didn't know anything about 2FA and were only given five minutes in the study to Google any questions they had. I don't think this is representative of real life.

  4. The study's participants skewed very young and very male, which isn't really representative of the demographics of most consumers.

  5. I'm not sure how the study measures SUS (System Usability Scale) accurately for the setup process if, as the study said, the majority of users could not make it through the first three steps. Did they narrow the data set to only the users who were able to set it up correctly?


New Ideas:

  1. The study neglects to answer the background question of what percentage of the general population is actually interested in 2FA. This is the first study to go outside the enterprise environment, and in the consumer space, consumer wants and usability have historically traded off against security.

  2. There's no indication of what percentage of the sites users visit offer 2FA as an option. Given that we aren't dealing with the enterprise level, I think it might be worthwhile to examine which consumer-facing sites offer 2FA.

  3. We could look into ways of replicating Google's success with setting up 2FA and how to migrate that to other platforms.

  4. Look into the psychology of security, i.e. I don't see a reason why SMS is less secure and more user-intensive than the YubiKey, but for some reason a good number of users in the study said they preferred using the physical key.

  5. How might we go about account sharing? Possibly two different keys that have the same privileges?