Practical Investigation of Multi-Factor Recovery

In this study, the CISPA Helmholtz Center for Information Security in cooperation with Leibniz University Hannover, investigates the recovery of multifactor authentication (MFA).

We examine MFA implementations and recovery processes for online services, how they describe related procedures, and evaluate the user experience of the recovery process.

Therefore, we evaluated 1,800 online services and their websites. We picked 80 of them for a practical hands-on study. For those, we created accounts and enabled MFA. Afterwards we contacted the website support, pretending to have lost our MFA (e. g. wallet, phone, security key) and initiated the MFA recovery process from a loss of our additional factor.

Our goal was to investigate the trade-off between security and usability in real-world deployments of MFA, and to use our findings to inform best practices for online services supporting MFA. We especially aim to give recommendations for web services, authentication providers, and developers involved in MFA implementations.

Our study complies with requirements from our Ethical Review Board, and we tried to uphold ethical research standards by only sending out one request per website, attempting to minimize contact with real humans, and causing as little harm as possible.

If you have any questions, or are interested in further information, please feel free to contact us:



CISPA Helmholtz-Center for Information Security

Leibniz University Hannover