Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

Authors: Stephan Wiefling, Luigi Lo Iacono and Markus Dürmuth
Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing… 
Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service
This work provides the first long-term RBA analysis on a real-world large-scale online service, together with insights on selecting an optimized RBA configuration so that users profit from RBA after just a few logins.
Evaluation of Risk-Based Re-Authentication Methods
Two RBA re-authentication variants supplementing the de facto standard with a link-based and a code-based approach are introduced, and it is shown with significant results that there is potential to speed up the RBA re-authentication process without reducing either its security properties or its security perception.
More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication
This study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types.
What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics
This work provides insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts, and shows that RBA needs to be carefully tailored to each online service.
FIDO2 With Two Displays - Or How to Protect Security-Critical Web Transactions Against Malware Attacks
A new paradigm to improve two-factor authentication that involves the concepts of one-out-of-two security and transaction authentication is proposed, which can protect security-critical transactions against manipulation, even if one of the factors is completely compromised.
A Systematic Approach for a Secure Authentication System
This paper portrays a systematic architecture to verify user credentials using specific parameters, trying to unfold patterns using machine learning algorithms based on users' past login records, thus trying to provide a safer and more secure authentication process for the users.
Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale
The findings suggest that the IMPaaS model is growing and provides the mechanisms needed to systematically evade authentication controls across multiple platforms, while providing attackers with a reliable, up-to-date, and semi-automated environment enabling target selection and user impersonation against Internet users at scale.
"It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn
While prior attempts at passwordless authentication on the web have required specialized hardware, FIDO2’s WebAuthn protocol lets users sign into websites with their smartphone. Users authenticate
Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols
This work crafted a phishing website that mimics Google's login page and implements a FIDO-downgrade attack, and found that, when using FIDO as their second authentication factor, 55% of participants fell for real-time phishing, and another 35% would potentially be susceptible to the attack in practice.
A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication
This article makes the link between the digital fingerprints that distinguish browsers and the biological fingerprints that distinguish humans, evaluates browser fingerprints according to properties inspired by biometric authentication factors, and concludes that browser fingerprints carry the promise to strengthen web authentication mechanisms.
Who Are You? A Statistical Approach to Measuring User Authenticity
This work develops a statistical framework for identifying suspicious login attempts and develops a fully functional prototype implementation that can be evaluated efficiently on large datasets and provides a systematic study of possible attackers against such a system, including attackers targeting the classifier itself.
Privacy concerns of implicit secondary factors for web authentication
These implicit factors can help transform authentication from a binary decision problem (based on passwords alone) into a classification problem with a spectrum of possible decisions, and are commonly mentioned for use in mobile devices.
The State of User Authentication in the Wild
This paper intends to map the current state of user authentication, as typically seen by end users, by evaluating the mechanisms used by 48 different services, including websites, IoT/smart home devices, and mobile devices.
Risk-based authenticator for web applications
This work describes the security pattern risk-based authenticator and exemplifies its application in the SmartCampus, a service-oriented web application that continuously and transparently collects data on the user to learn their typical behavior and detect anomalies.
Distinguishing Attacks from Legitimate Authentication Traffic at Scale
This work shows how to accurately estimate the odds that an observation x indicates that a request is malicious, and how to identify subsets of the request data that contain the least (or even no) attack traffic.
Mobile device fingerprinting considered harmful for risk-based authentication
Research shows that particularly for mobile devices the fingerprints carry a lot of similarity, even across models and brands, making them less reliable for risk assessment and step-up authentication.
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords
Joseph Bonneau · Computer Science · 2012 IEEE Symposium on Security and Privacy · 2012
It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack.
Targeted Online Password Guessing: An Underestimated Threat
TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker, is proposed to design novel and efficient guessing algorithms.
Password security
Account security, through password selection and data encryption, has been a common thread through the past few Webwaves columns, and this one is no exception. Readers may recall the discovery of the
A Survey on Web Tracking: Mechanisms, Implications, and Defenses
This survey reviews the existing literature on the methods used by web services to track users online, as well as their purposes, implications, and possible user defenses, and presents five main groups of methods used for user tracking.