Overview

Risk-Based Authentication (RBA) is an approach to improve account security on websites without forcing users to use Two-Factor Authentication (2FA). This technology is getting more and more important. It is also more usable than comparable 2FA methods.

During login, RBA estimates a risk score based on features describing the login behavior.

On a low risk (e.g., same device as always), the website grants access. On a medium risk (e.g., unknown device), the website asks for additional information to prove the claimed identity.

Risk-Based Authentication

Sign in dialog

RBA at Scale

Our previous research showed that RBA can achieve good security and privacy properties on a small online service. But:

How does RBA behave on a large-scale online service with millions of users? And how can RBA be optimized for these services to achieve high usability, security, and privacy?

To answer these questions, we studied 31.3M login attempts and 3.3M users over more than one year at a single sign-on online service.

Sign in dialog

Findings

  • We can confirm that RBA rarely requests re-authentication in practice, even when blocking more than 99% of targeted attackers. RBA can even detect a high number of very targeted account takeover attempts.

  • The RBA behavior strongly depends on the users’ login frequencies.

  • To increase privacy, login history entries older than six months can be removed without having a great impact on usability.

  • Attack data should be used only with caution or not at all, as these can greatly decrease the usability and security properties.

Graph showing different RBA behavior based on the login frequency

RTT values measured for Europe

Consider Round-Trip Time For More Privacy

Instead of storing the user’s IP address, the server originated Round-Trip Time (RTT) could be used as a feature instead. This can increase privacy.

Our tests with mobile users showed that the RTT is a promising RBA feature to verify regions and to identify users while increasing user privacy.

RTT values measured for Europe

Speed Up

The online service processed 74.8K login attempts per day. Using non-optimized RBA was potentially vulnerable to denial of service in such use cases.

To mitigate this, and to considerably shorten the authentication time, one should consider optimizing the RBA algorithm using efficient data structures such as hash tables. This resulted in a 28x speed up here.

Graph showing the login count at the online service

Journal Article

You can find more details in our publication below.

The paper is published in ACM TOPS.

Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service
Stephan Wiefling, Paul René Jørgensen, Sigurd Thunem, and Luigi Lo Iacono
   
Abstract

Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login, and requests re-authentication when feature values widely differ from previously observed ones. It is recommended by various national security organizations, and users perceive it more usable and equally secure than equivalent two-factor authentication. Despite that, RBA is still only used by very few online services. Reasons for this include a lack of validated open resources on RBA properties, implementation, and configuration. This effectively hinders the RBA research, development, and adoption progress.

To close this gap, we provide the first long-term RBA analysis on a real-world large-scale online service. We collected feature data of 3.3 million users and 31.3 million login attempts over more than one year. Based on the data, we provide (i) studies on RBA's real-world characteristics, and its configurations and enhancements to balance usability, security, and privacy, (ii) a machine learning based RBA parameter optimization method to support administrators finding an optimal configuration for their own use case scenario, (iii) an evaluation of the round-trip time feature's potential to replace the IP address for enhanced user privacy, and (iv) a synthesized RBA data set to reproduce this research and to foster future RBA research. Our results provide insights on selecting an optimized RBA configuration so that users profit from RBA after just a few logins. The open data set enables researchers to study, test, and improve RBA for widespread deployment in the wild.

If you like to cite the paper, please use the following BibTeX entry:

@article{Wiefling_Pump_2022,
  author = {Wiefling, Stephan and Jørgensen, Paul René and Thunem, Sigurd and {Lo Iacono}, Luigi},
  title  = {Pump {Up} {Password} {Security}! {Evaluating} and {Enhancing} {Risk}-{Based} {Authentication} on a {Real}-{World} {Large}-{Scale} {Online} {Service}},
  journal = {{ACM} {Transactions} on {Privacy} and {Security}},
  doi = {10.1145/3546069},
  publisher = {ACM},
  volume = {26},
  number = {1},
  articleno = {6},
  issn = {2471-2566},
  month = feb,
  year   = {2023}
}


Data Set

To address the current lack of high quality open data for RBA research, we provide a synthesized RBA data set. You can use the data set for your own projects. The synthesized data set resembles the statistical properties of our original data set that we had to delete for privacy reasons.

Feel free to use this data set to research, test, and improve RBA solutions. Please cite our publication when doing so.

This data set won the Open Data Impact Award 2022 by the German Stifterverband.