skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


This content will become publicly available on June 24, 2026

Title: Quantifying opportunity costs of enhanced security in multifactor authentication
Multifactor authentication (MFA) is one of the most important security controls, topping most lists of cyber hygiene activities advocated by experts. While the security benefits may be substantial, less attention has been paid to the impact on users by the added friction introduced by the more stringent precautions. In this paper, we construct and analyze a dataset of authentication logs from a University population spanning two years. We focus on opportunity costs experienced by users: (1) log-in failures and (2) the time spent away from IT applications following a failed authentication before attempting to re-authenticate. The second measure captures how user frustration can manifest by avoiding or delaying future engagement after experiencing failures. Following an exogenous change in MFA policy from a deny/approve mobile notification to a more cumbersome two-digit code mobile notification confirmation, we show that there are significant increases in the number of log-in failures and in time spent away following failures when using mobile MFA. We also briefly examine which types of users had the greatest difficulty adjusting to the more secure mobile MFA procedure.  more » « less
Award ID(s):
2147505
PAR ID:
10582691
Author(s) / Creator(s):
; ; ;
Publisher / Repository:
24th Workshop on the Economics of Information Security
Date Published:
Format(s):
Medium: X
Location:
Tokyo, Japan
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; (, CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy)
    As account compromises and malicious online attacks are on the rise, multi-factor authentication (MFA) has been adopted to defend against these attacks. OTP and mobile push notification are just two examples of the popularly adopted MFA factors. Although MFA improve security, they also add additional steps or hardware to the authentication process, thus increasing the authentication time and introducing friction. On the other hand, keystroke dynamics-based authentication is believed to be a promising MFA for increasing security while reducing friction. While there have been several studies on the usability of other MFA factors, the usability of keystroke dynamics has not been studied. To this end, we have built a web authentication system with the standard features of signup, login and account recovery, and integrated keystroke dynamics as an additional factor. We then conducted a user study on the system where 20 participants completed tasks related to signup, login and account recovery. We have also evaluated a new approach for completing the user enrollment process, which reduces friction by naturally employing other alternative MFA factors (OTP in our study) when keystroke dynamics is not ready for use. Our study shows that while maintaining strong security (0% FPR), adding keystroke dynamics reduces authentication friction by avoiding 66.3% of OTP at login and 85.8% of OTP at account recovery, which in turn reduces the authentication time by 63.3% and 78.9% for login and account recovery respectively. Through an exit survey, all participants have rated the integration of keystroke dynamics with OTP to be more preferable to the conventional OTP-only authentication. 
    more » « less
  2. ; ; ; (, CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy)
    The ubiquity of mobile devices nowadays necessitates securing the apps and user information stored therein. However, existing one-time entry-point authentication mechanisms and enhanced security mechanisms such as Multi-Factor Authentication (MFA) are prone to a wide vector of attacks. Furthermore, MFA also introduces friction to the user experience. Therefore, what is needed is continuous authentication that once passing the entry-point authentication, will protect the mobile devices on a continuous basis by confirming the legitimate owner of the device and locking out detected impostor activities. Hence, more research is needed on the dynamic methods of mobile security such as behavioral biometrics-based continuous authentication, which is cost-effective and passive as the data utilized to authenticate users are logged from the phone's sensors. However, currently, there are not many mobile authentication datasets to perform benchmarking research. In this work, we share two novel mobile datasets (Clarkson University (CU) Mobile datasets I and II) consisting of multi-modality behavioral biometrics data from 49 and 39 users respectively (88 users in total). Each of our datasets consists of modalities such as swipes, keystrokes, acceleration, gyroscope, and pattern-tracing strokes. These modalities are collected when users are filling out a registration form in sitting both as genuine and impostor users. To exhibit the usefulness of the datasets, we have performed initial experiments on selected individual modalities from the datasets as well as the fusion of simultaneously available modalities. 
    more » « less
  3. (, Who Are You?! Adventures in Authentication Workshop)
    Password-based mobile user authentication is vulnerable to a variety of security threats. Shoulder-surfing is the key to those security threats. Despite a large body of research on password security with mobile devices, existing studies have focused on shaping the security behavior of mobile users by enhancing the strengths of user passwords or by establishing secure password composition policies. There is little understanding of how an attacker actually goes about observing the password of a target user. This study empirically examines attackers’ behaviors in observing passwordbased mobile user authentication sessions across the three observation attempts. It collects data through a longitudinal user study and analyzes the data collected through a system log. The results reveal several behavioral patterns of attackers. The findings suggest that attackers are strategic in deploying attacks of shoulder-surfing. The findings have implications for enhancing users’ password security and refining organizations’ password composition policies. 
    more » « less
  4. (, Proceedings of 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2023))
    Witnessing the blooming adoption of push notifications on mobile devices, this new message delivery paradigm has become pervasive in diverse applications. Accompanying with its broad adoption, the potential security risks and privacy exposure issues raise public concerns regarding its great social impacts. This paper conducts the first attempt to exploit the mobile notification ecosystem. By dissecting its structural elements and implementation process, a comprehensive vulnerability analysis is conducted towards the complete flow of mobile notification from platform enrollment to messaging. Meanwhile, for privacy exposure, we first examine the implementation of privacy policy compliance by proposing a three-level inspection approach to guide our analysis. Then, our top-down methods from documentation analysis, application network traffic study, to static analysis expose the illicit data collection behaviors in released applications. In addition, we uncover the potential privacy inference resulted from the notification monitoring. To support our analysis, we conduct empirical studies on 12 most popular notification platforms and perform static analysis over 30,000+ applications. We discover: 1) six platforms either provide ambiguous KEY naming rules or offer vulnerable messaging APIs; 2) privacy policy compliance implementations are either stagnated at the documentation stages (8 of 12 platforms) or never implemented in apps, resulting in billions of users suffering from privacy exposure; and 3) some apps can stealthily monitor notification messages delivering to other apps, potentially incurring user privacy inference risks. Our study raises the urgent demand for better regulations of mobile notification deployment. 
    more » « less
  5. ; ; ; (, IEEE International Conference on Intelligence and Security Informatics (ISI))
    Password-based mobile user authentication is vulnerable to shoulder-surfing. Despite the increasing research on user password entry behavior and mobile security, there is limited understanding of how an adversary identifies a password through shoulder-surfing during mobile authentication. This study empirically examines the behaviors and strategies of password identification through shoulder-surfing with multiple observation attempts and from different observation distances. The results of analyzing data collected from a user study reveal the strategies and dynamics of password identification behaviors. The findings have implications for enhancing users’ password security and improving the design of mobile authentication methods. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email