A well kept secret

Despite its major importance, online services keep their use of RBA secret. For this reason we performed black-box testing on eight popular online services to find out:

  • Are they using RBA?

And if yes:

  1. How do they calculate the risk score?
  2. What additional authentication factors are they offering?
  3. What do the RBA dialogs look like?

Risk-based Authentication dialog of LinkedIn

Who uses RBA?

We found evidence that Google, Facebook, LinkedIn, Amazon and GOG.com are using it.

Want to know how they are using it?

Check our results page or

What can go wrong?

Facebook’s verification code feature leaked the user’s full phone number in our study. We consider this a bad practice and a threat to privacy: it allows the phone numbers of users to be obtained. Attackers can also call the number and gain access to the verification code through social engineering.

Thanks to the prompt reaction by Facebook, this vulnerability is now fixed:

  • We contacted Facebook about the phone number leak on September 4th, 2018.
  • Facebook resolved the issue on September 6th, 2018.
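The mitigation for the leak described above is to show only a masked hint of the phone number in the verification-code dialog. The following helper is an added example written for this page, not code from the study or from any of the tested services; the digit threshold it uses is an assumption.

```python
def mask_phone_hint(phone: str, visible_digits: int = 2) -> str:
    """Build the phone hint shown in an RBA verification-code dialog.

    Only the last `visible_digits` digits are revealed; every other digit is
    replaced by '*'. Formatting characters (spaces, '+', '-', parentheses)
    are dropped so the digit grouping does not leak the country or carrier
    prefix. Numbers with too few digits to mask safely return an all-masked
    hint instead of leaking most of the number.
    Hypothetical helper written for this page, not code from the study.
    """
    digits = "".join(c for c in phone if c.isdigit())
    # Assumed safety margin: a hint must hide at least three digits.
    if len(digits) < visible_digits + 3:
        return "*" * len(digits)
    return "*" * (len(digits) - visible_digits) + digits[-visible_digits:]


def verification_prompt(phone: str) -> str:
    """Dialog text that exposes only the masked hint, never the full number."""
    return f"We sent a code to the phone number ending in {mask_phone_hint(phone)}."
```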

Technical Paper

The paper has been accepted at IFIP SEC 2019.

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
Stephan Wiefling, Luigi Lo Iacono, and Markus Dürmuth

If you would like to cite the paper, please use the following BibTeX entry (the citation key is a placeholder; choose your own):

@inproceedings{wiefling2019rba,
  author = {Wiefling, Stephan and Lo Iacono, Luigi and D\"{u}rmuth, Markus},
  title = {Is {This} {Really} {You}? {An} {Empirical} {Study} on {Risk}-{Based} {Authentication} {Applied} in the {Wild}},
  booktitle = {34th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2019)},
  series = {{IFIP} {Advances} in {Information} and {Communication} {Technology}},
  volume = {562},
  pages = {134--148},
  isbn = {978-3-030-22311-3},
  doi = {10.1007/978-3-030-22312-0_10},
  publisher = {Springer International Publishing},
  location = {Lisbon, Portugal},
  month = jun,
  year = {2019}
}