Evaluation of Risk-based Re-Authentication Methods

08/18/2020
by Stephan Wiefling, et al.

Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA's time exposure and usability, these aspects have not been studied so far. We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a between-group study (N=592) to evaluate these three approaches. Our observations show with significant results that there is potential to speed up the RBA re-authentication process without reducing either its security properties or its security perception. The link-based re-authentication via "magic links", however, makes users significantly more anxious than the code-based approaches when perceived for the first time. Our evaluations underline the fact that RBA re-authentication is not a uniform procedure. We summarize our findings and provide recommendations.
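As an added illustration (not code from the paper or its authors), a minimal sketch of the RBA flow the abstract describes: a login whose monitored features deviate from the account's history triggers re-authentication, which is then satisfied either by a numerical code or by a magic-link token. The feature names, the one-point-per-deviation scoring rule and the history values are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed login history for one account (feature name -> values seen before).
# These values are made up for the example and are not taken from the paper.
HISTORY = {
    "ip_prefix": {"203.0.113.", "198.51.100."},
    "user_agent": {"Firefox/80 Linux"},
    "country": {"DE"},
}

def risk_score(login: dict, history: dict = HISTORY) -> int:
    """Count how many monitored features deviate from the login history.
    The paper only says RBA requests an extra step when features deviate;
    one point per unseen value is a deliberately simple stand-in."""
    return sum(1 for name, seen in history.items() if login.get(name) not in seen)

def login_decision(login: dict, threshold: int = 1) -> str:
    """Return 'allow' or 're-authenticate' based on the deviation score."""
    return "re-authenticate" if risk_score(login) >= threshold else "allow"

@dataclass
class Challenge:
    kind: str         # "code": numerical code in the e-mail body; "link": magic link
    secret: str       # what the e-mail carries (a deployment would store only a hash)
    expires_at: float

def issue_challenge(kind: str, ttl_seconds: int = 600) -> Challenge:
    """Create the re-authentication challenge for the chosen variant."""
    if kind == "code":
        secret = f"{secrets.randbelow(10**6):06d}"   # six-digit code the user types in
    elif kind == "link":
        secret = secrets.token_urlsafe(32)           # token embedded in the magic link
    else:
        raise ValueError(f"unknown challenge kind: {kind}")
    return Challenge(kind, secret, time.time() + ttl_seconds)

def verify_challenge(ch: Challenge, presented: str, now: Optional[float] = None) -> bool:
    """Accept the typed code or clicked link only while unexpired and exactly matching."""
    now = time.time() if now is None else now
    if now > ch.expires_at:
        return False
    # constant-time comparison so the check does not leak how much of the secret matched
    return hmac.compare_digest(ch.secret, presented)
```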


