Volltext-Downloads (blau) und Frontdoor-Views (grau)

What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics

  • Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge and implementations that would allow any service provider to roll out RBA protection to its users. To close this gap, we provide a first in-depth analysis of RBA characteristics in a practical deployment. We observed N=780 users with 247 unique features on a real-world online service for over 1.8 years. Based on our collected data set, we provide (i) a behavior analysis of two RBA implementations that were apparently used by major online services in the wild, (ii) a benchmark of the features to extract a subset that is most suitable for RBA use, (iii) a new feature that has not been used in RBA before, and (iv) factors which have a significant effect on RBA performance. Our results show that RBA needs to be carefully tailored to each online service, as even small configuration adjustments can greatly impact RBA's security and usability properties. We provide insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts.

Download full text files

Export metadata

Additional Services

Share in Twitter Search Google Scholar Check availability

Statistics

Show usage statistics
Metadaten
Document Type:Conference Object
Language:English
Author:Stephan WieflingORCiD, Markus Dürmuth, Luigi Lo IaconoORCiD
Parent Title (English):25th International Conference on Financial Cryptography and Data Security (FC '21). March 01-05, 2021. Pre-Proceedings
Pagenumber:23
URN:urn:nbn:de:hbz:1044-opus-53053
URL:https://riskbasedauthentication.org/security/characteristics/
ArXiv Id:http://arxiv.org/abs/2101.10681
Publishing Institution:Hochschule Bonn-Rhein-Sieg
Date of first publication:2021/01/26
Note:
This research was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North Rhine-Westphalia. The Platformfor Scientific Computing was supported by the German Ministry for Education and Research, and the Ministry for Culture and Science of the state North Rhine-Westphalia (research grant 13FH156IN6).
Keyword:Authentication features; Big Data Analysis; Risk-based Authentication (RBA); Usable Security
Departments, institutes and facilities:Fachbereich Informatik
Institut für Cyber Security & Privacy (ICSP)
Projects:EI-HPC - Enabling Infrastructure for HPC-Applications (DE/BMBF/13FH156IN6)
URIA - Usability of Risk-based Implicit Authentication
Dewey Decimal Classification (DDC):0 Informatik, Informationswissenschaft, allgemeine Werke / 00 Informatik, Wissen, Systeme / 005 Computerprogrammierung, Programme, Daten
Entry in this database:2021/01/26
Licence (Multiple Languages):License LogoIn Copyright (Urheberrechtsschutz)