Volltext-Downloads (blau) und Frontdoor-Views (grau)

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

  • Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA. In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.

Volltext Dateien herunterladen

Metadaten exportieren

Weitere Dienste

Teilen auf Twitter Suche bei Google Scholar


Verfasserangaben:Stephan Wiefling, Luigi Lo Iacono, Markus Dürmuth
Angaben zur Erstveröffentlichung:34th IFIP TC 11 International Conference on Information Security and Privacy Protection (IFIP SEC 2019), Lisbon, Portugal, June 25-27, 2019, Proceedings, IFIP Advances in Information and Communication Technology, vol. 562
Datum des Hochladens:31.05.2019
GND-Schlagwort:Authentifikation; Passwort; Studie
Freies Schlagwort / Tag:Authentication; Password; Risk-based Authentication; Study
Fakultäten und Zentrale Einrichtungen:Informations-, Medien- und Elektrotechnik (F07) / Fakultät 07 / Institut für Medien- und Phototechnik
CCS-Klassifikation:H. Information Systems / H.5 INFORMATION INTERFACES AND PRESENTATION (e.g., HCI) (I.7) / H.5.2 User Interfaces (D.2.2, H.1.2, I.3.6) / Graphical user interfaces (GUI) (NEW)
K. Computing Milieux / K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS / K.6.5 Security and Protection (D.4.6, K.4.2) / Authentication
DDC-Sachgruppen:000 Allgemeines, Informatik, Informationswissenschaft
Open Access:Open Access
Lizenz (Deutsch):License LogoEs gilt das UrhG