 Measuring user costs of enterprise multifactor authentication policiesSeth Hastings, Tyler Moore, Neil Gandal and Noa Barnir No 18701, CEPR Discussion Papers from C.E.P.R. Discussion Papers Abstract: Multifactor authentication (MFA) is one of the most important security controls, topping most lists of cyber hygiene activities advocated by experts. While the security benefits may be substantial, less attention has been paid to the impact on users by the added friction introduced by the more stringent precautions. In this paper, we construct and analyze a dataset of authentication logs from a University population spanning two years. We focus on two types of costs experienced by users: (1) the elapsed time resulting from errors and failed authentications and (2) the time spent away from IT applications following a failed authentication before attempting to reauthenticate. The first measure tracks the excess time dedicated to the authentication when users encounter problems, while the second captures how user frustration can manifest by avoiding or delaying future engagement after experiencing failures. Following an exogenous change in MFA policy from a deny/approve mobile notification to a more cumbersome two-digit code mobile notification confirmation, we observe significant increases to the time spent away following failures. JEL-codes: D00 (search for similar items in EconPapers) Downloads: (external link) Related works: Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text Persistent link: https://EconPapers.repec.org/RePEc:cpr:ceprdp:18701 Ordering information: This working paper can be ordered from Access Statistics for this paper More papers in CEPR Discussion Papers from C.E.P.R. Discussion Papers Centre for Economic Policy Research, 33 Great Sutton Street, London EC1V 0DX. |
Is your work missing from RePEc? Here is how to contribute.
Questions or problems? Check the EconPapers FAQ or send mail to .
EconPapers is hosted by the
School of Business at Örebro University.