Title: On the Security and Usability of Password Managers and Two-Factor Authentication
Passwords are widely used by Internet services to authenticate their users. Unfortunately, passwords suffer from several well-documented security and usability issues. Two of the main techniques to address password problems are: (i) password managers, tools that give a user the option of generating a strong, complex password for each Internet service that is stored and automatically retrieved during login, and (ii) two-factor authentication, a second layer of authentication that requires the use of two authentication factors for login (e.g., a password and a one-time PIN code generated on the second-factor device, typically a phone). Security experts regularly advise day-to-day users to deploy these techniques to improve the security of password-based authentication. A higher-level goal of this survey is to investigate whether password managers and two-factor authentication schemes can indeed help improve security without substantially lowering usability.
The contribution of this survey paper is four-fold. First, we identify the prominent password managers and two-factor authentication schemes from the academic and industry domains. Second, we provide an exposition of the security, privacy, and usability of password managers and two-factor authentication systems. In particular, we argue that the low-effort two-factor authentication schemes do improve the usability of the two-factor login process, but they also introduce fundamental and hidden design vulnerabilities into these schemes. Third, we evaluate these schemes in terms of security, usability, and privacy, analyze current and emerging research trends, and provide directions for future research. For our evaluation, we extend the Bonneau et al. (IEEE S&P 2012) framework (a standard analytical evaluation framework mainly designed to assess the security and usability of authentication schemes in general) to the specifics and unique challenges associated with password managers and two-factor authentication. Fourth, we evaluate the security and usability of a system that combines a password manager with two-factor authentication, based on the aforementioned evaluation framework. While the focus of this survey is applied in nature, it builds on and spans the foundational elements underlying the usability, security, and privacy of password managers and two-factor authentication, machine learning, human-computer interaction, and cryptographic protocols.
Wednesday, December 4, 2019 at 11:15am to 12:05pm
University Hall, 4002
1402 10th Ave S, Birmingham, Alabama 35294