These were the authenticaton factors that the online services demanded in our study:

ServiceRequested authenticaton factors
  • Verification code (email*, text message)
  • Approve login on another computer
  • Identify photos of friends
  • Asking friends for help
  • Verification code (text message)
  • Verification code (email)*
  • Enter the city you usually sign in from
  • Verification code (email, text message, app, phone call)
  • Press confirmation button on second device (tablet, smartphone)
  • Verification code (email)*

*: Authentication factor was offered in all tested parameter variations

Steam, Twitch and iCloud did not show any reaction in both studies. Possible reasons for this behavior could be:

  1. RBA was not implemented.
  2. RBA was not activated by the user behavior.
  3. Other features than the five tested were rated as more important.
  4. An internal warning was triggered informing operational staff about suspicious behavior.

Note that a feature named SteamGuard might had been enabled by using the desktop software Steam. However, this was not tested in our studies.