"It's Just a Lot of Prerequisites": A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator

Abstract

Two-factor authentication (2FA) overcomes the insecurity of passwords by adding a second factor to the authentication process. A variant of 2FA, which is even phishing-resistant unlike, e.g., SMS-based implementations, is offered by the FIDO2 protocol. In 2018 its compatibility with eID, the German electronic identification system, which is built into every German ID card, was published. Thus, users who own a German ID card may use it as a second factor to secure their online accounts. We conducted a qualitative study with n = 20 participants to collect users' impressions of the usability when utilizing an ID as a second factor, their perception of security, and the overall acceptance. After showing participants an introductory video to familiarize them with the procedure, they completed a hands-on task for which they first set up an ID as a second factor and then used it to log in. Users' opinions, thoughts, and concerns were collected through multiple-choice questions and structured interviews. We find that most non-tech-savvy users struggle with the setup but generally perceive the login to be easy. Users with a tech background faced fewer issues when setting up the ID as a second factor but pointed out to prefer other alternatives. Finally, we observe a misconception regarding the transmission of personal information to the authenticating service despite several indicators of privacy-conform data handling. Based on our findings, we depict which aspects need to be addressed in order to provide a competitive alternative to established second factors.