Renascence Tarafder Prapty (University of California Irvine), Gene Tsudik (University of California Irvine)
Multi-Factor Authentication (MFA) enhances login security by requiring users to use multiple authentication factors. MFA adoption has surged in recent years in response to the growing frequency, diversity, and sophistication of attacks. Duo is among the most popular MFA providers, used by thousands of organizations worldwide, including Fortune 500 companies and large educational institutions. However, its usability has not been investigated thoroughly or recently. Although prior work addressed technical challenges and user perceptions during initial implementation phases, there was no assessment of key usability metrics, such as average task completion time and System Usability Scale (SUS) scores. Moreover, relevant prior results are outdated, having been conducted years ago when the entire MFA concept was relatively new and unfamiliar to the average user.
Motivated by the above, we conducted a long-term and largescale Duo usability study. This study took place at the University of California Irvine (UCI) over the course of the 2024-2025 academic year and it involved 2, 559 unique participants. Our analysis is based on a large set of authentication log files and a survey of 57 randomly selected participants. The study reveals that the average overhead of a Duo Push notification task is nearly 8 seconds, a duration described by participants as short to moderate. Several factors influence this overhead, including the time of day when the task was performed, the participant’s field of study, as well as their education/student level. The rate of authentication failures due to incomplete Duo tasks is 4.35%. Furthermore, 43.86% of survey respondents reported experiencing a Duo login failure at least once. The Duo SUS score is found to be 70, corresponding to a “Good” usability level: while participants generally find Duo easy to use, they also perceive it as annoying. On a positive note, Duo increases participants’ sense of security regarding their accounts. Finally, participants described commonly encountered issues and provided constructive suggestions for improvement.