Risk-Based Authentication (RBA) is an approach to improve account security on websites without forcing users to use Two-Factor Authentication (2FA). This technology is getting more and more important. It is also more usable than comparable 2FA methods.

During login, RBA estimates a risk score based on features describing the login behavior.

On a low risk (e.g., same device as always), the website grants access. On a medium risk (e.g., unknown device), the website asks for additional information to confirm the claimed identity.

Risk-Based Authentication

Sign in dialog

Observing RBA Behavior in Practice

How often does RBA request re-authentication in practice? And which configurations are useful for RBA?

We observed 780 users on a real-world online service for over 1.8 years to find out more.

Based on the data, we determined how often RBA requests legitimate users for re-authentication. We also tested 247 features regarding their RBA security and usability.

Sign in dialog


Our results show that RBA can achieve very low re-authentication rates for legitimate users, even when blocking more than 99.45% of targeted attackers.

Also, only few features qualified for RBA. Among them was a new developed feature based on the Round Trip Time (RTT).

Here are the server originated features which are hard to spoof:

  • IP address
  • Round Trip Time (three variations)
  • Region, Autonomous System Number (ASN)
  • Hour, Weekday and hour

The other client-based features can be found in the paper.

The results show that online services do not need to collect many features to achieve good security and usability in terms of RBA.

Average re-authentication count for a tested RBA algorithm

Technical Paper

You can find more details in our publication below.

The paper is published at FC 2021.

What's in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics
Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono

Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge and implementations that would allow any service provider to roll out RBA protection to its users.

To close this gap, we provide a first in-depth analysis of RBA characteristics in a practical deployment. We observed N=780 users with 247 unique features on a real-world online service for over 1.8 years. Based on our collected data set, we provide (i) a behavior analysis of two RBA implementations that were apparently used by major online services in the wild, (ii) a benchmark of the features to extract a subset that is most suitable for RBA use, (iii) a new feature that has not been used in RBA before, and (iv) factors which have a significant effect on RBA performance. Our results show that RBA needs to be carefully tailored to each online service, as even small configuration adjustments can greatly impact RBA's security and usability properties. We provide insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts.

If you like to cite the paper, please use the following BibTeX entry:

  author = {Wiefling, Stephan and D\"{u}rmuth, Markus and Lo Iacono, Luigi},
  title = {What’s in {Score} for {Website} {Users}: {A} {Data}-{Driven} {Long}-{Term} {Study} on {Risk}-{Based} {Authentication} {Characteristics}},
  booktitle = {25th {International} {Conference} on {Financial} {Cryptography} and {Data} {Security}},
  series = {{FC} '21},
  location = {Grenada},
  publisher = {Springer},
  doi = {10.1007/978-3-662-64331-0_19},
  pages = {361--381},
  month = mar,
  year = {2021}