Personal Reflection on Early Stages of Project Process

Project Title: Evaluating the Impact of Adaptive Multi-Factor Authentication on Usability and Perceived Security in Enterprise Environments
(A human-centred study of context-aware authentication systems and their effect on employee experience and trust)

The initial stages of this dissertation project have been a formative and insightful journey, marked by iterative refinement of my academic direction and a growing understanding of the methodological complexities in human-centred cybersecurity. My original intention was to explore adaptive multi-factor authentication (aMFA) from a high-level usability perspective, envisioning a straightforward comparative study. However, through literature review and preliminary stakeholder discussions, I recognized critical complexities that necessitated significant adjustments to my research scope, objectives, and methodological approach.

A primary realization was that “adaptive authentication” is not a uniform concept across enterprises. Documentation, such as Microsoft Entra Conditional Access and Google BeyondCorp whitepapers, along with varied literature, revealed substantial variations in adaptive triggers—including device risk, user risk, geo-velocity, application sensitivity, device trust level, real-time risk scoring, and user role. This variability highlighted that my research methods must explicitly account for these contextual differences rather than treating aMFA as a monolithic technology. Consequently, I refined my research questions to emphasize employee experiences, perceptions, and trust responses to these systems under diverse contextual conditions.

Further insights emerged from preliminary exploratory interviews (documented in Appendix B). Participants noted that aMFA often goes “invisible when it works well” but becomes highly noticeable and potentially frustrating when incorrectly triggered. This shifted my approach to usability measurement. While initially planning to use standard questionnaires like SUS and UEQ, I realized these were insufficient for capturing episodic frustration, trust erosion, or heightened security awareness. Therefore, I modified my evaluation plan to incorporate experience sampling and qualitative diary entries, allowing for real-time capture of user reactions. This change is justified given the dynamic nature of context-aware authentication systems, which static post-task questionnaires risk oversimplifying.

The literature review process also required significant refinement. Initial searches yielded an abundance of unrelated results due to ambiguous keywords such as “trust,” “context,” and “usability” (evidence in Appendix C). To address this, I revised my Boolean search strategy to include more specific constructs like “risk-based authentication,” “adaptive security,” “context-aware MFA,” and “perceived security.” This not only increased the relevance of retrieved studies but also helped identify important theoretical frameworks, particularly human-computer interaction perspectives on trust formation and security fatigue.

Using structured Boolean search strategies across databases like IEEE Xplore, ACM Digital Library, SpringerLink, ScienceDirect, Sage Journals, and Google Scholar, I identified an initial group of sources. The PRISMA process revealed that many early papers focused narrowly on MFA technologies from a technical security standpoint, largely omitting human factors. This exposed a crucial gap: despite aMFA’s growing enterprise adoption, limited research examines how employees experience these systems—especially regarding trust, comfort, transparency, and perceived invasiveness. Consequently, I refined the project’s scope to explicitly incorporate employee perceptions and trust mechanisms, moving beyond purely functional usability metrics.

This refinement necessitated adjusting the main research question. My initial question—“How does adaptive MFA affect usability and security in enterprise environments?”—was too broad. Through reflection and methodological planning, I reformulated the main research question to:

“How does adaptive multi-factor authentication influence employee usability experience and perceived security in enterprise environments?”

This revised question more explicitly links the technological mechanism (adaptive MFA) with psychological and experiential constructs (usability, trust, perceived security). This change strengthens alignment with human-centred cybersecurity frameworks and supports the mixed-method evaluation approach I intend to use.

A further methodological adjustment involved the participant sampling strategy. My original proposal assumed homogeneous employee experiences within a single organization. However, informal discussions with IT administrators and security experts revealed significant variations in authentication burden across departments based on job roles, mobility patterns, and access privileges. To accurately reflect this diversity, I revised my sampling plan to include participants from multiple functional areas, explicitly comparing high-risk and low-risk roles. This adjustment enhances the study’s internal validity and ensures findings better inform enterprise-level adoption strategies.

In parallel, I reviewed methodological approaches in prior empirical security usability studies. While many focused on performance metrics, more recent research emphasizes perceived security as a psychological construct. This led me to expand my theoretical lens to include trust calibration and risk perception models, supported by sources highlighting the importance of aligning users’ trust judgments with actual system behaviour. As a result, my research objectives now explicitly investigate not only usability but also employees’ subjective sense of safety and confidence when interacting with adaptive MFA.

Ethical considerations also guided my reflections. Early review of organizational policies indicated strict requirements for handling sensitive authentication-related data. Initially, I planned to collect authentication logs to correlate employee experiences with trigger frequency. However, discussions with the data protection officer confirmed this was not feasible due to privacy constraints. I therefore redesigned the study to rely on self-report and simulated authentication tasks rather than live system logs. While this somewhat limits ecological validity, it ensures compliance with ethical and legal standards.

Overall, these early project stages have been highly iterative and informative. The refinements to research questions, methods, and theoretical framing were directly driven by emerging evidence and practical constraints. These adjustments position the study to offer a nuanced and human-centred understanding of adaptive MFA systems—particularly their impact on employee trust and day-to-day usability. As I move into the data collection phase, the groundwork laid ensures a stronger alignment between the research aims and the realities of enterprise authentication environments.
