We Published a Lot of Papers and Articles on Risk-Based Authentication

Here's an overview of them all, which you can download here. We also offer summaries of the papers on our website. Just use the navigation bar at the top of the page.


Dissertation

Usability, Security, and Privacy of Risk-Based Authentication
Stephan Wiefling
Dissertation, Ruhr University Bochum
 
Abstract

Weaknesses in password-based authentication have always undermined password security, especially since the rise of large data breaches. Credential stuffing and password spraying attacks automatically try leaked login credentials (username and password) on a vast number of websites worldwide, in the hope that users re-used them. Other attacks involving machine learning can use leaked credentials to guess passwords more efficiently. To protect their users against such attacks, and to increase the cost for attackers, popular online services started using risk-based authentication (RBA). This decision was made because more than 90% of their users still decline to opt in to two-factor (2FA) or multi-factor authentication (MFA) schemes. RBA can increase the protection of these users until more secure authentication methods are in place.

RBA is an adaptive approach to strengthen password-based authentication. It monitors a set of features related to the login behavior during password entry, e.g., the IP address and the user agent string. When the observed feature values differ significantly from those of previous legitimate logins, RBA requests additional information from the user to prove the claimed identity, e.g., by verifying the email address registered to the account. Government agencies such as NIST (USA), NCSC (UK), and ACSC (AU) recommend RBA to protect users against attacks involving stolen passwords, and a US presidential executive order requires it for federal agencies. Despite this, RBA suffered from a lack of open knowledge: little or no research had been done on its usability, security, and privacy properties. Understanding these aspects is, however, important to achieve widespread adoption in practice.
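The mechanism described in this paragraph (compare a login's feature values against the user's previous legitimate logins, and request re-authentication when they deviate) can be illustrated with a deliberately small scoring model. The code below is an added example written for this page; it is not code from the thesis, not one of the two RBA models it evaluated, and not the Freeman et al. algorithm. It assumes just two features (the IP address coarsened to a network prefix, and the user agent string), additive smoothing, equal feature weights, and a fixed re-authentication threshold; all of these are assumptions, and the threshold in particular would have to be tuned per service.

```python
"""Added example: a simplified feature-frequency risk score for RBA.

Assumptions (illustrative, not from the thesis): two features, additive
smoothing, equal weights, one fixed threshold. Real deployments use many
more features and service-specific tuning.
"""
import ipaddress

FEATURES = ("ip_prefix", "user_agent")
REAUTH_THRESHOLD = 0.4   # assumed; must be tuned per service
SMOOTHING = 0.5          # additive smoothing: an unseen value never scores exactly 0


def extract_features(ip: str, user_agent: str) -> dict:
    """Reduce the raw login context to comparable feature values.

    IPv4 addresses are coarsened to their /24 prefix (IPv6 to /48) so that a
    dynamic address inside the same ISP block still matches the user's history.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return {"ip_prefix": str(net), "user_agent": user_agent}


def feature_probability(history: list, name: str, value) -> float:
    """Smoothed fraction of previous legitimate logins that had this value."""
    n = len(history)
    count = sum(1 for h in history if h[name] == value)
    return (count + SMOOTHING) / (n + 2 * SMOOTHING)


def risk_score(history: list, login: dict) -> float:
    """0.0 = every feature matches the user's history, 1.0 = nothing matches."""
    if not history:
        return 1.0   # first login: nothing to compare against, treat as risky
    surprises = [1.0 - feature_probability(history, f, login[f]) for f in FEATURES]
    return sum(surprises) / len(surprises)


def decide(history: list, login: dict) -> tuple:
    """Return ("accept" | "reauth", score) for one login attempt."""
    score = risk_score(history, login)
    return ("reauth" if score >= REAUTH_THRESHOLD else "accept", score)


def record_login(history: list, login: dict, max_len: int = 100) -> None:
    """Append a login that succeeded (including after re-authentication) so the
    model learns the user's legitimate contexts; bounded so history cannot grow
    without limit."""
    history.append(login)
    del history[:-max_len]


def sample_history() -> list:
    """Constructed sample data: ten earlier logins from one home network and one browser."""
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"
    return [extract_features(f"203.0.113.{i}", ua) for i in range(10, 20)]


if __name__ == "__main__":
    history = sample_history()
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"
    # Same network and browser as before: accepted without any extra step.
    print(decide(history, extract_features("203.0.113.77", ua)))
    # Correct password, but a new network and a new client: re-authentication.
    print(decide(history, extract_features("198.51.100.7", "curl/8.0")))
    # Same network, unknown client: still above the threshold.
    print(decide(history, extract_features("203.0.113.77", "curl/8.0")))
```

The point to take from the example is the trade-off the thesis studies: the threshold and the smoothing decide how often legitimate users are asked to re-authenticate versus how many attackers with a valid password are stopped, and only successful logins should ever be fed back into the history.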

This thesis aims to provide a broad understanding of RBA. To achieve this, I designed, conducted, and evaluated a series of six experimental and user studies. The first study black-box tested eight popular online services to determine RBA's state of practice. These findings formed the foundation of the subsequent studies, which investigated a wide range of RBA aspects.

The first set of studies focused on the human aspects of RBA, investigating its usability and security perceptions. A lab study involving 65 participants showed that users found RBA significantly more usable than classical 2FA and comparably secure in many use case scenarios, e.g., social media and online shopping websites. The study also identified potential usability problems, such as users being locked out when the provider of the email address used for verification itself requests verification. To address these problems, online services should actively communicate their use of RBA to increase user awareness. An online study involving 592 participants furthermore showed that the current re-authentication practice can be improved with a new code-based variant, which shows the email verification code in both the subject line and the body. Link-based re-authentication using "magic links", in contrast, made users significantly more anxious than the code-based variants.

The subsequent studies focused on technical aspects of RBA systems, using real-world usage data. The first of these collected login feature data of 780 users over more than 1.8 years on a real-world online service. Based on the collected data, it evaluated the two RBA models used by the majority of deployments in practice and extracted a list of features that provide good usability and security. The results show that RBA rarely requests re-authentication in practice, even when blocking a very high percentage of targeted attackers. This means that RBA can block attackers who know the victim's password and use the same location, browser, and operating system, without legitimate users noticing any difference in the online service's authentication behavior.

To obtain RBA's security and usability gain, however, users currently need to provide potentially sensitive data. As this might conflict with user privacy, the follow-up study identified potential challenges that could arise with RBA usage. To address these challenges, the work proposed and tested five improvements that can balance privacy in RBA systems.

The last study evaluated and improved RBA's usability, security, and privacy aspects on a real-world large-scale online service with 3.3 million users. The online service was part of the publicly listed multinational telecommunications company Telenor. Its RBA behavior was analyzed based on feature data of 31.3 million login attempts collected over more than one year. The analysis also considered the login frequency and learning from failed login attempts. The work further evaluated the potential of a server-originated round-trip time feature, introduced and proposed in this thesis, as a privacy-enhancing alternative to the IP address. Beyond that, enhancements are proposed to speed up the RBA authentication time and to help administrators find an optimal RBA setup.

The results of this thesis enable developers, administrators, and researchers to create privacy-enhanced RBA solutions that strengthen password-based authentication while being accepted by users. To foster RBA research and development, I provide a synthesized data set that resembles the login behavior at the large-scale online service. The work further supports practitioners with the results and innovations researched and developed as part of this thesis: popular open source software, such as the cloud computing platform OpenStack, was extended and equipped with RBA functionality. To increase public RBA awareness, I also established and operated an RBA website providing information to the public.


Large Scale Online Service

Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service
Stephan Wiefling, Paul René Jørgensen, Sigurd Thunem, and Luigi Lo Iacono
ACM Transactions on Privacy and Security. Winner of the Open Data Impact Award 2022.
   
Abstract

Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login and requests re-authentication when feature values differ widely from previously observed ones. It is recommended by various national security organizations, and users perceive it as more usable than, and equally secure as, equivalent two-factor authentication. Despite that, RBA is still used by only very few online services. Reasons for this include a lack of validated open resources on RBA properties, implementation, and configuration, which effectively hinders RBA research, development, and adoption.

To close this gap, we provide the first long-term RBA analysis on a real-world large-scale online service. We collected feature data of 3.3 million users and 31.3 million login attempts over more than one year. Based on the data, we provide (i) studies on RBA's real-world characteristics, and its configurations and enhancements to balance usability, security, and privacy, (ii) a machine learning based RBA parameter optimization method to support administrators in finding an optimal configuration for their own use case scenario, (iii) an evaluation of the round-trip time feature's potential to replace the IP address for enhanced user privacy, and (iv) a synthesized RBA data set to reproduce this research and to foster future RBA research. Our results provide insights on selecting an optimized RBA configuration so that users profit from RBA after just a few logins. The open data set enables researchers to study, test, and improve RBA for widespread deployment in the wild.


Privacy

Privacy Considerations for Risk-Based Authentication Systems
Stephan Wiefling, Jan Tolsdorf, and Luigi Lo Iacono
IWPE '21, co-located with IEEE EuroS&P '21
 
Abstract

Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than Two-Factor Authentication and just as secure. However, users currently obtain RBA's high security and usability benefits at the cost of exposing potentially sensitive personal data (e.g., IP address or browser information). This conflicts with user privacy and requires considering user rights regarding the processing of personal data.

We outline potential privacy challenges regarding different attacker models and propose improvements to balance privacy in RBA systems. To estimate the properties of the privacy-preserving RBA enhancements in practical environments, we evaluated a subset of them with long-term data from 780 users of a real-world online service. Our results show the potential to increase privacy in RBA solutions. However, this potential is limited to certain parameters, which should guide RBA design to protect privacy. We outline research directions that need to be considered to achieve a widespread adoption of privacy-preserving RBA with high user acceptance.


Security

What's in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics
Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono
FC '21
 
Abstract

Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge and implementations that would allow any service provider to roll out RBA protection to its users.

To close this gap, we provide a first in-depth analysis of RBA characteristics in a practical deployment. We observed N=780 users with 247 unique features on a real-world online service for over 1.8 years. Based on our collected data set, we provide (i) a behavior analysis of two RBA implementations that were apparently used by major online services in the wild, (ii) a benchmark of the features to extract a subset that is most suitable for RBA use, (iii) a new feature that has not been used in RBA before, and (iv) factors which have a significant effect on RBA performance. Our results show that RBA needs to be carefully tailored to each online service, as even small configuration adjustments can greatly impact RBA's security and usability properties. We provide insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts.


Usability

Verify It’s You: How Users Perceive Risk-Based Authentication
Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono
IEEE Security and Privacy (November/December '21)
 
Abstract

Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication against account takeover attacks. Our study on 65 participants shows that users find RBA more usable than Two-Factor Authentication equivalents and more secure than password-only authentication. We identify pitfalls and provide guidelines for putting RBA into practice.

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-Based Authentication
Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono
ACSAC '20
 
Abstract

Risk-Based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.

We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variant, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users' perception of RBA and helps to improve RBA implementations for a broader user acceptance.

Evaluation of Risk-Based Re-Authentication Methods
Stephan Wiefling, Tanvi Patil, Markus Dürmuth, and Luigi Lo Iacono
IFIP SEC '20
 
Abstract

Risk-Based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA's time exposure and usability, these aspects had not been studied so far.

We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a between-group study (N=592) to evaluate these three approaches. Our observations show with significant results that there is potential to speed up the RBA re-authentication process without reducing either its security properties or its security perception. The link-based re-authentication via "magic links", however, makes users significantly more anxious than the code-based approaches when encountered for the first time. Our evaluations underline the fact that RBA re-authentication is not a uniform procedure. We summarize our findings and provide recommendations.


State of Practice

Risk-Based Authentication

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
Stephan Wiefling, Luigi Lo Iacono, and Markus Dürmuth
IFIP SEC '19
 
Abstract

Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA.

In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps foster further research in this direction.

HTTP Client Hints

A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web
Stephan Wiefling, Marian Hönscheid, Luigi Lo Iacono
ARES '24
 
Abstract

HTTP client hints are a set of standardized HTTP request headers designed to modernize and potentially replace the traditional user agent string. While the user agent string exposes a wide range of information about the client's browser and device, client hints provide a controlled and structured approach for clients to selectively disclose their capabilities and preferences to servers. Essentially, client hints aim at more effective and privacy-friendly disclosure of browser or client properties than the user agent string.

We present a first long-term study of the use of HTTP client hints in the wild. We found that despite being implemented in almost all web browsers, server-side usage of client hints remains generally low. However, in the context of third-party websites, which are often linked to trackers, the adoption rate is significantly higher. This is concerning because client hints allow the retrieval of more data from the client than the user agent string provides, and there are currently no mechanisms for users to detect or control this potential data leakage. Our work provides valuable insights for web users, browser vendors, and researchers by exposing potential privacy violations via client hints and providing help in developing remediation strategies as well as further research.
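To make the preceding abstract concrete for someone running a web server or auditing a third-party script, the following is an added example (not code from the ARES '24 paper) that parses the client hint headers a server actually receives and lists which high-entropy hints an `Accept-CH` response header asks the browser to send on later requests. The header names and the split into low-entropy hints (sent by default) and high-entropy hints (only sent after the server opts in via `Accept-CH`) follow the User-Agent Client Hints specification as the author of this example understands it; the sample headers are constructed, not captured traffic, and the GREASE detection is a heuristic, not part of any standard.

```python
"""Added example: parsing HTTP client hint headers server-side.

Header names and the low/high-entropy split follow the UA Client Hints spec
(assumption of this example). Sample headers are constructed, not captured.
"""

# Sent by browsers by default (low entropy); everything else needs Accept-CH.
LOW_ENTROPY_UA_HINTS = {"sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"}
HIGH_ENTROPY_UA_HINTS = {
    "sec-ch-ua-arch", "sec-ch-ua-bitness", "sec-ch-ua-full-version-list",
    "sec-ch-ua-model", "sec-ch-ua-platform-version", "sec-ch-ua-wow64",
}


def _read_quoted(s: str, i: int) -> tuple:
    """Read an RFC 8941 sf-string starting at s[i] == '"'; return (text, next index)."""
    if s[i] != '"':
        raise ValueError(f"expected '\"' at offset {i}")
    i += 1
    out = []
    while i < len(s):
        c = s[i]
        if c == "\\":                     # backslash escape: \" or \\
            if i + 1 >= len(s):
                raise ValueError("dangling escape")
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted string")


def parse_sec_ch_ua(value: str) -> list:
    """Parse Sec-CH-UA / Sec-CH-UA-Full-Version-List into [(brand, version), ...].

    Format: an sf-list of sf-strings, each with a v="..." parameter, e.g.
      "Chromium";v="110", "Not A(Brand";v="24"
    """
    brands = []
    i, n = 0, len(value)
    while i < n:
        while i < n and value[i] in " \t,":   # skip separators
            i += 1
        if i >= n:
            break
        brand, i = _read_quoted(value, i)
        version = ""
        while i < n and value[i] in " \t":
            i += 1
        while i < n and value[i] == ";":      # parameters: ;key=value
            i += 1
            j = i
            while j < n and value[j] not in "=;,":
                j += 1
            key, i = value[i:j].strip(), j
            param = ""
            if i < n and value[i] == "=":
                i += 1
                if i < n and value[i] == '"':
                    param, i = _read_quoted(value, i)
                else:                         # bare token or number parameter
                    j = i
                    while j < n and value[j] not in ";,":
                        j += 1
                    param, i = value[i:j].strip(), j
            if key == "v":
                version = param
            while i < n and value[i] in " \t":
                i += 1
        brands.append((brand, version))
    return brands


def is_grease_brand(brand: str) -> bool:
    """Heuristic: Chromium inserts intentionally bogus brands ("Not A(Brand", ...)
    so servers cannot rely on a fixed list; they carry unusual punctuation."""
    return any(ch in brand for ch in "()[]{}:;<>/?_.")


def parse_sf_boolean(value: str) -> bool:
    """Sec-CH-UA-Mobile is an sf-boolean: ?1 (mobile) or ?0."""
    v = value.strip()
    if v == "?1":
        return True
    if v == "?0":
        return False
    raise ValueError(f"not an sf-boolean: {value!r}")


def parse_sf_string(value: str) -> str:
    """Sec-CH-UA-Platform and similar hints are a single sf-string, e.g. "Windows"."""
    text, end = _read_quoted(value.strip(), 0)
    if end != len(value.strip()):
        raise ValueError("trailing data after sf-string")
    return text


def requested_high_entropy_hints(accept_ch: str) -> set:
    """Which high-entropy UA hints does an Accept-CH response header ask for?
    A server that sets these (e.g. a third-party tracker) receives them on
    subsequent requests without any user-visible prompt."""
    names = {t.strip().lower() for t in accept_ch.split(",") if t.strip()}
    return names & HIGH_ENTROPY_UA_HINTS


def summarize_request(headers: dict) -> dict:
    """Summarize the client hints present in one request's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = parse_sec_ch_ua(h.get("sec-ch-ua", ""))
    return {
        "brands": [b for b in ua if not is_grease_brand(b[0])],
        "mobile": parse_sf_boolean(h["sec-ch-ua-mobile"]) if "sec-ch-ua-mobile" in h else None,
        "platform": parse_sf_string(h["sec-ch-ua-platform"]) if "sec-ch-ua-platform" in h else None,
        "high_entropy_present": sorted(k for k in h if k in HIGH_ENTROPY_UA_HINTS),
    }


SAMPLE_REQUEST_HEADERS = {  # constructed for this example
    "Sec-CH-UA": '"Chromium";v="110", "Google Chrome";v="110", "Not A(Brand";v="24"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Windows"',
    "Sec-CH-UA-Platform-Version": '"15.0.0"',
}

if __name__ == "__main__":
    print(summarize_request(SAMPLE_REQUEST_HEADERS))
    print(requested_high_entropy_hints("Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Arch"))
```

Run over real server logs, the `high_entropy_present` field shows which requests carried more than the default hints, and `requested_high_entropy_hints` applied to third-party responses shows who asked for them; that is the server-side visibility the abstract notes users currently lack.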

Risk-Based Account Recovery

Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication
Andre Büttner, Andreas Thue Pedersen, Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono
UbiSec '23
 
Abstract

Risk-based authentication (RBA) is used in online services to protect user accounts from unauthorized takeover. RBA commonly uses contextual features that indicate a suspicious login attempt when the characteristic attributes of the login context deviate from known and thus expected values. Previous research on RBA and anomaly detection in authentication has mainly focused on the login process. However, recent attacks have revealed vulnerabilities in other parts of the authentication process, specifically in the account recovery function. Consequently, to ensure comprehensive authentication security, the use of anomaly detection in the context of account recovery must also be investigated.

This paper presents the first study to investigate risk-based account recovery (RBAR) in the wild. We analyzed the adoption of RBAR by five prominent online services (that are known to use RBA). Our findings confirm the use of RBAR at Google, LinkedIn, and Amazon. Furthermore, we provide insights into the different RBAR mechanisms of these services and explore the impact of multi-factor authentication on them. Based on our findings, we create a first maturity model for RBAR challenges. The goal of our work is to help developers, administrators, and policy-makers gain an initial understanding of RBAR and to encourage further research in this direction.


Open Source Software

RBA Plugin for OpenStack

Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example
Vincent Unsel, Stephan Wiefling, Nils Gruschka, and Luigi Lo Iacono
CODASPY '23
   
Abstract

Online services have difficulties replacing passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing.

Risk-Based Authentication (RBA) can serve as an interim solution to increase password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice can be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, which is the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers.

Black-Box Testing Tool (HOSIT)

Even Turing Should Sometimes Not Be Able To Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services
Stephan Wiefling, Nils Gruschka, and Luigi Lo Iacono
NordSec '19
 
Abstract

Online services such as social networks, online shops, and search engines deliver different content to users depending on their location, browsing history, or client device. Since these services have a major influence on opinion forming, understanding their behavior from a social science perspective is of the greatest importance. In addition, technical aspects of services such as security or privacy are becoming more and more relevant for users, providers, and researchers. Due to the lack of essential data sets, automatic black box testing of online services is currently the only way for researchers to investigate these services in a methodical and reproducible manner. However, automatic black box testing of online services is difficult since many of them try to detect and block automated requests to prevent bots from accessing them.

In this paper, we introduce a testing tool that allows researchers to create and automatically run experiments for exploratory studies of online services. The testing tool performs programmed user interactions in such a manner that it can hardly be distinguished from a human user. To evaluate our tool, we conducted, among other things, a large-scale research study on Risk-based Authentication (RBA), which required human-like behavior from the client. We were able to circumvent the bot detection of the investigated online services with the experiments. As this demonstrates the potential of the presented testing tool, it remains the responsibility of its users to balance the conflicting interests between researchers and service providers as well as to check whether their research programs remain undetected.