Risk-Based Authentication (RBA) Goes Open Source

Like to put RBA into practice? Then you should check out our open source RBA implementations.

We wrote a plugin for the cloud management software OpenStack, which you can integrate into your own software solutions. This is the first known RBA plugin, and based a scientifically evaluated algorithm.
OpenStack Plugin
We provide our reference implementation as a Jupyter Notebook, which we used to evaluate RBA with real-world datasets.
Reference Implementation

Risk-Based Authentication Dialog in OpenStack when using our plugin

Technical Paper

Our publication provide more information on how to integrate the software, and the pitfalls that we discovered when working on putting RBA algorithms into software projects.

The paper is published at ACM CODASPY ‘23’.

Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example

Vincent Unsel, Stephan Wiefling, Nils Gruschka, and Luigi Lo Iacono

Read the paper Source Code Abstract

Abstract

Online services have difficulties to replace passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing.

Risk-Based Authentication (RBA) can serve as an interim solution to increase password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice can be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, which is the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers.

If you like to cite the paper, please use the following BibTeX entry:

@inproceedings{Unsel_Risk_2023,
  title = {{Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example}},
  author = {Unsel, Vincent and Wiefling, Stephan and Gruschka, Nils and Lo Iacono, Luigi},
  booktitle = {{13th ACM Conference on Data and Application Security and Privacy}},
  year = {2023},
  series = {{CODASPY} '23},
  location = {Charlotte, NC, USA},
  publisher = {ACM},
  pages = {237–-243},
  doi = {10.1145/3577923.35836},
  month = apr,
  year = {2023}
}