Stephan Wiefling, Jan Tolsdorf, and Luigi Lo Iacono
H‑BRS University of Applied Sciences
& Ruhr University Bochum
Summary: Online services use Risk-Based Authentication (RBA) to protect their users against attacks involving stolen passwords. But they currently collect potentially sensitive data to achieve this (e.g., IP addresses). Thus, we proposed and partially tested five measures to enhance privacy in RBA.
Paper Overview Talk Large-scale online services use Risk-Based Authentication (RBA) to protect users against attacks involving stolen passwords. This technology is getting more and more important. It is also more usable than comparable 2FA methods.
During login, RBA estimates a risk score based on features describing the login behavior.
On a low risk (e.g., same device as always), the website grants access. On a medium risk (e.g., unknown device), the website asks for additional information to confirm the claimed identity.
Users currently obtain RBA’s high security and usability benefits at the cost of disclosing potentially sensitive data. This requires to consider user rights regarding the processing of personal data.
Moreover, user privacy is at risk when RBA databases are forwarded or breached, as additional data besides usernames would potentially allow to identify individuals.
We propose, discuss, and partially tested five privacy considerations that can be used in RBA systems. We also tested a subset of them on real-world data.
The results show that there is potential to increase privacy in RBA solutions. However, it is limited to certain parameters that should guide RBA design to protect privacy.
You can find more details in our publication below.
The paper is published at IWPE ‘21.
Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than Two-Factor Authentication and just as secure. However, users currently obtain RBA's high security and usability benefits at the cost of exposing potentially sensitive personal data (e.g., IP address or browser information). This conflicts with user privacy and requires to consider user rights regarding the processing of personal data.
We outline potential privacy challenges regarding different attacker models and propose improvements to balance privacy in RBA systems. To estimate the properties of the privacy-preserving RBA enhancements in practical environments, we evaluated a subset of them with long-term data from 780 users of a real-world online service. Our results show the potential to increase privacy in RBA solutions. However, it is limited to certain parameters that should guide RBA design to protect privacy. We outline research directions that need to be considered to achieve a widespread adoption of privacy preserving RBA with high user acceptance.
If you like to cite the paper, please use the following BibTeX entry:
@inproceedings{Wiefling_Privacy_2021,
author = {Wiefling, Stephan and Tolsdorf, Jan and Lo Iacono, Luigi},
title = {{Privacy} {Considerations} for {Risk}-{Based} {Authentication} {Systems}},
booktitle = {2021 {International} {Workshop} on {Privacy} {Engineering}},
series = {{IWPE} '21},
location = {Vienna, Austria},
doi = {10.1109/EuroSPW54576.2021.00040},
pages = {320--327},
publisher = {{IEEE}},
month = sep,
year = {2021}
}