Evaluation of Risk-Based Re-Authentication Methods

  title={Evaluation of Risk-Based Re-Authentication Methods},
  author={Stephan Wiefling and Tanvi Patil and Markus Durmuth and Luigi Lo Iacono},
  journal={ICT Systems Security and Privacy Protection},
  pages={280 - 294}
Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests for an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which… 
Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service
The first long-term RBA analysis on a real-world large-scale online service is provided and insights are provided on selecting an optimized RBA configuration so that users profit from RBA after just a few logins.
More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication
This study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types.
What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics
This work provides insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts, and shows that RBA needs to be carefully tailored to each online service.
Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication
A heuristic evaluation of 12 account recovery mechanisms regarding their properties for FIDO2 passwordless authentication identifies promising account recovery solutions and provides recommendations for further studies.
A quarter century of usable security and privacy research: transparency, tailorability, and the road ahead
Six contributions with regard to privacy concerns in times of COVID-19, authentication on mobile devices, GDPR-compliant data management, privacy notices on websites, as well as rights under data protection law and the concrete process should data subjects want to claim those rights are presented.
Cognitive function vs. accessible authentication: insights from dyslexia research
Using a qualitative approach, this paper explores the challenges current password-based approaches pose to people with dyslexia, a relatively common cognitive disability, highlighting several issues.
Verify It’s You: How Users Perceive Risk-Based Authentication
This study shows that users find RBA more usable than two-factor authentication equivalents and more secure than password-only authentication.
Phish in Sheep’s Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting
This paper presents the first comprehensive and in-depth exploration of the security implications of real-world systems relying on browser fingerprints for authentication, and develops a tool for auto-constructing browser-based fingerprinting vectors that replicate the process of target websites, enabling the extraction of fingerprinting from users’ devices that exactly match those generated by target websites.


Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
This work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.
The State of User Authentication in the Wild
This paper intends to map the current state of user authentication, as typically seen by end users, by evaluating the mechanisms used by 48 different services, including websites, IoT/smart home devices, and mobile devices.
Who Are You? A Statistical Approach to Measuring User Authenticity
This work develops a statistical framework for identifying suspicious login attempts and develops a fully functional prototype implementation that can be evaluated efficiently on large datasets and provides a systematic study of possible attackers against such a system, including attackers targeting the classifier itself.
Protecting accounts from credential stuffing with password breach alerting
A privacy-preserving protocol whereby a client can query a centralized breach repository to determine whether a specific username and password combination is publicly exposed, but without revealing the information queried is proposed.
Ask Me Again But Don't Annoy Me: Evaluating Re-authentication Strategies for Smartphones
This work proposes several re-authentication configurations with varying levels of screen transparency and an optional time delay before displaying the authentication prompt, and finds that participants respond positively to the proposed changes and utilize the time delay while they are anticipating to get an authentication prompt to complete their current task.
Understanding user perceptions of transparent authentication on a mobile device
It is found that having a few barriers to device and data access aided the user in building a mental model of the on-device security provided by transparent authentication, showing that a more granular method of smartphone security is justified.
"What was that site doing with my Facebook password?": Designing Password-Reuse Notifications
Insight is provided into notifications used by companies in situations potentially involving password reuse and how notifications alone appear insufficient in solving password reuse.
How Well Do My Results Generalize? Comparing Security and Privacy Survey Results from MTurk, Web, and Telephone Samples
These findings lend tempered support for the generalizability of prior crowdsourced security and privacy user studies; provide context to more accurately interpret the results of such studies; and suggest rich directions for future work to mitigate experience- rather than demographic-related sample biases.
Assessing end-user awareness of social engineering and phishing
An assessment of user awareness of such methods in the form of email phishing attacks using a web­based survey shows that the 179 participants were 36% successful in identifying legitimate emails, versus 45%successful in spotting illegitimate ones.
Conducting Usable Privacy & Security Studies with Amazon ’ s Mechanical Turk
This paper describes three different usable privacy and security experiments that were conducted through Mechanical Turk, highlighting both reasons for using Amazon’s service as well as common pitfalls that the authors encountered.