Volltext-Downloads (blau) und Frontdoor-Views (grau)

Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service

  • Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login, and requests re-authentication when feature values widely differ from those previously observed. It is recommended by various national security organizations, and users perceive it more usable than and equally secure to equivalent two-factor authentication. Despite that, RBA is still used by very few online services. Reasons for this include a lack of validated open resources on RBA properties, implementation, and configuration. This effectively hinders the RBA research, development, and adoption progress. To close this gap, we provide the first long-term RBA analysis on a real-world large-scale online service. We collected feature data of 3.3 million users and 31.3 million login attempts over more than 1 year. Based on the data, we provide (i) studies on RBA’s real-world characteristics plus its configurations and enhancements to balance usability, security, and privacy; (ii) a machine learning–based RBA parameter optimization method to support administrators finding an optimal configuration for their own use case scenario; (iii) an evaluation of the round-trip time feature’s potential to replace the IP address for enhanced user privacy; and (iv) a synthesized RBA dataset to reproduce this research and to foster future RBA research. Our results provide insights on selecting an optimized RBA configuration so that users profit from RBA after just a few logins. The open dataset enables researchers to study, test, and improve RBA for widespread deployment in the wild.

Download full text files

Export metadata

Additional Services

Search Google Scholar Check availability


Show usage statistics
Document Type:Article
Author:Stephan WieflingORCiD, Paul René Jørgensen, Sigurd Thunem, Luigi Lo Iacono
Parent Title (English):ACM Transactions on Privacy and Security
Article Number:6
Number of pages:36
ArXiv Id:http://arxiv.org/abs/2206.15139
Publisher:Association for Computing Machinery
Place of publication:New York, NY, United States
Publishing Institution:Hochschule Bonn-Rhein-Sieg
Date of first publication:2022/06/30
Copyright:© 2022 Copyright held by the owner/author(s).
Funding:This research was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North Rhine-Westphalia. The Platform for Scientific Computing was supported by the German Ministry for Education and Research, and the Ministry for Culture and Science of the state North Rhine-Westphalia (research grant 13FH156IN6).
Keyword:Big Data Analysis; Large-Scale Online Services; Risk-based Authentication
Departments, institutes and facilities:Fachbereich Informatik
Institut für Cyber Security & Privacy (ICSP)
Projects:EI-HPC - Enabling Infrastructure for HPC-Applications (DE/BMBF/13FH156IN6)
Dewey Decimal Classification (DDC):0 Informatik, Informationswissenschaft, allgemeine Werke / 00 Informatik, Wissen, Systeme / 005 Computerprogrammierung, Programme, Daten
Entry in this database:2022/06/30
Licence (German):License LogoCreative Commons - CC BY - Namensnennung 4.0 International