The Never-Ending Story of Authentication
Investigating Password Composition Policies and Second-Factor Recoverability

dc.contributor.advisorSmith, Matthew
dc.contributor.authorTiefenau, Eva
dc.date.accessioned2025-01-10T08:29:33Z
dc.date.available2025-01-10T08:29:33Z
dc.date.issued10.01.2025
dc.identifier.urihttps://hdl.handle.net/20.500.11811/12725
dc.description.abstractAuthentication is an area where users regularly encounter IT security, and it has been studied in the field of usable IT security for at least 25 years. Numerous proposals exist to improve the security of personal accounts through mechanisms aimed at preventing unauthorized access.

This work explores two of these mechanisms: password composition policies, which restrict the passwords users may choose, and two-factor authentication (2FA), which requires two different factors to log into an account.

On the first topic, this work presents the results of a survey conducted in German companies to understand which elements are used in password composition policies and which challenges decision-makers face when creating such policies. Repeating the survey annually over four years made it possible to observe how individual elements developed, such as enforcing regular, time-based password changes. This practice was recommended in the BSI guidelines in the first year of the survey, but the guidance changed shortly thereafter to advise against password expiry. This led to a decline in companies enforcing regular changes, though some continued to require them. Where the new recommendation was not implemented, the difficulties were often technical hurdles and a lack of resources.

The second topic is 2FA, specifically how account recovery is handled when 2FA is enabled. Access to accounts protected only by a password can often be restored via email; for accounts protected by 2FA, the recovery path must be secured to a comparable level, otherwise recovery becomes a weaker substitute for the second factor and the added security is lost. At the same time, the steps required of legitimate users should remain practical. The first study examines the user interface and processes on 78 high-traffic websites during 2FA setup and account recovery. It found that the procedures and the support users receive vary greatly from website to website. Building on these results, a follow-up study investigates users' backup strategies and their expectations for account recovery on websites. The findings suggest that only a minority would be able to recover their 2FA-protected accounts if websites did not accept personal information as proof of identity. Combining these results with the insights from the website processes shows that there is significant potential for improvement in account recovery.
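One way to build a second-factor recovery path that does not fall back on personal information is to issue one-time recovery codes when 2FA is enabled. The following is an added example and is not code from the dissertation or from any website it studied; the class and method names (RecoveryStore, issue, redeem), the code format (10 symbols from a 36-symbol alphabet) and the salted-hash storage scheme are assumptions chosen for illustration.

```python
"""One-time recovery codes as a 2FA fallback (added example, assumed design).

Design assumptions, not taken from the dissertation:
  * the site issues a short list of recovery codes when 2FA is enabled,
  * the server stores only per-user salted hashes of those codes,
  * a user who has lost the second factor may redeem each code exactly once,
  * personal information is never accepted as proof of identity.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, case-insensitive
CODE_LEN = 10  # 10 symbols * log2(36) is roughly 51.7 bits of entropy per code


def generate_codes(n: int = 8) -> list[str]:
    """Return n fresh, independently random recovery codes.

    These are shown to the user once at setup time and never stored in clear.
    """
    return [
        "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN)) for _ in range(n)
    ]


def _normalize(code: str) -> str:
    """Tolerate the separators and case a user is likely to type."""
    return code.replace("-", "").replace(" ", "").lower()


def _digest(salt: bytes, code: str) -> str:
    # Each code carries ~52 bits of entropy, so a fast hash is acceptable here;
    # the per-user salt prevents precomputed lookups across accounts.
    return hashlib.sha256(salt + _normalize(code).encode()).hexdigest()


class RecoveryStore:
    """Server-side state for one account: hashes only, never plaintext codes."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: set[str] = set()

    def issue(self, n: int = 8) -> list[str]:
        """Generate a new code set; any previously issued codes are revoked."""
        codes = generate_codes(n)
        self.hashes = {_digest(self.salt, c) for c in codes}
        return codes

    def redeem(self, candidate: str) -> bool:
        """Accept a valid code once. Unknown or already-used codes are refused."""
        probe = _digest(self.salt, candidate)
        match = None
        # Compare against every stored hash without breaking early so the
        # response time does not reveal which (if any) entry matched.
        for stored in self.hashes:
            if hmac.compare_digest(stored, probe):
                match = stored
        if match is None:
            return False
        self.hashes.discard(match)  # single use: burn the code on success
        return True

    def remaining(self) -> int:
        """Number of unused codes left; the UI should warn when this is low."""
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryStore()
    issued = store.issue()
    print("Show these once to the user:", issued)
    print("redeem first code:", store.redeem(issued[0]))   # True
    print("replay first code:", store.redeem(issued[0]))   # False, already used
    print("codes remaining:", store.remaining())           # 7
```

The point of the design is that the recovery secret is itself a second factor: it was handed only to the account holder at setup time, it is unguessable, and it can be used once, so the recovery path is not weaker than the login path it replaces.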
dc.language.isoeng
dc.rightsAttribution 4.0 International
dc.rights.urihttp://creativecommons.org/licenses/by/4.0/
dc.subjectAuthentication
dc.subjectPassword Composition Policies
dc.subjectTwo-Factor Authentication
dc.subjectIT Security
dc.subjectUser Study
dc.subjectExpert Study
dc.subject.ddc004 Computer Science
dc.titleThe Never-Ending Story of Authentication
dc.title.alternativeInvestigating Password Composition Policies and Second-Factor Recoverability
dc.typeDissertation or Habilitation
dc.publisher.nameUniversitäts- und Landesbibliothek Bonn
dc.publisher.locationBonn
dc.rights.accessRightsopenAccess
dc.identifier.urnhttps://nbn-resolving.org/urn:nbn:de:hbz:5-80026
ulbbn.pubtypeFirst publication
ulbbn.birthnameGerlitz
ulbbnediss.affiliation.nameRheinische Friedrich-Wilhelms-Universität Bonn
ulbbnediss.affiliation.locationBonn
ulbbnediss.thesis.levelDissertation
ulbbnediss.dissID8002
ulbbnediss.date.accepted02.12.2024
ulbbnediss.instituteFaculty of Mathematics and Natural Sciences : Computer Science Section / Institute of Computer Science
ulbbnediss.fakultaetFaculty of Mathematics and Natural Sciences
dc.contributor.coRefereeMeier, Michael