AuthGuide: Analyzing Security, Privacy and Usability Trade-Offs in Multi-factor Authentication

Abstract

Multi-factor authentication (MFA) reduces the risk of compromised credentials. However, selecting, configuring and combining different authentication factors is a challenge for both security administrators and end-users, as the configuration possibilities are large and the implications of choices on security, privacy and usability are not always well understood. This concern is further aggravated when the security administrator grants the end-user some flexibility for the selection of authentication factors, or when the latter are combined in a risk-adaptive manner. In this work, we present AUTHGUIDE, an authentication knowledge and configuration framework that increases the awareness about these trade-offs. Additionally, it raises the level of abstraction to configure MFA for a given identity and access management (IAM) platform through a series of questions by mapping the responses onto the IAM's workflow of authentication steps for registration and login. We implemented AUTHGUIDE, validated it on top of the open source Keycloak IAM, and evaluated the effectiveness of our framework to analyze the security, privacy and usability trade-offs.