Overview

Risk-based Authentication (RBA) is an approach to improve account security on websites without forcing users to use Two-factor Authentication (2FA). It is increasingly deployed by online services.

During login, RBA estimates a risk score from the login behavior, e.g., the device, location, and time of the login compared to the user's previous logins.

On a low risk (e.g., same device as always), the website grants access with the password alone. On a medium risk (e.g., unknown device), the website asks for additional information, such as a verification code, to confirm the claimed identity.
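The following is an added example to make the scoring described above concrete; it is not code from the paper or from the study website. It is a simplified Python model: each login feature (country of the IP address, browser/OS string, time-of-day bucket) is scored by how rarely the user's past successful logins showed the same value, the weighted sum is compared to two thresholds, and a medium-risk login triggers an email code challenge. The feature weights, the thresholds, and the hard-block tier for very high scores are assumptions, not values from the study.

```python
import hmac
import secrets
import time
from collections import Counter, defaultdict
from dataclasses import dataclass

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"

# Per-feature weights (assumed values): a login from a country never seen for
# this user is a stronger signal than a login at an unusual time of day.
WEIGHTS = {"ip_country": 0.50, "user_agent": 0.35, "hour_bucket": 0.15}


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    ip_country: str  # would come from IP geolocation in a real deployment
    user_agent: str  # normalized browser/OS string
    hour: int        # local hour of day, 0-23


def features(attempt: LoginAttempt) -> dict:
    """Map an attempt to the feature values the risk score is computed on."""
    return {
        "ip_country": attempt.ip_country,
        "user_agent": attempt.user_agent,
        "hour_bucket": attempt.hour // 6,  # night / morning / afternoon / evening
    }


class RiskEngine:
    """Scores a login against the user's history of successful logins."""

    def __init__(self, challenge_at: float = 0.3, block_at: float = 0.8):
        self.challenge_at = challenge_at
        self.block_at = block_at  # assumed third tier; the page describes low and medium risk only
        self.seen = defaultdict(lambda: defaultdict(Counter))  # user -> feature -> value -> count
        self.logins = Counter()  # user -> number of recorded successful logins

    def risk_score(self, attempt: LoginAttempt) -> float:
        n = self.logins[attempt.user]
        score = 0.0
        for feat, value in features(attempt).items():
            count = self.seen[attempt.user][feat][value]
            # Laplace-smoothed share of past logins that did NOT show this value.
            novelty = 1.0 - (count + 1) / (n + 2)
            score += WEIGHTS[feat] * novelty
        return score

    def decide(self, attempt: LoginAttempt) -> str:
        score = self.risk_score(attempt)
        if score >= self.block_at:
            return BLOCK
        if score >= self.challenge_at:
            return CHALLENGE
        return ALLOW

    def record_success(self, attempt: LoginAttempt) -> None:
        """Only successful (and, if challenged, verified) logins update the history."""
        self.logins[attempt.user] += 1
        for feat, value in features(attempt).items():
            self.seen[attempt.user][feat][value] += 1


class EmailChallenge:
    """Re-authentication step for medium risk: a short-lived code sent by email."""

    def __init__(self, ttl_seconds: int = 600, max_attempts: int = 3, now=time.time):
        self.code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.now = now
        self.expires_at = now() + ttl_seconds
        self.attempts_left = max_attempts  # bounded guesses against a 6-digit code

    def verify(self, submitted: str) -> bool:
        if self.attempts_left <= 0 or self.now() > self.expires_at:
            return False
        self.attempts_left -= 1
        ok = hmac.compare_digest(submitted.encode(), self.code.encode())
        if ok:
            self.attempts_left = 0  # single use
        return ok


def simulate() -> dict:
    """Constructed sample history: Alice has logged in 10 times from one device."""
    engine = RiskEngine()
    usual = LoginAttempt("alice", "DE", "Firefox/Linux", hour=9)
    for _ in range(10):
        engine.record_success(usual)
    return {
        "same_device": engine.decide(usual),
        "unknown_device": engine.decide(LoginAttempt("alice", "DE", "Safari/iOS", 9)),
        "unknown_country": engine.decide(LoginAttempt("alice", "BR", "Firefox/Linux", 9)),
        "everything_new": engine.decide(LoginAttempt("alice", "BR", "Safari/iOS", 23)),
    }


if __name__ == "__main__":
    for case, decision in simulate().items():
        print(f"{case:16} -> {decision}")
    challenge = EmailChallenge()
    print("code verified:", challenge.verify(challenge.code))
```

Two design points matter for a real deployment: the history is updated only after a successful (and, where challenged, verified) login, so an attacker cannot "train" the model by failing, and the challenge code is compared in constant time, expires, and allows a bounded number of guesses.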

Figure: Risk-based Authentication

Usability and Security Perceptions

Do users accept this technology? And how do they perceive the security of RBA?

We conducted a lab study focused on the usability and security perceptions of RBA. We compared these perceptions to an equivalent 2FA variant and password-only authentication.

Figure: Website used in the study

Findings

Users considered RBA to be more usable than the studied 2FA variant. They also found RBA more secure than password-only authentication and comparably secure to 2FA.

However, user acceptance of RBA strongly depends on the type of website and the use case scenario.

Only for websites with high security demands, users preferred 2FA over RBA. In general, using email addresses for RBA re-authentication is more accepted than using phone numbers or an authentication app.

We also discovered a pitfall when the email provider used RBA as well: logging in to the inbox to retrieve the verification code could trigger a second RBA challenge there.

Figure: RBA dialog saying 'Verify your identity'

Technical Paper

You can find more details in our publication below.

The paper was accepted at ACSAC 2020.

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication
Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono
 
Abstract

Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.

We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users' perception of RBA and helps to improve RBA implementations for a broader user acceptance.

If you would like to cite the paper, please use the following BibTeX entry:

@inproceedings{Wiefling_More_2020,
  author = {Wiefling, Stephan and D\"{u}rmuth, Markus and Lo Iacono, Luigi},
  title = {{More} {Than} {Just} {Good} {Passwords}? A {Study} on {Usability} and {Security} {Perceptions} of {Risk-based} {Authentication}},
  booktitle = {36th {Annual} {Computer} {Security} {Applications} {Conference}},
  series = {{ACSAC} '20},
  publisher = {ACM},
  location = {Austin, USA},
  doi = {10.1145/3427228.3427243},
  isbn = {978-1-4503-8858-0/20/12},
  month = dec,
  year = {2020}
}


Coverage

Schneier on Security
October 5, 2020
On Risk-Based Authentication
https://www.schneier.com/blog/archives/2020/10/on-risk-based-authentication.html