Improving password security

A strong password alone does not make your user account safe. Large-scale leaks of password databases and intelligent password-guessing attacks can still compromise it.

Risk-based Authentication (RBA) is an approach to improving account security on websites without forcing users to use Two-factor Authentication (2FA).

Risk-based Authentication

How does it work?

During login, RBA estimates a risk score from the login behavior, i.e. from how the current attempt (device, location, time and similar features) compares with what the service has seen for this account before.

  • On a low risk (e.g. same device as always), access to the website is granted.
  • On a medium risk (e.g. unknown device), the website asks for additional information to confirm the claimed identity (e.g. a confirmation code sent to the registered email address).
  • On a high risk, access is denied.
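The three-tier decision above, as an added example in Python (it is not code from the study or from any of the services examined, and the features, weights and thresholds are hypothetical): a feature-weighted risk score compared against a low and a high threshold, and a medium-risk challenge that shows only a masked contact hint, since a dialog that shows the full phone number is exactly the leak described under "What can go wrong?" below.

```python
"""Illustrative risk-based authentication (RBA) decision logic.

Added example for this page; not the code of any service studied and not
the paper's algorithm. Features, weights and thresholds are hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    GRANT = "grant"          # low risk: let the login through
    CHALLENGE = "challenge"  # medium risk: ask for an additional factor
    DENY = "deny"            # high risk: refuse the login


@dataclass(frozen=True)
class LoginAttempt:
    """Features observable at login time (hypothetical selection)."""
    device_id: str   # e.g. a cookie or fingerprint set on earlier logins
    country: str     # geolocated from the client IP address
    hour_utc: int    # hour of day of the attempt


@dataclass
class UserHistory:
    """What the service has seen for this account on earlier successful logins."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)
    failed_logins_last_hour: int = 0
    phone: str = ""  # contact channel used for the medium-risk challenge


# Hypothetical weights; a real deployment would fit these to its own login data.
WEIGHTS = {
    "unknown_device": 0.45,
    "unknown_country": 0.35,
    "unusual_hour": 0.10,
    "failed_login": 0.05,  # per recent failed attempt, capped below
}
MAX_FAILURE_CONTRIBUTION = 0.20
LOW_THRESHOLD = 0.30   # score below this: grant
HIGH_THRESHOLD = 0.70  # score at or above this: deny


def risk_score(attempt: LoginAttempt, history: UserHistory) -> float:
    """Sum the weights of the features that deviate from the account's history."""
    score = 0.0
    if attempt.device_id not in history.known_devices:
        score += WEIGHTS["unknown_device"]
    if attempt.country not in history.known_countries:
        score += WEIGHTS["unknown_country"]
    if attempt.hour_utc not in history.usual_hours:
        score += WEIGHTS["unusual_hour"]
    score += min(history.failed_logins_last_hour * WEIGHTS["failed_login"],
                 MAX_FAILURE_CONTRIBUTION)
    return round(min(score, 1.0), 2)


def mask_phone(phone: str) -> str:
    """Hint for the challenge dialog: last two digits behind a fixed-length mask.

    The fixed mask length reveals neither the number nor its length (and so not
    the country code either); only the two digits the user needs to recognise
    which of their numbers will receive the code are shown.
    """
    digits = "".join(c for c in phone if c.isdigit())
    if len(digits) < 2:
        return "***"
    return "***" + digits[-2:]


def decide(attempt: LoginAttempt, history: UserHistory) -> tuple[Decision, dict]:
    """Map the risk score to one of the three RBA outcomes."""
    score = risk_score(attempt, history)
    if score < LOW_THRESHOLD:
        return Decision.GRANT, {"score": score}
    if score < HIGH_THRESHOLD:
        # Only the masked hint of the contact channel goes into the dialog.
        return Decision.CHALLENGE, {"score": score, "factor": "sms_code",
                                    "hint": mask_phone(history.phone)}
    return Decision.DENY, {"score": score}


def record_success(attempt: LoginAttempt, history: UserHistory) -> None:
    """After a granted login or a passed challenge, the attempt's features become known."""
    history.known_devices.add(attempt.device_id)
    history.known_countries.add(attempt.country)
    history.usual_hours.add(attempt.hour_utc)
    history.failed_logins_last_hour = 0


if __name__ == "__main__":
    # Constructed sample account: one known laptop in DE, logins around 08-10 UTC.
    hist = UserHistory({"laptop-1"}, {"DE"}, {8, 9, 10}, phone="+4915112345678")
    print(decide(LoginAttempt("laptop-1", "DE", 9), hist))  # grant
    print(decide(LoginAttempt("phone-2", "DE", 9), hist))   # challenge, hint ***78
    print(decide(LoginAttempt("phone-2", "US", 3), hist))   # deny
```

The weights are additive for readability; a production system would rather estimate the probability that the observed features belong to the legitimate user and set the thresholds from its own false-accept and false-reject rates. Note that `record_success` is what makes the scheme usable: once a challenge has been passed, the new device and location are added to the account's history so the next login from them is low risk.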

A well-kept secret

Despite its importance, online services keep their use of RBA secret. We therefore black-box tested eight popular online services to find out:

  • Are they using RBA?

And if yes:

  1. How do they calculate the risk score?
  2. What additional authentication factors are they offering?
  3. What do the RBA dialogs look like?

Risk-based Authentication dialog of LinkedIn

Who uses RBA?

We found evidence that Google, Facebook, LinkedIn, Amazon and GOG.com are using it.

Want to know how they are using it?

Check our results page or

What can go wrong?

In our study, Facebook’s verification code dialog displayed the user’s full phone number. We consider this bad practice and a threat to privacy: an attacker who triggers the dialog for a victim’s account learns the victim’s phone number, and can then call that number and obtain the verification code by social engineering.

Thanks to Facebook’s prompt reaction, this vulnerability is now fixed:

  • We contacted Facebook about the phone number leak on September 4th, 2018.
  • Facebook resolved the issue on September 6th, 2018.

Technical Paper

The paper was accepted at IFIP SEC 2019.

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
Stephan Wiefling, Luigi Lo Iacono and Markus Dürmuth


If you would like to cite the paper, please use the following BibTeX entry:

@inproceedings{Wiefling2019,
  author = {Wiefling, Stephan and Lo Iacono, Luigi and D\"{u}rmuth, Markus},
  title = {Is {This} {Really} {You}? {An} {Empirical} {Study} on {Risk}-{Based} {Authentication} {Applied} in the {Wild}},
  booktitle = {34th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2019)},
  series = {{IFIP} {Advances} in {Information} and {Communication} {Technology}},
  volume = {562},
  pages = {134--148},
  isbn = {978-3-030-22311-3},
  doi = {10.1007/978-3-030-22312-0_10},
  publisher = {Springer International Publishing},
  location = {Lisbon, Portugal},
  month = jun,
  year = {2019}
}