Improving password security

Using strong passwords doesn’t mean that your user account is safe. Large-scale password database leaks and intelligent password guessing attacks can still compromise your accounts.

Risk-based Authentication (RBA) is an approach to improve account security on websites without forcing users to use Two-factor Authentication (2FA).

How does it work?

During login, RBA estimates a risk score based on the login behavior.

On a low risk (e.g. same device as always), access to the website is granted.
On a medium risk (e.g. unknown device), the website asks for additional information to confirm the claimed identity (e.g. confirmation of email address).
On a high risk, access is denied.

A well kept secret

Despite its major importance, online services keep their usage of RBA a secret. For this reason we did black box testing on eight popular online services to find out:

• Are they using RBA?

And if yes:

1. How do they calculate the risk score?
2. What additional authentication factors are they offering?
3. What do the RBA dialogs look like?

Who uses RBA?

We found evidence that Google, Facebook, LinkedIn, Amazon and GOG.com are using it.

Want to know how they are using it?

Check our results page or Read the paper

What can go wrong?

Facebook’s verification code feature leaked the full phone number in our study. We consider this a bad practice and a threat for privacy. In so doing, phone numbers of users can be obtained. Also, attackers can call the number and gain access to the verification code by social engineering.

Thanks to the prompt reaction by Facebook, this vulnerability is now fixed:

• We contacted Facebook about the phone number leak on September 4th, 2018.
• Facebook resolved the issue on September 6th, 2018.