Stephan Wiefling, Tanvi Patil, Markus Dürmuth, and Luigi Lo Iacono
H‑BRS & Ruhr University Bochum & UNC Charlotte
Summary: Study on three email-based re-authentication methods. Measuring effects on users and authentication speed. "Magic links" made users more anxious. Code-based solutions can be improved.
Risk-Based Authentication (RBA) is an approach to improve account security on websites without forcing users to use Two-Factor Authentication (2FA). This technology is becoming increasingly important.
During login, RBA estimates a risk score based on the login behavior.
On a medium risk (e.g. an unknown device), the website asks for additional information to confirm the claimed identity. In practice, this is mostly done by email address verification with a code, as we found in our prior study.
This procedure has a major impact on RBA’s time exposure and usability.
In order to evaluate the re-authentication, we compared three different variants of it:
We tested these variants in a study involving crowdworkers on Amazon Mechanical Turk (MTurk).
More than 500 participants created an account and logged into our study website.
We also measured in the background:
Using the authentication code in both email subject and body performed best in our study.
This variant significantly reduced the login time compared to the other variants in these cases:
Participants getting the authentication code in both email subject and body were significantly less nervous than those getting the code in the email body only.
Participants getting the verification link were significantly more anxious than those getting a verification code.
Based on the results, the clear winner is the re-authentication variant that uses the code in both the subject and body of the email. This is, however, not the current state of RBA practice.
Following that, we suggest revising current RBA implementations to improve the overall RBA experience.
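As an added example (not the authors' code or study material), the following Python sketch implements the re-authentication step in the variant the study found fastest, with the numeric code in both the email subject and body; the code length, lifetime, attempt limit and service name are assumed values chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (not taken from the paper).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5
SERVICE_NAME = "example-service"  # placeholder service name


@dataclass
class Challenge:
    """Server-side state for one pending re-authentication challenge."""
    code_hash: str          # only a hash of the code is stored
    expires_at: float       # absolute expiry time (epoch seconds)
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_challenge(now: Optional[float] = None) -> Tuple[Challenge, Dict[str, str]]:
    """Create a random numeric code and the email that carries it.

    The code is placed in the subject line as well as in the body, so the
    user can read it from the inbox preview without opening the message.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    challenge = Challenge(code_hash=_hash_code(code), expires_at=now + CODE_TTL_SECONDS)
    email = {
        "subject": f"{code} is your {SERVICE_NAME} verification code",
        "body": (
            "We noticed a login from a device we do not recognize.\n"
            f"Enter this code to continue: {code}\n"
            f"The code expires in {CODE_TTL_SECONDS // 60} minutes."
        ),
    }
    return challenge, email


def verify_code(challenge: Challenge, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code; expired, exhausted or already-used challenges fail."""
    now = time.time() if now is None else now
    if challenge.used or challenge.attempts_left <= 0 or now > challenge.expires_at:
        return False
    challenge.attempts_left -= 1  # count every attempt, right or wrong
    ok = hmac.compare_digest(_hash_code(submitted.strip()), challenge.code_hash)
    if ok:
        challenge.used = True  # one successful use per challenge
    return ok
```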
More details on the study and the re-authentication variants can be found in the publication below.
The paper is published at IFIP SEC 2020.
Risk-Based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA's time exposure and usability, these aspects have not been studied so far.
We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a between-group study (N=592) to evaluate these three approaches. Our observations show with significant results that there is potential to speed up the RBA re-authentication process without reducing either its security properties or its security perception. The link-based re-authentication via "magic links", however, makes users significantly more anxious than the code-based approaches when encountered for the first time. Our evaluations underline the fact that RBA re-authentication is not a uniform procedure. We summarize our findings and provide recommendations.
If you would like to cite the paper, please use the following BibTeX entry:
@inproceedings{Wiefling_Evaluation_2020,
  author    = {Wiefling, Stephan and Patil, Tanvi and D\"{u}rmuth, Markus and Lo Iacono, Luigi},
  title     = {{Evaluation} of {Risk-based} {Re}-{Authentication} {Methods}},
  booktitle = {35th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2020)},
  series    = {{IFIP} {Advances} in {Information} and {Communication} {Technology}},
  publisher = {Springer International Publishing},
  location  = {Maribor, Slovenia},
  volume    = {580},
  pages     = {280--294},
  isbn      = {978-3-030-58200-5},
  doi       = {10.1007/978-3-030-58201-2_19},
  month     = sep,
  year      = {2020},
}