Tiefenau, Eva: The Never-Ending Story of Authentication : Investigating Password Composition Policies and Second-Factor Recoverability. - Bonn, 2025. - Dissertation, Rheinische Friedrich-Wilhelms-Universität Bonn.
Online-Ausgabe in bonndoc: https://nbn-resolving.org/urn:nbn:de:hbz:5-80026
@phdthesis{handle:20.500.11811/12725,
urn = {https://nbn-resolving.org/urn:nbn:de:hbz:5-80026},
author = {{Eva Tiefenau}},
title = {The Never-Ending Story of Authentication : Investigating Password Composition Policies and Second-Factor Recoverability},
school = {Rheinische Friedrich-Wilhelms-Universität Bonn},
year = 2025,
month = jan,
note = {Authentication is an area where users regularly encounter IT security, and it has been studied in the field of usable IT security for at least 25 years. There are numerous proposals and ideas to improve the IT security of personal accounts through various mechanisms aimed at preventing unauthorized access.
This work aims to explore two of these mechanisms: password composition policies, which restrict password choices, and two-factor authentication (2FA), which requires two different factors for users to log into an account. Regarding the first topic, this work presents the results of a survey conducted in German companies to understand the use of various elements in password composition policies and to investigate the challenges faced by decision-makers in creating such policies. By repeating the survey annually over four years, it was possible to observe the development of certain elements, such as enforcing regular, time-based password changes. This approach was recommended in the BSI guidelines in the first year of the survey but was changed shortly thereafter, advising against password expiry. This led to a decline in companies enforcing regular changes, though some continued to require them. The difficulties in implementing the new recommendations were often due to technical hurdles and lack of resources. The second topic of this work is 2FA, specifically how account recovery is handled when 2FA is enabled. While access to accounts protected only by a password can often be restored via email, access to accounts with 2FA should be better secured to justify the increased IT security. At the same time, the requirements for legitimate users should be easy to implement. The first part examines the user interface and processes on 78 high-traffic websites during 2FA setup and account recovery. It was found that the protocols and support users receive vary greatly from website to website. Building on these results, the following study investigates users’ backup strategies and their expectations for account recovery on websites. The findings suggest that only a minority would be able to recover their 2FA-protected accounts if the websites do not accept personal information as proof of identity. 
Combining these results with the insights from the processes and protocols on websites shows that there is significant potential for improvement in the area of account recovery.},
url = {https://hdl.handle.net/20.500.11811/12725}
}

The following license files are associated with this item:

Attribution 4.0 International