Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as a hardware token or a one-time password generated by a mobile app. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factor for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures that allow their users to recover from losing access to their additional factor, and these procedures must be both secure and easy to use. To the best of our knowledge, we are the first to investigate first-hand the security and user experience of deployed Multi-Factor Authentication recovery procedures. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect the documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of the security and user experience of their recovery procedures. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures that allowed us to circumvent and disable Multi-Factor Authentication when we had access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated.
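The core finding above, that proof of email access alone was enough to disable MFA on many sites, can be made concrete with a small model of two recovery flows. The following Python is an added example and is not code from the paper or from any of the studied websites: `recover_email_only` models the insecure pattern the abstract reports, and `recover_with_code` is an assumed mitigation in which the email step only proves ownership of the address and disabling MFA additionally consumes a single-use recovery code issued at enrollment. All names, the account model and the recovery-code scheme are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Minimal account model (constructed for this example)."""
    email: str
    mfa_enabled: bool = True
    # SHA-256 hashes of single-use recovery codes issued when MFA was enrolled;
    # only hashes are stored so a database leak does not expose usable codes.
    recovery_code_hashes: set = field(default_factory=set)


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def issue_recovery_codes(account: Account, count: int = 5) -> list:
    """Generate recovery codes at MFA enrollment; return the plaintext codes
    exactly once so the user can store them offline."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    account.recovery_code_hashes = {_hash_code(c) for c in codes}
    return codes


def recover_email_only(account: Account, email_link_verified: bool) -> bool:
    """Insecure pattern reported by the study: anyone who can click the
    recovery link sent to the associated mailbox can disable MFA outright,
    so the second factor adds nothing against an email compromise."""
    if email_link_verified:
        account.mfa_enabled = False
        return True
    return False


def recover_with_code(account: Account, email_link_verified: bool, code: str) -> bool:
    """Assumed hardened flow: the email link proves ownership of the address,
    but disabling MFA also requires a valid, unused recovery code.
    Returns True only when both checks pass; the code is consumed on success."""
    if not email_link_verified:
        return False
    presented = _hash_code(code)
    matched = None
    # Compare against every stored hash with a constant-time comparison so the
    # response time does not leak how many leading characters matched.
    for stored in account.recovery_code_hashes:
        if hmac.compare_digest(stored, presented):
            matched = stored
    if matched is None:
        return False
    account.recovery_code_hashes.discard(matched)  # single use
    account.mfa_enabled = False
    return True
```

Run side by side, the two flows show the difference the study measured: with the email-only flow an attacker holding the mailbox ends up with MFA disabled, whereas the code-gated flow refuses the same request unless a recovery code the user received at enrollment is also presented, and each code works once.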