
Taxonomy and User Evaluation of Authentication Recovery Methods: Bridging Theory and Perception

Supervisor(s): Lukas Gehrke
Status: finished
Topic: Others
Author: Raphael Dabbert
Submission: 2024-11-18
Type of Thesis: Bachelor thesis

Description

Broken access control in authentication schemes is widely regarded as a cyber security
issue [1]. Over the past years, organizations and individuals have introduced numerous
new concepts and measures to enhance account security, including the widespread adoption
of two-factor authentication. However, users often overlook one critical aspect of
authentication: the account recovery process. For this reason, we extend and refine the
taxonomy of Bonneau [2], with a focus on recovery, and conducted a study of how end-users
perceive the recovery process.
We conducted an online survey with 163 participants, with questions focusing on
authentication method knowledge, perceived security, and usability, as well as specific
questions about their experience and ideas about the authentication recovery process.
Participants attributed the highest perceived usability to the fingerprint
(mean = 5.43, SD = 0.97) and the face scan (mean = 5.45, SD = 0.89), rated on a scale
of one to six, with six being the most usable. Conversely, the lowest perceived usability is
associated with a one-time password (OTP) delivered via letter (mean = 2.8, SD = 1.31).
On the other hand, the highest perceived security was attributed to a hardware key
(mean = 5.46, SD = 0.66).
Our study found that 82% of users recovered at least one of their accounts in the last year,
and 66% did so more than once, showing the importance of the authentication recovery path.
The most popular methods used to recover accounts rely on a second channel, either
email or SMS: OTP via email (n = 92), reset link via email (n = 66), and OTP
via SMS (n = 57).
The most requested recovery method among participants is OTP via email (mean = 4.67),
closely followed by OTP via SMS (mean = 4.63). Conversely, the least wanted method
was OTP via letter.
A majority of 71% of users express a preference for receiving notifications about
account recovery. In particular, among all participants, 56% prefer to be notified once
per year, while 7% are open to receiving notifications up to four times per year.
Users primarily choose recovery methods based on perceived usability and security,
with usability being the strongest predictor (β = 0.52, p < 0.001), followed by security
(β = 0.24, p < 0.01).
A comparison of the taxonomy with our survey data in terms of usability and
security revealed notable differences. Both values were normalized for analysis. For
usability, the absolute difference showed a mean of 0.1 (SD = 0.08), while for perceived
security, the absolute difference was slightly higher, with a mean of 0.15 (SD = 0.09).
These results highlight the variances between the theoretical taxonomy and users'
perceptions in practice.
Overall, this research offers a taxonomy that can be used to evaluate the security and
usability of authentication and recovery methods, providing an elaborated framework
for service providers to evaluate and deploy them. The survey offers insights into how
users deal with and want to use recovery procedures.