Passwords are the dominant form of authentication on the web today. However,many users choose weak passwords and reuse the same password on multiple sites, thus increasing their vulnerability to having their credentials leaked or stolen. Two-factor authentication strengthens existing password authentication schemes against impersonation attacks and makes it more difficult for attackers to reuse stolen credentials on other websites. Despite the added security benefits of two-factor authentication, there are still many open questions about its usability. Many two-factor authentication systems in widespread usage today have not yet been subjected to adequate usability testing. Previous comparative studies have demonstrated significant differences in usability between various single-factor authentication systems.The main contributions of this work are as follows. First, we developed a novel user behavior model that describes four phases of interaction between a user and an authentication system. This model is designed to inform the design of future usability studies and will enable researchers and those implementing authentication systems to have a more nuanced understanding of authentication system usability. Second, we conducted a comparative usability study of some of the most common two-factor authentication systems. In contrast to previous authentication usability studies, we had participants use the system for a period of two weeks and collected both timing data and SUS metrics on the systems under test. From these studies, we make several conclusions about the state of usability and acceptance of two-factor authentication, finding that many users want more security for their sensitive online accounts and are open to using multiple forms of two-factor authentication. We also suggest that security researchers draw upon risk communication theory to better help users make informed security decisions.



College and Department

Physical and Mathematical Sciences; Computer Science



Date Submitted


Document Type





two-factor authentication, usable security, two step verification