"`They brought in the horrible key ring thing!" Analysing the Usability of Two-Factor Authentication in UK Online Banking
Kat Krol, Eleni Philippou, Emiliano De Cristofaro, M. Angela Sasse

TL;DR
This study investigates the usability and user acceptance of two-factor authentication in UK online banking, highlighting challenges with hardware tokens and suggesting improvements for user experience.
Contribution
It provides an in-depth qualitative and quantitative analysis of 2FA usability in real-world banking, focusing on user perceptions and practical issues.
Findings
Hardware tokens cause significant usability issues.
Reducing authentication steps can improve user experience.
Features that do not enhance security may negatively impact usability.
Abstract
To prevent password breaches and guessing attacks, banks increasingly turn to two-factor authentication (2FA), requiring users to present at least one more factor, such as a one-time password generated by a hardware token or received via SMS, besides a password. We can expect some solutions -- especially those adding a token -- to create extra work for users, but little research has investigated usability, user acceptance, and perceived security of deployed 2FA. This paper presents an in-depth study of 2FA usability with 21 UK online banking customers, 16 of whom had accounts with more than one bank. We collected a rich set of qualitative and quantitative data through two rounds of semi-structured interviews, and an authentication diary over an average of 11 days. Our participants reported a wide range of usability issues, especially with the use of hardware tokens, showing that the…
