Two-factor authentication (2F) aims to enhance resilience of password-based
authentication by requiring users to provide an additional authentication
factor, e.g., a code generated by a security token. However, it also introduces
non-negligible costs for service providers and requires users to carry out
additional actions during the authentication process. In this paper, we present
an exploratory comparative study of the usability of 2F technologies. First, we
conduct a pre-study interview to identify popular technologies as well as
contexts and motivations in which they are used. We then present the results of
a quantitative study based on a survey completed by 219 Mechanical Turk users,
aiming to measure the usability of three popular 2F solutions: codes generated
by security tokens, one-time PINs received via email or SMS, and dedicated
smartphone apps (e.g., Google Authenticator). We record contexts and
motivations, and study their impact on perceived usability. We find that 2F
technologies are overall perceived as usable, regardless of motivation and/or
context of use. We also present an exploratory factor analysis, highlighting
that three metrics -- ease-of-use, required cognitive efforts, and
trustworthiness -- are enough to capture key factors affecting 2F usability.Comment: A preliminary version of this paper appears in USEC 201