The 2FA Illusion: Uncovering Weak Links of Web Account Access in the Wild
Single-factor authentication (1FA) and two-factor authentication (2FA) for secure and reliable website account access have become everyday tasks for most users. However, the complexity of integrating 1FA, 2FA, and password reset mechanisms makes real-world deployments challenging to navigate, leaving key questions about their implications for account security and accessibility unanswered. In this paper, we present a comprehensive investigation into the deployment of 1FA, 2FA, and password reset mechanisms across 50 major websites in six industries. By formally modeling account access and password reset patterns and applying Karnaugh maps for logical optimization, we uncover surprising consequences of current integrations of authentication mechanisms. We present key findings on the implications of modern authentication integrations for account security and accessibility, highlighting both the overestimated strengths and overlooked weaknesses of current deployments. Our research aims to provide a valuable and practical understanding of real-world authentication deployments for advancing web authentication practices.
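To make the modelling idea concrete, the following added example (not code or data from the paper) treats a site's login and password-reset rules as a Boolean function over possession of factors and enumerates its minimal sufficient factor sets; for a monotone policy these are the prime implicants a Karnaugh-map minimisation would recover, and the smallest of them is the effective factor count of the deployment. The factor names `P`, `O`, `E` and both policies are constructed for illustration.

```python
from itertools import product

# Authentication factors as Boolean inputs (hypothetical names, not from the
# paper): P = knows the password, O = holds the 2FA device, E = controls the
# registered e-mail inbox.
FACTORS = ("P", "O", "E")

def login_with_email_reset(f):
    """Constructed policy: 2FA at login, but password reset needs only the inbox."""
    login = f["P"] and f["O"]
    reset = f["E"]  # reset link by e-mail, set a new password, no second factor
    return login or reset

def login_with_2fa_on_reset(f):
    """Constructed policy: password reset also re-checks the second factor."""
    login = f["P"] and f["O"]
    reset = f["E"] and f["O"]
    return login or reset

def minimal_access_sets(policy, factors=FACTORS):
    """Enumerate every truth assignment over the factors and keep the minimal
    sets of factors that grant access. For a monotone policy these are its
    prime implicants, the same groups a Karnaugh map would circle."""
    granted = []
    for bits in product((False, True), repeat=len(factors)):
        assignment = dict(zip(factors, bits))
        if policy(assignment):
            granted.append(frozenset(k for k, v in assignment.items() if v))
    return {s for s in granted if not any(t < s for t in granted)}

def weakest_path_size(policy, factors=FACTORS):
    """Fewest factors that suffice for access: the deployment's effective
    factor count, whatever the login form advertises."""
    return min(len(s) for s in minimal_access_sets(policy, factors))

if __name__ == "__main__":
    for name, pol in (("email-only reset", login_with_email_reset),
                      ("2FA on reset", login_with_2fa_on_reset)):
        sets = sorted(sorted(s) for s in minimal_access_sets(pol))
        print(f"{name}: minimal access sets {sets}, "
              f"effective factors {weakest_path_size(pol)}")
```

The first policy reports an effective factor count of 1 even though the login form requires two, which is the kind of gap between advertised and actual strength the abstract refers to.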