On Sept 16th, Zitao Zhang presented research entitled “Building An Authentication Infrastructure — Designing a Two Factor Authentication Hardware Token with Form Factor that Encourages Engagement” at this year’s TPRC 2022 conference. Co-Authors of this research included Prof. L. Jean Camp and Dr. Jacob Abbott from Indiana University’s Luddy School of Informatics, Computing, and Engineering and Assistant Professor Sanchari Das from the Ritchie School of Engineering and Computer Science, University of Denver.
This research project aimed at understanding what the determining factors and barriers are for why people adopt, or not, the use of hardware security tokens. In this study, 200 free Yubikey security tokens were distributed to students and followed with a survey at the beginning and end of a semester to collect feedback on their attitudes and if they continued to use the security tokens. Very few (n=14) of the students who received security tokens responded to the end of semester survey, but the majority reported having discontinued use of the security token in favor of authenticating through push notification mechanism on their mobile phone.
Additionally, the research prototyped an alternative form-factor implementing a custom designed card-like Yubikey interface. The prototype addressed findings on usability issues from existing studies and then was subjected to a Wizard-of-Oz usability workshop where participants were asked to use the prototype and it appeared to be fully functional. The prototype was formed similar to that of a credit card with a USB-A and USB-C connection that could be slid to either side to act as the security token during the study. Participants brought up additional form factor issues such as fear of breaking the token or losing the card, and did not understand a benefit when compared to authenticating on their mobile phone.
Research results revealed that design alone cannot make people adopt or consistently use the hardware security token. A mix method of design and public education campaigns will be needed to strengthen security infrastructure. Additionally, the results indicate the need for future research targeted towards specific populations such as older adults, users with low socioeconomic status, or those with jobs in a security setting for future inquiry.
The presentation of the work can be seen from the TPRC presentation recording starting at the 31:45 marker.