Discussion paper

DP18701 Measuring user costs of enterprise multifactor authentication policies

Multifactor authentication (MFA) is one of the most important security controls, topping most lists of cyber hygiene activities advocated by experts. While the security benefits may be substantial, less attention has been paid to the impact on users of the added friction introduced by the more stringent precautions. In this paper, we construct and analyze a dataset of authentication logs from a university population spanning two years. We focus on two types of costs experienced by users: (1) the elapsed time resulting from errors and failed authentications and (2) the time spent away from IT applications following a failed authentication before attempting to reauthenticate. The first measure tracks the excess time dedicated to authentication when users encounter problems, while the second captures how user frustration can manifest as avoiding or delaying future engagement after experiencing failures. Following an exogenous change in MFA policy from a deny/approve mobile notification to a more cumbersome two-digit code mobile notification confirmation, we observe significant increases in the time spent away following failures.
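The two cost measures described in the abstract can be operationalised from ordinary authentication logs. The following is an added illustration, not code or data from the paper: it parses a small constructed log (user, timestamp, outcome, policy in force), treats "excess time" as the interval from a user's first failed attempt to the eventual success that closes the run of failures, and treats "time away" as the gap between a failed attempt and that user's next attempt of any outcome. Both definitions, the field layout and the policy labels `deny_approve` and `two_digit_code` are assumptions made for the example; a trailing failure with no later attempt contributes to neither measure.

```python
"""Added example (constructed data, not the paper's dataset): computing two
user-cost measures of MFA friction, split by the MFA policy in force."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log, not real records.
# Fields: user, ISO-8601 timestamp, outcome (success|failure), policy in force.
SAMPLE_LOG = """\
alice,2023-01-10T09:00:00,success,deny_approve
alice,2023-01-10T09:30:00,failure,deny_approve
alice,2023-01-10T09:31:30,success,deny_approve
bob,2023-01-11T08:00:00,failure,deny_approve
bob,2023-01-11T08:45:00,failure,deny_approve
bob,2023-01-11T08:46:00,success,deny_approve
alice,2023-03-05T09:00:00,failure,two_digit_code
alice,2023-03-05T11:00:00,failure,two_digit_code
alice,2023-03-05T11:02:00,success,two_digit_code
bob,2023-03-06T10:00:00,failure,two_digit_code
bob,2023-03-06T10:00:40,success,two_digit_code
carol,2023-03-07T12:00:00,failure,two_digit_code
"""


def parse_log(text):
    """Parse CSV-style lines into (user, datetime, outcome, policy) tuples,
    sorted per user in chronological order."""
    events = []
    for line in text.strip().splitlines():
        user, ts, outcome, policy = line.split(",")
        events.append((user, datetime.fromisoformat(ts), outcome, policy))
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def user_costs(events):
    """Return {policy: {"excess": [seconds...], "away": [seconds...]}}.

    excess: first failure in a run -> the success that ends the run (assumed
            operationalisation of cost 1).
    away:   a failure -> the same user's next attempt, any outcome (assumed
            operationalisation of cost 2).
    """
    costs = defaultdict(lambda: {"excess": [], "away": []})
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[0]].append(ev)

    for evs in by_user.values():
        first_failure = None  # start of the currently open run of failures
        for i, (_, ts, outcome, policy) in enumerate(evs):
            if outcome == "failure":
                if first_failure is None:
                    first_failure = ts
                # Time away is only defined if the user ever comes back;
                # a trailing failure with no later attempt is skipped.
                if i + 1 < len(evs):
                    gap = (evs[i + 1][1] - ts).total_seconds()
                    costs[policy]["away"].append(gap)
            elif first_failure is not None:
                # Success closes the run; attribute the excess to the policy
                # in force at the time of the success.
                costs[policy]["excess"].append((ts - first_failure).total_seconds())
                first_failure = None
    return dict(costs)


def summarize(costs):
    """Mean of each measure per policy (None when no observations)."""
    return {
        policy: {k: (round(mean(v), 1) if v else None) for k, v in d.items()}
        for policy, d in costs.items()
    }


if __name__ == "__main__":
    for policy, stats in summarize(user_costs(parse_log(SAMPLE_LOG))).items():
        print(policy, stats)
```

Splitting the measures by policy label is what allows a before/after comparison around a policy change; on real logs the labels would come from the date of the change rather than a column in the log, and a time-away window (e.g. ignoring gaps that span overnight) would typically be applied before averaging.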

Citation

Hastings, S, T Moore, N Gandal and N Barnir (2023), ‘DP18701 Measuring user costs of enterprise multifactor authentication policies’, CEPR Discussion Paper No. 18701. CEPR Press, Paris & London. https://cepr.org/publications/dp18701