YubiKey Usability Study Represents Undergraduate Research Success

Joshua Reynolds will present research he completed as a BYU undergraduate on YubiKey usability at the 39th IEEE Symposium on Security and Privacy on May 23, 2018. This is the top academic computer security conference, where only 11 percent of all papers submitted were accepted this year. Kent Seamons, Reynolds’s faculty mentor, pointed out that it is rare for an undergraduate to be first author on a paper at this conference.

Password protection has become increasingly important as identity theft has become more common. Proving you are who you say you are on the internet is both vital and challenging. Two-factor authentication is a stronger way to prove identity. A password plus a fingerprint, a password plus a texted code, and a password plus a hardware authentication device are all examples of two-factor authentication methods. They offer more protection than passwords alone.

One example of a hardware authentication device is Yubico’s YubiKey. It looks similar to a USB flash drive and plugs into a computer. Users are required to press a button on the device to authenticate their identity.

Joshua Reynolds, Brigham Young University computer science alumnus, began his undergraduate research on the consumer usability of YubiKeys in 2017.

Although YubiKeys have become popular among technology companies such as Google and Amazon, the hardware authentication device has yet to catch on among consumers outside the technology world. Reynolds noted that technology companies employ IT teams to help employees operate the YubiKeys. He wondered if a layperson, without help from an IT team, could effectively operate a YubiKey.

When Reynolds began planning his study, he was “surprised that nobody else had investigated this question yet.”

BYU computer science professor Kent Seamons oversaw Reynolds’s research. Seamons runs a lab on campus dedicated to usable security.

Reynolds’s team conducted two studies: a laboratory study and a longitudinal study. The paper based on these studies is called “A Tale of Two Studies: the Best and Worst of YubiKey Usability.” The laboratory study included thirty-one participants who were instructed to configure their YubiKey with Windows, Facebook, and Google accounts. Participants received no assistance or outside help. The results revealed that many users didn’t configure their accounts correctly. Some participants thought they had set up their YubiKeys correctly, but in reality they hadn’t. Others were locked out of their accounts when they tried to set up their YubiKeys.

The longitudinal study, however, yielded better results. Twenty-five participants used a YubiKey every day for one month. Most users did well and liked YubiKey once they knew how to use it.

“A Tale of Two Studies” gave Reynolds a good idea of YubiKeys’ current level of usability. Most participants felt that setup would have been easier if instructions were improved. Some systems, such as Google, were easier to configure than others, such as Windows and Facebook. The study included specific suggestions for making YubiKeys more user-friendly.

“Based on our analysis, we recommend standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts,” they concluded in the paper.

Seamons and Reynolds both have predictions and hopes for the future of two-factor authentication methods.

“I hope that someday we can find a more reliable way to prove who we are that is easy to remember, easy to carry, easy to use, and easy to replace,” Reynolds said.

Seamons’s idea is less traditional. He hopes that rather than adding more security factors, security keys could replace less secure passwords altogether.

“I wonder if some people would rather use just the second factor and not have a password at all. No one has explored that. Security experts might be alarmed with that. They might want more factors. But since (a hardware-authentication token) is the stronger security, and someone would have to steal it, the password isn’t the strongest factor, so maybe we could just get rid of that.”

“A Tale of Two Studies” was one of the first studies of its kind.

“Because this was a new topic that people haven’t looked at before, it’s been really well received,” Seamons said. He is excited that Reynolds’s research was accepted into the 39th IEEE Symposium on Security and Privacy.

Reynolds led and conducted the study along with BYU students from the Internet Security Research Lab: Trevor Smith (undergraduate), Ken Reese (MS), and Luke Dickinson (MS). The graduate students in the lab were instrumental in introducing Reynolds to two-factor authentication research.

Seamons is conducting follow-up research with his students that builds on the work of Reynolds’s paper. Jonathan Dutson recently surveyed BYU students’ experience with the Duo Mobile two-factor authentication system as part of his current honors thesis research. Ken Reese, an MS student, recently conducted a study comparing five different two-factor authentication methods.

Reynolds is now a PhD student at the University of Illinois at Urbana-Champaign. The university has the fifth-ranked computer science program in the United States.

By Angela Cava