CISPA

A Mixed-Methods Study on User Experiences and Challenges of Recovery Codes for an End-to-End Encrypted Service.

conference contribution
posted on 2024-08-26, 10:50 authored by Sandra Höltervennhoff, Noah Wöhler, Arne Möhle, Marten Oltrogge, Yasemin Acar, Oliver Wiese, Sascha Fahl
Recovery codes are a popular backup mechanism for online services to aid users who lost their passwords or two-factor authentication tokens in regaining access to their accounts or encrypted data. Especially for end-to-end encrypted services, recovery codes are a critical feature, as the service itself cannot access the encrypted user data and help users regain access. The way end-users manage recovery codes is not well understood. Hence, we investigate end-user perceptions and management strategies of recovery codes. Therefore, we survey users of an end-to-end encrypted email service provider, deploying recovery codes for accounts and encrypted data recovery in case of authentication credential loss. We performed an online survey with 281 users. In a second study, we analyzed 197 support requests on Reddit. Most of our participants stored the service provider's recovery code. We could identify six strategies for saving it, with using a password manager being the most widespread. Participants were generally satisfied with the service provider's recovery code. However, while they appreciated its security, its usability was lacking. We found obstacles, such as losing access to the recovery code or non-functioning recovery codes and security misconceptions. These often resulted from users not understanding the underlying security implications, e.g., that the support cannot access or restore their unencrypted data.

Editor

Balzarotti D ; Xu W

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Usenix Security Symposium (USENIX-Security)

Journal

USENIX Security Symposium

Publisher

USENIX Association

BibTeX

@conference{Höltervennhoff:Wöhler:Möhle:Oltrogge:Acar:Wiese:Fahl:2024,
  title = "A Mixed-Methods Study on User Experiences and Challenges of Recovery Codes for an End-to-End Encrypted Service.",
  author = "Höltervennhoff, Sandra" AND "Wöhler, Noah" AND "Möhle, Arne" AND "Oltrogge, Marten" AND "Acar, Yasemin" AND "Wiese, Oliver" AND "Fahl, Sascha",
  editor = "Balzarotti, Davide" AND "Xu, Wenyuan",
  year = 2024,
  month = 1,
  journal = "USENIX Security Symposium",
  publisher = "USENIX Association"
}
