A Mixed-Methods Study on User Experiences and Challenges of Recovery Codes for an End-to-End Encrypted Service

Sandra Höltervennhoff, Noah Wöhler, Arne Möhle, Marten Oltrogge, Yasemin Acar, Oliver Wiese and Sascha Fahl.
In 33rd USENIX Security Symposium, USENIX Security '24, August 14-16, 2024
PDF Abstract Cite


Recovery codes are a popular backup mechanism for online services to aid users who lost their passwords or two-factor authentication tokens in regaining access to their accounts or encrypted data. Especially for end-to-end encrypted services, recovery codes are a critical feature, as the service itself cannot access the encrypted user data and help users regain access.

The way end-users manage recovery codes is not well understood. Hence, we investigate end-user perceptions and management strategies of recovery codes. Therefore, we survey users of an end-to-end encrypted email service provider, deploying recovery codes for accounts and encrypted data recovery in case of authentication credential loss.

We performed an online survey with 281 users. In a second study, we analyzed 197 support requests on Reddit. Most of our participants stored the service provider’s recovery code. We could identify six strategies for saving it, with using a password manager being the most widespread. Participants were generally satisfied with the service provider’s recovery code. However, while they appreciated its security, its usability was lacking. We found obstacles, such as losing access to the recovery code or non-functioning recovery codes and security misconceptions. These often resulted from users not understanding the underlying security implications, e.g., that the support cannot access or restore their unencrypted data.


	title	  = {A Mixed-Methods Study on User Experiences and Challenges of Recovery Codes for an End-to-End Encrypted Service},
	author    =	{Sandra Höltervennhoff and
			Noah Wöhler and 
			Arne Möhle and 
			Marten Oltrogge and 
			Yasemin Acar and 
			Oliver Wiese and 
			Sascha Fahl},
	booktitle = {In 33rd {USENIX} Security Symposium, {USENIX} Security '24, Philadelphia, PA, USA, August 14-16, 2024},
	month     = {Aug},
	year      = {2024},
	publisher = {USENIX Association},