Overview

Risk-Based Authentication (RBA) is an approach to improve account security on websites without forcing users to use Two-Factor Authentication (2FA). This technology is getting more and more important.

During login, RBA estimates a risk score based on the login behavior.

On a low risk (e.g., same device as always), the website grants access. On a medium risk (e.g., unknown device), the website asks for additional information to confirm the claimed identity.
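The low-risk / medium-risk decision described above, as an added illustration that is not code from the study or its authors: login features (country, user agent, device identifier) are compared with the user's previous logins, a weighted share of never-seen values becomes the risk score, and a login above the assumed threshold must confirm its identity with a verification code before the new device is recorded. Feature set, weights and threshold are assumed values for the example.

```python
from dataclasses import dataclass, field

# Login features compared against the user's history (assumed feature set).
FEATURES = ("ip_country", "user_agent", "device_id")
# Weight of a mismatch per feature; the values are assumptions for this example.
WEIGHTS = {"ip_country": 0.5, "user_agent": 0.3, "device_id": 0.4}
# A score below this counts as "low risk" (assumed threshold).
LOW_RISK = 0.3


@dataclass
class UserHistory:
    """Feature values observed on this user's previous successful logins."""
    logins: list = field(default_factory=list)


def risk_score(history: UserHistory, attempt: dict) -> float:
    """Return a score in [0, 1]: weighted share of features never seen for this user."""
    if not history.logins:
        return 1.0  # no history yet: everything about this login is unknown
    seen = {f: {past[f] for past in history.logins} for f in FEATURES}
    unseen = sum(WEIGHTS[f] for f in FEATURES if attempt.get(f) not in seen[f])
    return unseen / sum(WEIGHTS.values())


def rba_decision(history: UserHistory, attempt: dict) -> str:
    """Decide after a correct password: 'allow' on low risk, otherwise 'verify'
    (ask for a verification code, e.g. sent to the registered email address)."""
    return "allow" if risk_score(history, attempt) < LOW_RISK else "verify"


def complete_login(history: UserHistory, attempt: dict, verified: bool) -> bool:
    """Finish the login: on 'allow', or on 'verify' once the code was confirmed,
    record the features so the same device counts as low risk next time."""
    decision = rba_decision(history, attempt)
    if decision == "verify" and not verified:
        return False
    history.logins.append(dict(attempt))
    return True


if __name__ == "__main__":
    # Constructed sample logins for one user.
    hist = UserHistory()
    usual = {"ip_country": "DE", "user_agent": "Firefox/80", "device_id": "dev-A"}
    complete_login(hist, usual, verified=True)  # first login has no history: verify
    print(rba_decision(hist, usual))  # allow: same device as always
    print(rba_decision(hist, {**usual, "device_id": "dev-B"}))  # verify: unknown device
```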

Risk-Based Authentication

Website used in the study

Usability and Security Perceptions

Do users accept this technology? And how do they perceive the security of RBA?

We conducted a lab study focused on the usability and security perceptions of RBA. We compared these perceptions to an equivalent 2FA variant and password-only authentication.


Findings

Users considered RBA to be more usable than the studied 2FA variant. They also found RBA more secure than password-only authentication and comparably secure to 2FA.

However, user acceptance of RBA strongly depends on the type of website and the use case scenario.

Only for websites with high security demands did users prefer 2FA over RBA. In general, using email addresses for RBA re-authentication is more accepted than using phone numbers or an authentication app.

We also discovered a pitfall when the email provider used RBA as well.

RBA dialog saying 'Verify your identity'

Technical Paper

You can find more details in our publication below.

The paper is published at ACSAC 2020.

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-Based Authentication
Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono
 
Abstract

Risk-Based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA have not been well studied.

We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users' perception of RBA and helps to improve RBA implementations for a broader user acceptance.

If you would like to cite the paper, please use the following BibTeX entry:

@inproceedings{Wiefling_More_2020,
  author = {Wiefling, Stephan and D\"{u}rmuth, Markus and Lo Iacono, Luigi},
  title = {{More} {Than} {Just} {Good} {Passwords}? A {Study} on {Usability} and {Security} {Perceptions} of {Risk-based} {Authentication}},
  booktitle = {36th {Annual} {Computer} {Security} {Applications} {Conference}},
  series = {{ACSAC} '20},
  publisher = {ACM},
  location = {Austin, USA},
  doi = {10.1145/3427228.3427243},
  isbn = {978-1-4503-8858-0/20/12},
  pages = {203--218},
  month = dec,
  year = {2020}
}


Journal Article

An extended and revised version of the paper is also published in IEEE Security & Privacy.

Verify It’s You: How Users Perceive Risk-Based Authentication
Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono
 
Abstract

Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication against account takeover attacks. Our study on 65 participants shows that users find RBA more usable than Two-Factor Authentication equivalents and more secure than password-only authentication. We identify pitfalls and provide guidelines for putting RBA into practice.

If you would like to cite the article, please use the following BibTeX entry:

@article{Wiefling_Verify_2021,
  title = {Verify {It}'s {You}: {How} {Users} {Perceive} {Risk}-based {Authentication}},
  journal = {{IEEE} {Security} & {Privacy}},
  author = {Wiefling, Stephan and D\"{u}rmuth, Markus and Lo Iacono, Luigi},
  month = nov,
  volume = {19},
  number = {6},
  pages = {47--57},
  year = {2021},
  publisher = {IEEE},
  doi = {10.1109/MSEC.2021.3077954}
}


Coverage

Schneier on Security
October 5, 2020
On Risk-Based Authentication
https://www.schneier.com/blog/archives/2020/10/on-risk-based-authentication.html

it-daily.net
October 15, 2020
Hackers surprisingly successful at guessing passwords (original title: "Hacker mit Passwortraten überraschend erfolgreich")
https://www.it-daily.net/it-sicherheit/cybercrime/25789-hacker-mit-passwortraten-ueberraschend-erfolgreich

wissen.de
November 4, 2020
New authentication method: putting a stop to hackers (original title: "Neue Authentifizierungsmethode: Hackern den Riegel vorschieben")
https://www.wissen.de/neue-authentifizierungsmethode-hackern-den-riegel-vorschieben

Industry of Things
November 4, 2020
When your passwords are too weak (original title: "Wenn Ihre Passwörter zu schwach sind")
https://www.industry-of-things.de/wenn-ihre-passwoerter-zu-schwach-sind-a-973293/

The Daily Swig
November 25, 2020
PasswordsCon 2020: Authentication expert expresses skepticism about ‘passwordless’ future
https://portswigger.net/daily-swig/passwordscon-2020-authentication-expert-expresses-skepticism-about-passwordless-future

Infosec
February 1, 2021
Security vs. usability: Pros and cons of risk-based authentication
https://resources.infosecinstitute.com/topic/security-vs-usability-pros-cons-of-risk-based-authentication/

golem.de
May 25, 2021
Risk Based Authentication: Unfortunately, we absolutely need your mobile number (original title: "Risk Based Authentication: Wir brauchen leider unbedingt Ihre Handynummer")
https://www.golem.de/news/risk-based-authentication-wir-brauchen-leider-unbedingt-ihre-handynummer-2105-155831.html