Taxonomy and User Evaluation of Authentication Recovery Methods: Bridging Theory and Perception
Supervisor(s): Lukas Gehrke
Status: finished
Topic: Others
Author: Raphael Dabbert
Submission: 2024-11-18
Type of Thesis: Bachelor thesis
Description:
Broken access control in authentication schemes is widely regarded as a cyber security issue [1]. Over the past years, organizations and individuals have introduced numerous new concepts and measures to enhance account security, including the widespread adoption of two-factor authentication. However, one critical aspect of authentication is often overlooked: the account recovery process. For this reason, we extend and refine the taxonomy of Bonneau [2] with a focus on recovery, and conducted a study of how end-users perceive the recovery process. We conducted an online survey with 163 participants, with questions on authentication method knowledge, perceived security, and usability, as well as specific questions about their experience with and ideas about the authentication recovery process. On a scale of one to six, participants rated the fingerprint (mean = 5.43, SD = 0.97) and the face scan (mean = 5.45, SD = 0.89) as the most usable methods. Conversely, the lowest perceived usability is associated with a one-time password (OTP) delivered via letter (mean = 2.8, SD = 1.31). The highest perceived security was attributed to a hardware key (mean = 5.46, SD = 0.66). Our study found that 82% of users recovered at least one of their accounts in the last year and 66% did so more than once, showing the importance of the authentication recovery path. The most popular recovery methods use a second channel, either email or SMS: OTP via email (n = 92), reset link via email (n = 66), and OTP via SMS (n = 57). The most requested recovery method is OTP via email (mean = 4.67), closely followed by OTP via SMS (mean = 4.63); conversely, the least wanted method was OTP via letter. A majority of 71% of users express a preference for receiving notifications about account recovery.
In particular, among all participants, 56% prefer to be notified once per year, while 7% are open to receiving notifications up to four times per year. Users primarily choose recovery methods based on perceived usability and security, with usability being the strongest predictor (β = 0.52, p < 0.001), followed by security (β = 0.24, p < 0.01). A comparison of the taxonomy with our survey data in terms of usability and security revealed notable differences. Both values were normalized for analysis. For usability, the absolute difference had a mean of 0.1 (SD = 0.08), while for perceived security the absolute difference was slightly higher, with a mean of 0.15 (SD = 0.09). These results highlight the gap between the theoretical taxonomy and users' perceptions in practice. Overall, this research offers a taxonomy that can be used to evaluate the security and usability of authentication and recovery methods, providing an elaborated framework for service providers to evaluate and deploy them. The survey offers insights into how users deal with and want to use recovery procedures.