Two-factor authentication (2FA) is a strong defense against account compromise. However, usability studies reveal challenges with 2FA setup. The process to manually set up and remove 2FA methods differs across websites. We present a system design for a 2FA manager to automatically set up and remove 2FA methods. Potential benefits are reduced time, fewer mistakes, consistent terminology, a single workflow for users to learn, and the ability to rapidly transition to a new 2FA method—e.g., when replacing a lost 2FA method. We create two proof-of-concept implementations of our design, one as a browser extension and one integrated as a feature in an existing password manager. We evaluated the browser extension implementation approach using a between-subjects user study (N=60). Our results show fewer mistakes and reduced time compared to manually adding and removing 2FA methods. Qualitative results show that users found the automated process easy to use and were enthusiastic about the 2FA manager's ability to help them rapidly replace 2FA methods if they lost their 2FA device.
College and Department
Physical and Mathematical Sciences; Computer Science
BYU ScholarsArchive Citation
Smith, Garrett D., "“If I could do this, I feel anyone could:” The Design and Evaluation of a Two-Factor Authentication Manager" (2022). Theses and Dissertations. 9502.
Keywords
Usable Security, Two-Factor Authentication, automation, user study