More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication
Risk-based Authentication (RBA) is an adaptive security measure that strengthens password-based authentication. RBA monitors additional features during login, and when the observed feature values differ significantly from previously seen ones, users have to provide an additional authentication factor such as a verification code. RBA has the potential to offer more usable authentication, but its usability and the security perceptions it evokes have not been studied well. We present the results of a between-group lab study (n=65) evaluating the usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows, with significant results, that RBA is considered more usable than the studied 2FA variant, while it is perceived as more secure than password-only authentication in general and as comparably secure to 2FA across a variety of application types. We also observed RBA usability problems and provide recommendations for mitigating them. Our contribution provides a first deeper understanding of users' perception of RBA and helps to improve RBA implementations for broader user acceptance.
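The mechanism the abstract sketches (compare the features of the current login with the user's previous logins and demand an additional factor when they differ) can be made concrete with a small scoring function. The following is an added illustration, not the paper's own method or the authors' code: the four features, their weights, the thresholds and the sample login history are all assumptions chosen for the example.

```python
"""Minimal risk-based authentication (RBA) decision, illustrating the
mechanism described in the abstract. Added example, not the paper's code;
features, weights, thresholds and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass

# Assumed features and weights: a new country counts more than a new hour.
FEATURE_WEIGHTS = {"ip_net": 1.0, "country": 2.0, "ua_family": 1.0, "hour_bucket": 0.5}
ALLOW_BELOW = 0.25   # below this score the password alone is accepted
BLOCK_FROM = 0.9     # at or above this score every feature is foreign: refuse


@dataclass(frozen=True)
class Login:
    ip_net: str       # /24 network prefix of the client address
    country: str      # country resolved from the address (GeoIP, assumed)
    ua_family: str    # browser family parsed from the User-Agent header
    hour_bucket: str  # coarse time of day: "night", "day", "evening"


def feature_risk(history, login, feature):
    """1.0 if the observed value never appeared in this user's past logins,
    0.0 if it appeared every time, linear in between."""
    seen = Counter(getattr(h, feature) for h in history)
    return 1.0 - seen[getattr(login, feature)] / len(history)


def risk_score(history, login):
    """Weighted average of the per-feature risks, in [0, 1]."""
    total = sum(w * feature_risk(history, login, f) for f, w in FEATURE_WEIGHTS.items())
    return total / sum(FEATURE_WEIGHTS.values())


def decide(history, login):
    """Return (decision, score). ALLOW: password only; VERIFY: demand the
    additional factor (e.g. a verification code); BLOCK: refuse."""
    if not history:
        # No baseline yet: a fresh account is bootstrapped via the extra factor.
        return "VERIFY", 1.0
    score = risk_score(history, login)
    if score < ALLOW_BELOW:
        return "ALLOW", score
    if score >= BLOCK_FROM:
        return "BLOCK", score
    return "VERIFY", score


def record_success(history, login):
    """After a successful login (including one that passed verification) the
    observed values join the baseline, so the same device scores lower next time."""
    history.append(login)


# Constructed sample history for one user (not real data).
HISTORY = [
    Login("203.0.113.0/24", "DE", "Firefox", "day"),
    Login("203.0.113.0/24", "DE", "Firefox", "day"),
    Login("203.0.113.0/24", "DE", "Firefox", "evening"),
    Login("198.51.100.0/24", "DE", "Chrome", "day"),
]
KNOWN = Login("203.0.113.0/24", "DE", "Firefox", "day")
NEW_NETWORK = Login("192.0.2.0/24", "US", "Firefox", "day")
ALL_FOREIGN = Login("192.0.2.0/24", "US", "Safari", "night")

if __name__ == "__main__":
    for attempt in (KNOWN, NEW_NETWORK, ALL_FOREIGN):
        print(attempt, *decide(HISTORY, attempt))
    # The user passes the verification code from the new network once;
    # the next attempt from there is scored against the updated baseline.
    learned = list(HISTORY)
    record_success(learned, NEW_NETWORK)
    print("after verification:", *decide(learned, NEW_NETWORK))
```

The score is deliberately simple (an unseen value is maximally risky, a value seen in every past login is not risky at all); a production RBA system would use smoothed likelihoods and global popularity of each value rather than raw per-user frequencies, but the decision structure, and the point that the baseline must be updated after a verified login, is the same.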
Document Type: | Conference Object |
---|---|
Language: | English |
Author: | Stephan Wiefling, Markus Dürmuth, Luigi Lo Iacono |
Parent Title (English): | 36th Annual Computer Security Applications Conference (ACSAC '20). December 07-11, 2020 |
First Page: | 203 |
Last Page: | 218 |
ISBN: | 978-1-4503-8858-0 |
URN: | urn:nbn:de:hbz:1044-opus-50707 |
URL: | https://riskbasedauthentication.org/usability/perceptions/ |
DOI: | https://doi.org/10.1145/3427228.3427243 |
ArXiv Id: | http://arxiv.org/abs/2010.00339 |
Publisher: | ACM |
Publishing Institution: | Hochschule Bonn-Rhein-Sieg |
Date of first publication: | 2020/10/01 |
Copyright: | © 2020 Copyright held by the owner/author(s). This is the author’s version of the work. It is posted here for your personal use. Not for redistribution. |
Funding: | This research was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North Rhine-Westphalia. |
Keywords: | Authentication; Password; Risk-based Authentication; Two-factor Authentication; Usable Security |
Departments, institutes and facilities: | Fachbereich Informatik; Institut für Cyber Security & Privacy (ICSP) |
Projects: | URIA - Usability of Risk-based Implicit Authentication |
Dewey Decimal Classification (DDC): | 0 Computer science, information, general works / 00 Computer science, knowledge, systems / 005 Computer programming, programs, data |
Entry in this database: | 2020/10/06 |
Licence (Multiple languages): | In Copyright (Urheberrechtsschutz) |