Multi-Factor Authentication is intended to strengthen the security of
password-based authentication by adding another factor, such as hardware tokens
or one-time passwords using mobile apps. However, this increased authentication
security comes with potential drawbacks that can lead to account and asset
loss. If users lose access to their additional authentication factors for any
reason, they will be locked out of their accounts. Consequently, services that
provide Multi-Factor Authentication should deploy procedures that allow their
users to recover from losing access to their additional factor and that are both
secure and easy to use. To the best of our knowledge, we are the first to
investigate first-hand the security and user experience of deployed
Multi-Factor Authentication recovery procedures. We first evaluate the official
help and support pages of 1,303 websites that provide Multi-Factor
Authentication and collect documented information about their recovery
procedures. Second, we select a subset of 71 websites, create accounts, set up
Multi-Factor Authentication, and perform an in-depth investigation of their
recovery procedure security and user experience. We find that many websites
deploy insecure Multi-Factor Authentication recovery procedures that allowed us
to circumvent and disable Multi-Factor Authentication once we had access to the
accounts' associated email addresses. Furthermore, we commonly observed
discrepancies between our in-depth analysis and the official help and support
pages, implying that information meant to aid users is often either incorrect
or outdated.