CISPA
Browse
cispa_all_4039.pdf (727.6 kB)

“We’ve Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Download (727.6 kB)
conference contribution
posted on 2024-03-05, 12:14 authored by Sabrina AmftSabrina Amft, Höltervennhoff, Sandra, Huaman, Nicolas, Alexander KrauseAlexander Krause, Simko, Lucy, Acar, Yasemin, Sascha FahlSascha Fahl
Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts’ associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.

History

Preferred Citation

Sabrina Amft, Sandra Höltervennhoff, Nicolas Huaman, Alexander Krause, Lucy Simko, Yasemin Acar, Sascha Fahl. “We’ve Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2024.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Legacy Posted Date

2024-01-23

Open Access Type

  • Repository

BibTeX

@inproceedings{cispa_all_4039, author = {Sabrina Amft AND Sandra Höltervennhoff AND Nicolas Huaman AND Alexander Krause AND Lucy Simko AND Yasemin Acar AND Sascha Fahl}, title = {“We’ve Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments}, booktitle = {Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security}, year = {2024} }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC