Understanding Users' Interaction with Login Notifications

Philipp Markert, Leona Lassak, Maximilian Golla, Markus Dürmuth

TL;DR

Login notifications aim to inform users about recent sign-ins to prevent unauthorized access. The authors analyze the efficacy and usability of granted-access notifications through a 3-stage, deception-based user study ($n=229$) built on a baseline derived from $n=72$ real-world emails. They find that users easily identify legitimate logins but struggle to interpret and respond to unexpected or malicious logins, with only $22\%$ of malicious cases leading to password changes. The paper argues for contextualization (Why Notification), risk-based triggering, and broader remediation steps by service providers to enhance usable security. These findings offer concrete recommendations to reduce warning fatigue while improving account protection.

Abstract

Login notifications intend to inform users about sign-ins and help them protect their accounts from unauthorized access. Notifications are usually sent if a login deviates from previous ones, potentially indicating malicious activity. They contain information like the location, date, time, and device used to sign in. Users are challenged to verify whether they recognize the login (because it was them or someone they know) or to protect their account from unwanted access. In a user study, we explore users' comprehension, reactions, and expectations of login notifications. We utilize two treatments to measure users' behavior in response to notifications sent for a login they initiated or based on a malicious actor relying on statistical sign-in information. We find that users identify legitimate logins but need more support to halt malicious sign-ins. We discuss the identified problems and give recommendations for service providers to ensure usable and secure logins for everyone.

Paper Structure (29 sections, 6 figures, 6 tables)

Figures (6)

  • Figure 1: Real-world examples of the three sign-in notification types (logos removed due to copyright, cropped, as of Dec. 2023).
  • Figure 2: The information included in login notifications for granted access notifications ($n=72$) sent by real-world services.
  • Figure 3: The baseline login notification, which we derived from ($n=72$) real-world notifications. For our user study, we rebranded the text and the look to match the study website.
  • Figure 4: Breakdown of treatments into participants who have or have not changed their password and their reasoning.
  • Figure 5: Helpfulness of the details for deciding (Appendix, Part 2, Q5).
  • ...and 1 more figure