DeepAI AI Chat
Log In Sign Up

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

by   Stephan Wiefling, et al.
TH Köln
Ruhr University Bochum

Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA. In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.


page 1

page 2

page 3

page 4


What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics

Risk-based authentication (RBA) aims to strengthen password-based authen...

MetaSecure: A Passwordless Authentication for the Metaverse

Metaverse in general holds a potential future for cyberspace. At the beg...

Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example

Online services have difficulties to replace passwords with more secure ...

MFA is a Waste of Time! Understanding Negative Connotation Towards MFA Applications via User Generated Content

Traditional single-factor authentication possesses several critical secu...

Work in progress: Identifying Two-Factor Authentication Support in Banking Sites

Two-factor authentication (2FA) offers several security benefits that se...

Studying the Impact of Managers on Password Strength and Reuse

Despite their well-known security problems, passwords are still the incu...