Security Mandates are Pervasive: An Inter-School Study on Analyzing User Authentication Behavior

2019 
Two-factor authentication (2FA) technologies are designed to increase the security and usability of authentication. Adoption of 2FA hardware devices that generate one-time passwords has proven to be effective as a risk mitigating strategy. Despite 2FA addressing user data security concerns, individuals appear either disinterested or unable to adopt 2FA tools. Many institutions are now mandating 2FA to better secure their network and user data. Some have more rigid requirements than others (e.g., offering only one 2FA method vs. offering multiple 2FA options). To better understand the impact of mandatory 2FA policies, we conducted a study of the usability, adoption, and acceptability of 2FA at three different universities. In our study, using the Yubico FIDO U2F security token, we found that mandating the use of 2FA without complementary risk communication is often inadequate. In our interviews, we found that mandatory 2FA did not necessarily increase security, instead leading to less secure user behavior, such as sharing 2FA tokens, storing credentials for a longer time in public devices, and other security avoidance behaviors.