Key-Factor: Re-Authentication

Risk-Based Authentication (RBA) is an approach to improve account security on websites without forcing users to use Two-Factor Authentication (2FA). It is becoming increasingly important.

During login, RBA estimates a risk score based on the login behavior.

On a medium risk (e.g. an unknown device), the website asks for additional information to confirm the claimed identity. As we found out in our prior study, this is mostly done by sending a verification code to the user's email address.

This procedure has a major impact on RBA’s time exposure and usability.

Risk-Based Authentication


Usability Evaluation

In order to evaluate the re-authentication step, we compared three variants of it:

  1. Verification code in email body (State of the Art)
  2. Verification code in email subject and body
  3. Verification link in the email body

We tested these variants in a study involving crowdworkers of Amazon Mechanical Turk (MTurk).
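The three re-authentication variants above, together with the risk decision that triggers them, as an added Python example; this is not code from the study or its website. The variant names, the `ReauthService` class, its confirmation URL path and the policy values (six-digit codes, ten-minute expiry, five attempts) are assumptions chosen for illustration, and `risk_level` is a toy count of never-seen login features rather than the study's scoring.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Policy values chosen for this example, not taken from the study.
CODE_DIGITS = 6
TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5
VARIANTS = ("code_body", "code_subject_body", "link")


def risk_level(history, login):
    """Toy risk estimate: count the login features (e.g. country, user agent)
    whose value never occurred in this user's login history.
    0 unseen -> low, 1 -> medium (re-authenticate), 2 or more -> high."""
    unseen = sum(1 for k, v in login.items()
                 if v not in {h.get(k) for h in history})
    return "low" if unseen == 0 else "medium" if unseen == 1 else "high"


@dataclass
class Challenge:
    session_id: str   # the pending login this challenge belongs to
    variant: str
    secret: str       # numeric code or link token
    expires_at: float
    attempts: int = 0
    used: bool = False


class ReauthService:
    """Issues and checks email re-authentication challenges. A challenge is
    bound to one login session, expires, is single-use, allows a bounded
    number of guesses and is compared in constant time."""

    def __init__(self, base_url="https://example.test", clock=time.time):
        self.base_url = base_url   # assumed site URL for the magic link
        self.clock = clock
        self.challenges = {}       # session_id -> Challenge

    def issue(self, session_id, variant):
        """Create a challenge for the session and return the email to send."""
        if variant not in VARIANTS:
            raise ValueError(f"unknown variant {variant!r}")
        if variant == "link":
            secret = secrets.token_urlsafe(32)
        else:
            secret = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        ch = Challenge(session_id, variant, secret, self.clock() + TTL_SECONDS)
        self.challenges[session_id] = ch
        return self.compose_email(ch)

    def compose_email(self, ch):
        minutes = TTL_SECONDS // 60
        if ch.variant == "code_body":
            subject = "Confirm your login"
            body = f"Your verification code is {ch.secret}. It expires in {minutes} minutes."
        elif ch.variant == "code_subject_body":
            subject = f"{ch.secret} is your verification code"
            body = f"Your verification code is {ch.secret}. It expires in {minutes} minutes."
        else:
            url = f"{self.base_url}/reauth/confirm?sid={ch.session_id}&token={ch.secret}"
            subject = "Confirm your login"
            body = f"Open this link to confirm your login: {url}\nIt expires in {minutes} minutes."
        return {"subject": subject, "body": body}

    def verify(self, session_id, presented):
        """Check a code or token submitted for this session."""
        ch = self.challenges.get(session_id)
        if ch is None or ch.used or self.clock() > ch.expires_at:
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.secret.encode(), presented.strip().encode())
        if ok:
            ch.used = True
        return ok

    def verify_link(self, url):
        """Handle a click on a magic link: session id and token both come
        from the URL, so the click may arrive from a different device."""
        query = parse_qs(urlsplit(url).query)
        sid = query.get("sid", [""])[0]
        token = query.get("token", [""])[0]
        ch = self.challenges.get(sid)
        if ch is None or ch.variant != "link":
            return False
        return self.verify(sid, token)
```

The only difference between the two code variants is the email's subject line: with the code in the subject, the user can read it from the inbox list or a mail notification without opening the message. The server-side checks (binding to the login session, expiry, attempt limit, single use, constant-time comparison) are identical for all three variants, so the choice of variant changes the user's effort, not the server's verification.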


Study Setup

More than 500 participants created an account and logged into our study website.

  1. Then, they were asked to re-authenticate.
  2. After that, they reported how they felt during the re-authentication.

We also measured in the background:

  • The times needed for authentication during the study
  • The devices used for
    1. logging into the website
    2. checking the verification email

Login times when using a **desktop PC** for both logging into the website and checking the verification email

Login Times

Placing the authentication code in both email subject and body performed best in our study.

This variant significantly reduced the login time compared to the other variants in these cases:

  • Using a desktop PC for both logging into the website and checking the verification email.
  • Using a desktop PC for logging into the website and a mobile device for checking the verification email.

Feelings

Participants who received the authentication code in both email subject and body were significantly less nervous than those who received the code in the email body only.

Participants who received the verification link were significantly more anxious than those who received a verification code.

Feelings the participants provided


The Winner

Based on the results, the clear winner is the re-authentication variant that puts the code in both the subject and the body of the email. This is, however, not current RBA practice.

We therefore suggest revising current RBA implementations to improve the overall RBA experience.


Technical Paper

More details on the study and the re-authentication variants can be found in the publication below.

The paper is published at IFIP SEC 2020.

Evaluation of Risk-Based Re-Authentication Methods
Stephan Wiefling, Tanvi Patil, Markus Dürmuth, and Luigi Lo Iacono
 
Abstract

Risk-Based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA's time exposure and usability, these aspects had not been studied so far.

We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a between-group study (N=592) to evaluate these three approaches. Our observations show with significant results that there is potential to speed up the RBA re-authentication process without reducing either its security properties or its security perception. The link-based re-authentication via "magic links", however, makes users significantly more anxious than the code-based approaches when perceived for the first time. Our evaluations underline the fact that RBA re-authentication is not a uniform procedure. We summarize our findings and provide recommendations.

If you would like to cite the paper, please use the following BibTeX entry:

@inproceedings{Wiefling_Evaluation_2020,
  author = {Wiefling, Stephan and Patil, Tanvi and D\"{u}rmuth, Markus and Lo Iacono, Luigi},
  title = {{Evaluation} of {Risk-based} {Re}-{Authentication} {Methods}},
  booktitle = {35th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2020)},
  series = {{IFIP} {Advances} in {Information} and {Communication} {Technology}},
  publisher = {Springer International Publishing},
  location = {Maribor, Slovenia},
  volume = {580},
  pages = {280--294},
  isbn = {978-3-030-58200-5},
  doi = {10.1007/978-3-030-58201-2_19},
  month = sep,
  year = {2020},
}