User perceptions of security and usability of mobile-based single password authentication and two-factor authentication

Abstract

Two-factor authentication provides a significant improvement over the security of traditional password-based authentication by requiring users to provide an additional authentication factor, e.g., a code generated by a security token. In this decade, single password authentication (SPA) schemes are introduced to overcome the challenges of traditional password authentication, which is vulnerable to the offline dictionary, phishing, honeypot, and man-in-the-middle attacks. Unlike classical password-based authentication systems, in SPA schemes the user is required to remember only a single password (and a username) for all her accounts, while the password is protected against the aforementioned attacks in a provably secure manner. In this paper, for the first time, we implement the state-of-the-art mobile-based SPA system of Acar et al. (2013) as a prototype and assess its usability in a lab environment where we compare it against two-factor authentication (where, in both cases, in addition to the password, the user needs access to her mobile device). Our study shows that mobile-based SPA is as easy as, but less intimidating and more secure than two-factor authentication, making it a better alternative for online banking type deployments. Based on our study, we conclude with deployment recommendations and further usability study suggestions.