Account Recovery Methods for Two-Factor Authentication (2FA): An Exploratory Study

System administrators have started to adopt two-factor authentication (2FA) to increase user account resistance to cyber-attacks. Systems with 2FA require users to verify their identity using a password and a second-factor authentication device to gain account access. This research found that 60% of users only enroll one second-factor device to their account. If a user’s second factor becomes unavailable, systems are using different procedures to ensure its authorized owner recovers the account. Account recovery is essentially a bypass of the system’s main security protocols and needs to be handled as an alternative authentication process (Loveless, 2018). The current research aimed to evaluate users’ perceived security for four 2FA account recovery methods. Using Renaud’s (2007) opportunistic equation, the present study determined that a fallback phone number recovery method provides user accounts with the most cyber-attack resistance followed by system-generated recovery codes, a color grid pattern, and graphical passcode. This study surveyed 103 participants about authentication knowledge, general risk perception aptitude, ability to correctly rank the recovery methods in terms of their attackr esistance, and recovery method perceptions. Other survey inquires related to previous 2FA, account recovery, and cybersecurity training experiences. Participants generally performed poorly when asked to rank the recovery methods by security strength. Results suggested that neither risk numeracy, authentication knowledge, nor cybersecurity familiarity impacted users’ ability to rank recovery methods by security strength. However, the majority of participants ranked either generated recovery codes, 39%, or a fallback phone number, 25%, as being most secure. The majority of participants, 45%, preferred the fallback phone number for account recovery, 38% expect it will be the easiest to use, and 46% expect it to be the most memorable. However, user’s annotative descriptions for recovery method preferences revealed that users are likely to disregard the setup instructions and use their phone number instead of an emergency contact number. Overall, this exploratory study offers information that researchers and designers can deploy to improve user’s 2FA- and 2FA account recovery- experiences

A Bayesian reanalysis of the Standard versus Accelerated Initiation of Renal-Replacement Therapy in Acute Kidney Injury (STARRT-AKI) trial

Background Timing of initiation of kidney-replacement therapy (KRT) in critically ill patients remains controversial. The Standard versus Accelerated Initiation of Renal-Replacement Therapy in Acute Kidney Injury (STARRT-AKI) trial compared two strategies of KRT initiation (accelerated versus standard) in critically ill patients with acute kidney injury and found neutral results for 90-day all-cause mortality. Probabilistic exploration of the trial endpoints may enable greater understanding of the trial findings. We aimed to perform a reanalysis using a Bayesian framework. Methods We performed a secondary analysis of all 2927 patients randomized in multi-national STARRT-AKI trial, performed at 168 centers in 15 countries. The primary endpoint, 90-day all-cause mortality, was evaluated using hierarchical Bayesian logistic regression. A spectrum of priors includes optimistic, neutral, and pessimistic priors, along with priors informed from earlier clinical trials. Secondary endpoints (KRT-free days and hospital-free days) were assessed using zero–one inflated beta regression. Results The posterior probability of benefit comparing an accelerated versus a standard KRT initiation strategy for the primary endpoint suggested no important difference, regardless of the prior used (absolute difference of 0.13% [95% credible interval [CrI] − 3.30%; 3.40%], − 0.39% [95% CrI − 3.46%; 3.00%], and 0.64% [95% CrI − 2.53%; 3.88%] for neutral, optimistic, and pessimistic priors, respectively). There was a very low probability that the effect size was equal or larger than a consensus-defined minimal clinically important difference. Patients allocated to the accelerated strategy had a lower number of KRT-free days (median absolute difference of − 3.55 days [95% CrI − 6.38; − 0.48]), with a probability that the accelerated strategy was associated with more KRT-free days of 0.008. Hospital-free days were similar between strategies, with the accelerated strategy having a median absolute difference of 0.48 more hospital-free days (95% CrI − 1.87; 2.72) compared with the standard strategy and the probability that the accelerated strategy had more hospital-free days was 0.66. Conclusions In a Bayesian reanalysis of the STARRT-AKI trial, we found very low probability that an accelerated strategy has clinically important benefits compared with the standard strategy. Patients receiving the accelerated strategy probably have fewer days alive and KRT-free. These findings do not support the adoption of an accelerated strategy of KRT initiation