DOI: 10.1145/2751323.2751327
Research article, EuroSec '15 (ACM conference proceedings)

Two-factor authentication: is the world ready?: quantifying 2FA adoption

Published: 21 April 2015

Abstract

As text-based passwords continue to be the dominant form of user identification today, services try to protect their customers by offering enhanced, more secure authentication technologies. One of the most promising is two-factor authentication (2FA). 2FA raises the bar for the attacker significantly; however, it is still questionable whether the technology can realistically be adopted by the majority of Internet users. In this paper, we attempt a first study quantifying the adoption of 2FA at probably the largest existing provider, namely Google. To achieve this, we leverage the password-reminder process in a novel way to discover whether 2FA is enabled for a particular account, without annoying or affecting the account's owner. Our technique has many challenges to overcome, since it requires issuing many thousands of password reminders. In order to remain below the radar, and therefore avoid solving CAPTCHAs or having our hosts blocked, we leverage distributed systems such as Tor and PlanetLab. After examining over 100,000 Google accounts, we conclude that 2FA has not yet been adopted by more than 6.4% of users. Last but not least, as a side effect of our technique, we are also able to exfiltrate private information that could potentially be used for malicious purposes. Thus, in this paper we additionally present important findings that raise concerns about privacy risks in the design of password reminders.


Published In

EuroSec '15: Proceedings of the Eighth European Workshop on System Security
April 2015, 51 pages
ISBN: 9781450334792
DOI: 10.1145/2751323

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. adoption
2. authentication
3. password reminder
4. privacy leak
5. two-factor

Conference

EuroSys '15: Tenth EuroSys Conference 2015 (sponsor)
April 21, 2015, Bordeaux, France

Acceptance Rates

Overall acceptance rate: 47 of 113 submissions, 42%

Cited By

• (2024) Designing a Secure and Lightweight Ecosystem for Internet of Medical Things (IoMT) in Healthcare. In: Lightweight Digital Trust Architectures in the Internet of Medical Things (IoMT), pp. 84-105. DOI 10.4018/979-8-3693-2109-6.ch006. Published 31 May 2024.
• (2024) Secure Internet Financial Transactions: A Framework Integrating Multi-Factor Authentication and Machine Learning. AI 5(1), pp. 177-194. DOI 10.3390/ai5010010. Published 10 Jan 2024.
• (2024) Haptic2FA: Haptics-Based Accessible Two-Factor Authentication for Blind and Low Vision People. Proceedings of the ACM on Human-Computer Interaction 8(MHCI), pp. 1-20. DOI 10.1145/3676509. Published 24 Sep 2024.
• (2024) A Comparative Long-Term Study of Fallback Authentication Schemes. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, pp. 1-19. DOI 10.1145/3613904.3642889. Published 11 May 2024.
• (2024) Two-Factor Authentication for Keyless Entry System via Finger-Induced Vibrations. IEEE Transactions on Mobile Computing 23(10), pp. 9708-9720. DOI 10.1109/TMC.2024.3368331. Published Oct 2024.
• (2024) Transparent Multifactor Authentication Algorithm Based on Geolocation. IEEE Access 12, pp. 84691-84705. DOI 10.1109/ACCESS.2024.3412691. Published 2024.
• (2024) Knocking on Admin's Door: Protecting Critical Web Applications with Deception. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 283-306. DOI 10.1007/978-3-031-64171-8_15. Published 9 Jul 2024.
• (2023) A study of multi-factor and risk-based authentication availability. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 2043-2060. DOI 10.5555/3620237.3620352. Published 9 Aug 2023.
• (2023) Cyberbullying in the Metaverse. Journal of Global Information Management 31(1), pp. 1-25. DOI 10.4018/JGIM.325793. Published 10 Jul 2023.
• (2023) VibPath. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 7(3), pp. 1-26. DOI 10.1145/3610894. Published 27 Sep 2023.
