
Privacy Considerations for Risk-Based Authentication Systems

Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than two-factor authentication and just as secure. However, users currently obtain RBA's high security and usability benefits at the cost of exposing potentially sensitive personal data (e.g., IP address or browser information). This conflicts with user privacy and requires considering user rights regarding the processing of personal data. We outline potential privacy challenges regarding different attacker models and propose improvements to balance privacy in RBA systems. To estimate the properties of the privacy-preserving RBA enhancements in practical environments, we evaluated a subset of them with long-term data from 780 users of a real-world online service. Our results show the potential to increase privacy in RBA solutions. However, it is limited to certain parameters that should guide RBA design to protect privacy. We outline research directions that need to be considered to achieve a widespread adoption of privacy-preserving RBA with high user acceptance.

Metadata
Document Type: Conference Object
Language: English
Author: Stephan Wiefling, Jan Tolsdorf, Luigi Lo Iacono
Parent Title (German): 2021 International Workshop on Privacy Engineering (IWPE '21), co-located with 6th IEEE European Symposium on Security and Privacy (EuroS&P '21). September 7, 2021. Vienna, Austria (Online)
Number of pages: 8
First Page: 320
Last Page: 327
ISBN: 978-1-6654-1012-0
ISSN: 2768-0657
URN: urn:nbn:de:hbz:1044-opus-58417
DOI: https://doi.org/10.1109/EuroSPW54576.2021.00040
Publisher: IEEE
Publishing Institution: Hochschule Bonn-Rhein-Sieg
Date of first publication: 2021/10/29
Embargo Date: 2022/10/29
Copyright: © 2022 Stephan Wiefling, Jan Tolsdorf, Luigi Lo Iacono. Open Access version of a paper published at IWPE ’21.
Funding: This research was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North Rhine-Westphalia.
Keyword: Big Data Analysis; Password; Risk-based Authentication; Usable Security and Privacy
Departments, institutes and facilities: Fachbereich Informatik; Institut für Cyber Security & Privacy (ICSP)
Projects: URIA - Usability of Risk-based Implicit Authentication
Dewey Decimal Classification (DDC): 0 Computer science, information, general works / 00 Computer science, knowledge, systems / 005 Computer programming, programs, data
Entry in this database: 2021/09/07
Licence (German): Creative Commons - CC BY - Attribution 4.0 International