Lost and not Found: An Investigation of Recovery Methods for Multi-Factor Authentication

Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. To the best of our knowledge, we are the first to first-hand investigate the security and user experience of deployed Multi-Factor Authentication recovery procedures. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated

“We’ve Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts’ associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery

Humans and Vulnerability During Times of Change: Computer Security Needs, Practices, Challenges, and Opportunities

Thesis (Ph.D.)--University of Washington, 2022This dissertation explores the relationship between *change* and vulnerability to security and privacy harms. I suggest that change causes vulnerability in part due to the nature of change, and in part due to the design of technical and sociopolitical systems. I suggest that this connection between change and vulnerability exists for three reasons. First, when someone experiences change, new or different threats, risks, assets, technologies, and actors arise; if they do not update their personal threat model, it may be incomplete or inaccurate, making them unable to respond to emergent threats. Second, even if they are aware of all threats, they may be unable to prioritize security and privacy, as other needs may be more important. Third, the design of technology and user education is often misaligned with the needs and threat models of those going through change, causing vulnerable populations to become more vulnerable and exacerbating existing systemic inequities. I explore these three themes through four populations experiencing immense change differing in scope, cause, and time frame: (a) refugees who have moved to the United States; (b) activists in Sudan during the 2018-2019 revolution; (c) people considering using contact tracing apps during the first months of the Covid-19 pandemic; and (d) people who experience hurricanes. This dissertation makes contributions at two levels. First, each individual research chapter contributes an understanding of the security and privacy needs, experiences, and challenges of vulnerable populations. In each chapter, I make design, policy, and research recommendations to work towards more equitable technology. Second, taken together, the entirety of this dissertation contributes a deep understanding of the relationship between *change* and *vulnerability* to computer security and privacy harms. While the nature of change itself *does* engender vulnerability, in many ways the vulnerability is constructed---by sociopolitical and historical injustices or by technical design, or both

A Privacy-Focused Systematic Analysis of Online Status Indicators

Online status indicators (or OSIs, i.e., interface elements that communicate whether a user is online) can leak potentially sensitive information about users. In this work, we analyze 184 mobile applications to systematically characterize the existing design space of OSIs. We identified 40 apps with OSIs across a variety of genres and conducted a design review of the OSIs in each, examining both Android and iOS versions of these apps. We found that OSI design decisions clustered into four major categories, namely: appearance, audience, settings, and fidelity to actual user behavior. Less than half of these apps allow users change the default settings for OSIs. Informed by our findings, we discuss: 1) how these design choices support adversarial behavior, 2) design guidelines for creating consistent, privacy-conscious OSIs, and 3) a set of novel design concepts for building future tools to augment users’ ability to control and understand the presence information they broadcast. By connecting the common design patterns we document to prior work on privacy in social technologies, we contribute an empirical understanding of the systematic ways in which OSIs can make users more or less vulnerable to unwanted information disclosure