LAS VEGAS—Two-factor authentication is an amazing enhancement to account security. If you protect your online accounts with two-factor, a hacker who guesses or steals your password still can't get in, because only you have the second factor.

But if this technology is so great, why aren't people using it? Prof. Jean Camp and Ph.D. student Sanchari Das, both at Indiana University, decided to find out.

To be clear, their study, presented here at Black Hat, applies to individuals protecting their own accounts, not to corporations like Google, which enforces two-factor authentication and has greatly enhanced its security as a result.

"There are three main choices for two-factor authentication—codes sent via SMS, apps that provide one-time passwords [OTP], and hardware tokens," said Dr. Camp. "The SMS and OTP options interrupt logins, [so] we decided on a physical token, and the Yubikey, with its strong crypto, is the best in its class. We started the study thinking we wouldn't find any stop points where the users simply got stuck."

"What is usability? Several things," said Das. "The security solution should be secure, scalable, threat resistant, loss resistant, and memoryless. It should give clear feedback and error messages. The Yubikey is physically tough and you never have to charge it, but it does lack feedback and error messages."

To distinguish between usability research and shared opinions, Dr. Camp developed a standard series of steps for such studies, culminating in focus groups. She noted that the designers must not run the focus groups, lest subjects hold back negative thoughts for fear of being seen as mean to the nice grad students.

Testing Two-Factor Acceptance

The researchers set up a simple exercise, taking consumers with no two-factor experience and observing them as they tried to set it up on a website designed to make the process as simple as possible. They tested using both Yubico's instructions and Google's instructions. The results were surprising.

A large number of participants never managed to register the key. They worked through a demo showing how to register and figured they had finished. And these were users identified as security enthusiasts and expert users. Others fell by the wayside at different points in the process. Participants got to keep the tokens, but a follow-up survey a month later showed none of them actually using the token. Many simply discarded them or gave them away.

Dr. Camp also reported a lot of confusion around the device. Some participants, for example, assumed that because you touch the key to activate it, it must be a biometric device.

Phase Two

The researchers went to Google and Yubico with recommendations to improve the process, such as boiling the "wall of text" down to simple instructions and making sure users don't confuse the demo with actual registration.

Even after the providers implemented some of these suggestions, a few remained for later. Neither company supplies a confirmation that the registration was successful. And neither does a good job of conveying the benefits of using the device, and the risks of omitting it.
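The two recommendations that remained open, a registration step users cannot mistake for the demo and an explicit confirmation that the key actually works, can be modelled as a small state machine. The following is an added illustration, not code from the researchers, Yubico or Google: the SimulatedKey class is a constructed stand-in that answers a server challenge with an HMAC over a shared secret (a simplification of a real token), and the step names, messages and function names are the example's own.

```python
# Added illustration of a hardware-token enrollment flow that follows the
# study's recommendations: the demo is clearly separated from real registration,
# and the user gets an explicit confirmation only after the registered key has
# been exercised once.  Not code from Yubico, Google or the researchers; the
# SimulatedKey is a constructed stand-in that signs challenges with a shared
# secret (a simplification of how a real token works).
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class Step(Enum):
    NOT_STARTED = auto()
    DEMO_DONE = auto()     # user has seen the walkthrough; nothing is protected yet
    KEY_LINKED = auto()    # key seen once; a verification touch is still pending
    CONFIRMED = auto()     # key proved it works; the account is now protected


@dataclass
class SimulatedKey:
    """Constructed stand-in for a hardware token (hypothetical, not a Yubikey API)."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def touch(self, challenge: bytes) -> bytes:
        # A touch answers the server's challenge with an HMAC over it.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


@dataclass
class Enrollment:
    step: Step = Step.NOT_STARTED
    registered_secret: Optional[bytes] = None
    pending_challenge: Optional[bytes] = None
    messages: List[str] = field(default_factory=list)   # feedback shown to the user


def run_demo(e: Enrollment) -> None:
    """The walkthrough.  It says in plain words that nothing is registered yet."""
    e.step = Step.DEMO_DONE
    e.messages.append("Demo finished. Your key is NOT registered yet; go to step 2 to register it.")


def link_key(e: Enrollment, key: SimulatedKey) -> None:
    """First real contact with the key.  Registration is not reported as done here."""
    if e.step == Step.NOT_STARTED:
        e.messages.append("Please complete the short demo first.")
        return
    e.registered_secret = key.secret          # shared secret, a simplification
    e.pending_challenge = secrets.token_bytes(16)
    e.step = Step.KEY_LINKED
    e.messages.append("Key detected. Touch it once more so we can check it works.")


def confirm(e: Enrollment, response: bytes) -> bool:
    """Verification touch.  Only a correct response marks the account protected."""
    if e.step != Step.KEY_LINKED or e.pending_challenge is None:
        e.messages.append("No key is waiting for confirmation. Plug in your key and try again.")
        return False
    expected = hmac.new(e.registered_secret, e.pending_challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        # The challenge stays pending so the user can retry with the right key.
        e.messages.append("That touch did not come from the key you just plugged in. Try again.")
        return False
    e.step = Step.CONFIRMED
    e.pending_challenge = None
    e.messages.append("Done. From now on a password alone cannot open this account; the key is required.")
    return True


def is_protected(e: Enrollment) -> bool:
    return e.step == Step.CONFIRMED


def enroll(key: SimulatedKey, stop_after_demo: bool = False) -> Enrollment:
    """Drive the whole flow; stop_after_demo reproduces the user who thought the demo was it."""
    e = Enrollment()
    run_demo(e)
    if stop_after_demo:
        return e
    link_key(e, key)
    confirm(e, key.touch(e.pending_challenge))
    return e


if __name__ == "__main__":
    for stop in (True, False):
        e = enroll(SimulatedKey(), stop_after_demo=stop)
        print(f"stopped after demo={stop}: protected={is_protected(e)}")
        for m in e.messages:
            print("  ", m)
```

The point of the design is that `is_protected` can only become true after the key has answered a fresh challenge, so a user who walks away after the demo is told, in the last message they see, that nothing is registered, and a user who finishes gets a confirmation that states what the key now does for the account.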

With updates in place, the researchers repeated the exercise, watching a new group of participants as they tried to register an account for Yubikey protection. The process went much more smoothly. But despite the improved usability, the participants were just as dismissive of the devices as the first group. They just didn't see the value and underestimated the risk.

Users fear being locked out of an account because of a lost or failed device, and to them the prospect of account takeover by someone else seems remote by comparison.

"We still have to work on communication," concluded Dr. Paul. "We need communication for humans, like the surgeon general's warning that smoking kills." The session finished with a public service announcement video showing a toothbrush cleaning nasty, dirty areas on one side and a bad password on the other side, concluding that both passwords and toothbrushes are "single use only."