
Evaluation of Risk-based Re-Authentication Methods

Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, and phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA's time exposure and usability, these aspects have not been studied so far. We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a between-group study (N=592) to evaluate these three approaches. Our observations show with significant results that there is potential to speed up the RBA re-authentication process without reducing either its security properties or its security perception. The link-based re-authentication via "magic links", however, makes users significantly more anxious than the code-based approaches when perceived for the first time. Our evaluations underline the fact that RBA re-authentication is not a uniform procedure. We summarize our findings and provide recommendations.
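To make the two re-authentication variants the abstract compares concrete, here is an added example (not code from the paper or its authors) of an RBA decision plus challenge issuance and verification: a login whose features are absent from the user's history triggers either a 6-digit email code or a long magic-link token, both stored only as a hash, time-limited and single-use. The feature set, TTL and in-memory storage are assumptions for illustration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

def _h(s: str) -> str:
    """Hash secrets before storage so a leaked table does not reveal live codes/links."""
    return hashlib.sha256(s.encode()).hexdigest()

@dataclass
class Challenge:
    digest: str      # hash of the code or link token, never the plaintext
    expires: float   # absolute expiry timestamp
    used: bool = False

class ReAuthService:
    """RBA re-authentication: 'code' = numerical email code, 'link' = magic link token."""
    def __init__(self, history, ttl=600):
        self.history = history   # user -> set of (ip_prefix, user_agent) seen at past logins (assumed features)
        self.ttl = ttl           # seconds a challenge stays valid
        self.pending = {}        # user -> Challenge

    def needs_reauth(self, user, ip_prefix, user_agent):
        # Risk signal: this feature combination never appeared in the user's login history
        return (ip_prefix, user_agent) not in self.history.get(user, set())

    def issue(self, user, variant, now=None):
        now = time.time() if now is None else now
        if variant == "code":
            secret = f"{secrets.randbelow(10**6):06d}"   # 6-digit code the user types in
        elif variant == "link":
            secret = secrets.token_urlsafe(32)            # unguessable token embedded in the link URL
        else:
            raise ValueError(f"unknown variant {variant!r}")
        self.pending[user] = Challenge(_h(secret), now + self.ttl)
        return secret   # delivered to the user by email; returned here so the caller can send it

    def verify(self, user, presented, ip_prefix, user_agent, now=None):
        now = time.time() if now is None else now
        ch = self.pending.get(user)
        if ch is None or ch.used or now > ch.expires:
            return False                     # no, spent, or expired challenge
        ch.used = True                       # one attempt per challenge: blocks replay and guessing
        if not hmac.compare_digest(ch.digest, _h(presented)):
            return False
        # Success: remember the features so the same device/network is trusted next time
        self.history.setdefault(user, set()).add((ip_prefix, user_agent))
        return True
```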

Metadata

Document Type: Conference Object
Language: English
Author: Stephan Wiefling, Tanvi Patil, Markus Dürmuth, Luigi Lo Iacono
Parent Title (English): Hölbl, Rannenberg et al. (Eds.): ICT Systems Security and Privacy Protection. 35th IFIP TC 11 International Conference, SEC 2020, Maribor, Slovenia, September 21–23, 2020, Proceedings
First Page: 280
Last Page: 294
ISBN: 978-3-030-58200-5
URN: urn:nbn:de:hbz:1044-opus-49521
URL: https://riskbasedauthentication.org/usability/re-authentication/
DOI: https://doi.org/10.1007/978-3-030-58201-2_19
ArXiv Id: http://arxiv.org/abs/2008.07795
Publisher: Springer
Place of publication: Cham
Publishing Institution: Hochschule Bonn-Rhein-Sieg
Date of first publication: 2020/09/14
Keywords: Re-authentication; Risk-based Authentication (RBA); Usable Security
Departments, institutes and facilities: Fachbereich Informatik; Institut für Cyber Security & Privacy (ICSP)
Projects: URIA - Usability of Risk-based Implicit Authentication
Dewey Decimal Classification (DDC): 0 Computer science, information science, general works / 00 Computer science, knowledge, systems / 004 Data processing; computer science
Entry in this database: 2020/06/29
Licence (Multiple Languages): In Copyright (Urheberrechtsschutz)