More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

@article{Wiefling2020MoreTJ,
  title={More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication},
  author={Stephan Wiefling and Markus Durmuth and Luigi Lo Iacono},
  journal={Annual Computer Security Applications Conference},
  year={2020}
}
Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well. We present the results of a between-group… 
Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service
TLDR
The first long-term RBA analysis on a real-world large-scale online service is presented, together with insights on selecting an optimized RBA configuration so that users profit from RBA after just a few logins.
Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication
TLDR
A heuristic evaluation of 12 account recovery mechanisms regarding their properties for FIDO2 passwordless authentication identifies promising account recovery solutions and provides recommendations for further studies.
What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics
TLDR
This work provides insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts, and shows that RBA needs to be carefully tailored to each online service.
Verify It’s You: How Users Perceive Risk-Based Authentication
TLDR
This study shows that users find RBA more usable than two-factor authentication equivalents and more secure than password-only authentication.
Driving 2FA Adoption at Scale: Optimizing Two-Factor Authentication Notification Design Patterns
TLDR
This work conducts a series of large-scale in-the-wild, controlled messaging experiments on Facebook to examine whether messaging that addresses users’ motivations, mental models, and concerns about 2FA and UX design patterns found effective in other fields can effectively improve 2FA adoption.
Phish in Sheep’s Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting
TLDR
This paper presents the first comprehensive and in-depth exploration of the security implications of real-world systems relying on browser fingerprints for authentication, and develops a tool for auto-constructing browser-based fingerprinting vectors that replicate the process of target websites, enabling the extraction of fingerprints from users' devices that exactly match those generated by the target websites.
A quarter century of usable security and privacy research: transparency, tailorability, and the road ahead
TLDR
Six contributions are presented, addressing privacy concerns in times of COVID-19, authentication on mobile devices, GDPR-compliant data management, privacy notices on websites, as well as rights under data protection law and the concrete process data subjects must follow should they want to claim those rights.
Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols
TLDR
This work crafted a phishing website that mimics Google's login page and implements a FIDO-downgrade attack, and found that, when using FIDO as their second authentication factor, 55% of participants fell for real-time phishing, and another 35% would potentially be susceptible to the attack in practice.
Privacy Considerations for Risk-Based Authentication Systems
TLDR
A subset of the properties of the privacy-preserving RBA enhancements in practical environments are evaluated with long-term data from 780 users of a real-world online service and show the potential to increase privacy in RBA solutions.

References

SHOWING 1-10 OF 65 REFERENCES
Usability and Security Perceptions of Implicit Authentication: Convenient, Secure, Sometimes Annoying
TLDR
The findings indicate that 91% of participants found IA to be convenient (26% more than the explicit authentication schemes tested) and 81% perceived the provided level of protection to be satisfactory, which is encouraging.
Evaluation of Risk-Based Re-Authentication Methods
TLDR
Two RBA re-authentication variants supplementing the de facto standard, one link-based and one code-based, are introduced, and it is shown with significant results that there is potential to speed up the RBA re-authentication process without reducing either its security properties or its security perception.
Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
TLDR
This work provides a first deeper understanding of practical RBA deployments and helps foster further research in this direction.
2FA Might Be Secure, But It’s Not Usable: A Summative Usability Assessment of Google’s Two-factor Authentication (2FA) Methods
TLDR
Approximate measures indicated that Google’s optional 2FA systems’ usability needed to be improved, especially with regard to the initial setup of 2FA, and developers need to focus more attention on making 2FA easier and faster to use.
Two-Factor or not Two-Factor? A Comparative Usability Study of Two-Factor Authentication
TLDR
It is found that 2F technologies are overall perceived as usable, regardless of motivation and/or context of use, and three metrics – ease-of-use, required cognitive efforts, and trustworthiness – are enough to capture key factors affecting 2F usability.
A Tale of Two Studies: The Best and Worst of YubiKey Usability
TLDR
Based on the analysis, standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts are recommended.
A Usability Study of Five Two-Factor Authentication Methods
TLDR
While a few participants experienced difficulty setting up a hardware token and a one-time password, in general, users found the methods easy to set up.
Honey, I shrunk the keys: influences of mobile devices on password composition and authentication performance
TLDR
Mobile devices influence both authentication performance and password composition: a negative effect on password security could be observed, as users fall back to passwords that are easier to enter on the respective devices.