What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics

01/26/2021
by   Stephan Wiefling, et al.
0

Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge and implementations that would allow any service provider to roll out RBA protection to its users. To close this gap, we provide a first in-depth analysis of RBA characteristics in a practical deployment. We observed N=780 users with 247 unique features on a real-world online service for over 1.8 years. Based on our collected data set, we provide (i) a behavior analysis of two RBA implementations that were apparently used by major online services in the wild, (ii) a benchmark of the features to extract a subset that is most suitable for RBA use, (iii) a new feature that has not been used in RBA before, and (iv) factors which have a significant effect on RBA performance. Our results show that RBA needs to be carefully tailored to each online service, as even small configuration adjustments can greatly impact RBA's security and usability properties. We provide insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts.

READ FULL TEXT
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

03/17/2020

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

Risk-based authentication (RBA) is an adaptive security measure to stren...
08/18/2020

Evaluation of Risk-based Re-Authentication Methods

Risk-based Authentication (RBA) is an adaptive security measure that imp...
04/19/2018

Anonymous Single-Sign-On for n designated services with traceability

Anonymous Single-Sign-On authentication schemes have been proposed to al...
12/08/2020

On Aadhaar Identity Management System

A unique identification for citizens can lead to effective governance to...
11/20/2018

Killing the Password and Preserving Privacy with Device-Centric and Attribute-based Authentication

Current authentication methods on the Web have serious weaknesses. First...
08/16/2019

MFA is a Waste of Time! Understanding Negative Connotation Towards MFA Applications via User Generated Content

Traditional single-factor authentication possesses several critical secu...
12/02/2020

Analysis of a Decentralised Digital Token Architecture for Public Transport

Digitisation is often viewed as beneficial to a user. Where originally p...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.