YubiKey Scored “Pretty Positive” in BYU Study
Two-factor authentication via a smartphone has appeal since so many of us carry smartphones, but it isn’t the only hardware game in town. Think smaller—devices only large enough to permit users to press a button. There are several such devices on the market already, and one is the YubiKey from YubiCo.
But how usable are devices like the YubiKey? Academic researchers recently investigated this question for the first time. Usability is the difference between such a device being actively used, or being discarded on the scrap heap of well-intentioned gadgets that just didn’t fit into the everyday lives of their intended users.
The YubiKey was recently studied by students at the research lab of Kent Seamons, a faculty member in the computer science department at Brigham Young University (BYU). The study will be published this spring at the IEEE Symposium on Security and Privacy, Seamons says. His students invited 30 students from across campus. “None of them were studying computer science, just a variety of majors,” he says.
“Some of them didn’t even know what a YubiKey was,” Seamons continued. “We didn’t want to teach them about the device and risk biasing them. Instead, we gave them five minutes to learn about it using an Internet connection and Google search.”
Next, the researchers gave the students three tasks: set up the device for use with Google, Facebook, and Windows 10.
“We handed them the envelope the YubiKey comes in,” Seamons says. “Very visibly on the envelope is a URL for ‘getting started’ instructions. No users went to that, interestingly enough. They would all go to the Internet to start searching, and they would sometimes find their way independently to those instructions.”
Overall, the Google installations went most smoothly, in part because Google supplies an easy-to-use setup wizard. Facebook fared less well. “Some students thought they had finished the setup task, but a combination of outdated instructions and unclear indicators on the Facebook setup page meant that some of them had not fully activated the device for Facebook logins,” Seamons says.
The Windows 10 task, using Yubico-supplied software, “was pretty much a disaster,” Seamons says. “The lengthy instructions provided for the device are pretty complicated. Then you’ve got to install .Net, and again there are some confusing instructions. A small group of people actually locked themselves out of their machines, more than were able to successfully complete the task.”
The second part of the study sought to see how users were doing after using their YubiKey for one month. How often would they be prompted to authenticate using the device? Could they avoid losing it? For this part of the study, Seamons’ group set up YubiKeys for 25 users on Google, Facebook and Windows, then sent them away for four weeks.
“We took some steps, so they could phone us if they got in trouble. We didn’t want students to be out there and suddenly find that they can’t do what they need to do when they’re turning in homework or things like that,” Seamons says. After the month passed, researchers interviewed users to see how the month had gone. “By and large, it was pretty positive.”
An important outcome of the study is that it demonstrated the value of studying setup and long-term use separately.
The study did come up with some recommendations to ensure that YubiKey-like devices are successful. First, it recommends that the industry standardize the way such devices are set up, regardless of hardware or of the target platform, such as Google, Facebook, Windows or others. Second, these devices should do a better job of letting the user know that they have successfully completed installation and configuration for a given app.
The study also suggested letting users set up a trial run with their device, or share the device with a partner or family member. There are questions of privacy, but a trial could be set up with a ‘sandbox’ shared account used for testing only, or even with short-term delegation.
In general, these types of devices would also benefit from being more smoothly integrated into operating systems. “Hardware-based authentication devices like this are still new enough that, to my knowledge, that hasn’t been done yet,” Seamons says.
Of course, all these recommendations apply most to a direct-to-consumer security key experience. IT departments and help desks at various enterprises, including Google, already support YubiKeys and similar devices as part of their mission. But the BYU study speaks to a general notion that these security keys belong in widespread use, not just as part of enterprise operations.
“So far, the results of the study were well received by officials at YubiKey,” Seamons says. After the study, some of those who participated noted that the process of inserting a YubiKey into a USB port and pressing a single button remains easier than retrieving their cell phone to copy a one-time number into a website.
Following that observation, Seamons and his students are now underway with another study that will compare five kinds of two-factor authentication including a YubiKey, push notifications, one-time passwords and others. This will involve trying a simulated banking application over a two-week period.
Seamons notes that the study was designed and led by Joshua Reynolds, an undergraduate student, with assistance from a number of other students. The new study is being led by another student, Ken Reese.
With the continuing importance of moving beyond the use of passwords alone to protect our information, research like this is vital. It deserves attention and support from the entire identity industry.
By Scott Mace