You still use the password after all – Exploring FIDO2 Security Keys in a Small Company
2020Conference / Journal
Authors
Theodor Schnitzler Philipp Markert Markus Dürmuth Lennart Lorenz Florian M. Farke
Research Hub
Research Hub D: Benutzerfreundlichkeit
Research Challenges
RC 11: End-users and Usability
Abstract
The goal of the FIDO2 project is to provide secure and usable alternatives to password-based authentication on the Web. It relies on public-key credentials, which a user can provide via security tokens, biometrics, knowledge-based factors, or combinations. In this work, we report the results of a qualitative study accompanying the deployment of FIDO2-enabled security tokens for primary authentication in a web application of a small software company operating in the life sciences industry. We assisted the company in implementing and setting up FIDO2-enabled authentication on its public test and evaluation server. Over four weeks, we observed the authentication routine of 8 employees out of 10 employees regularly using the web application, including sales representatives, software developers, project managers, and account managers. We gathered data through login diaries, server logs, and semi-structured interviews to assess themes regarding usability, perceived security, and deployability. We found that participants had several concerns, like losing the security token and longer authentication times, while the security benefits were largely intangible or perceived as unnecessary.