Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

  • Stephan WieflingEmail author
  • Luigi Lo Iacono
  • Markus Dürmuth
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 562)


Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA.

In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.



This research was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North-Rhine Westphalia.


  1. 1.
    Acar, G., Eubank, C., Englehardt, S., Juarez, M., Narayanan, A., Diaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: CCS 2014, pp. 674–689. ACM (2014)Google Scholar
  2. 2.
    Akhtar, N., Haq, F.: Real time online banking fraud detection using location information. In: Das, V.V., Thankachan, N. (eds.) CIIT 2011. CCIS, vol. 250, pp. 770–772. Springer, Heidelberg (2011). Scholar
  3. 3.
    Alaca, F., van Oorschot, P.C.: Device fingerprinting for augmenting web authentication. In: Proceedings of ACSAC 2016, pp. 289–301. ACM (2016)Google Scholar
  4. 4.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Security & Privacy, pp. 538–552. IEEE, May 2012Google Scholar
  5. 5.
    Bonneau, J., Felten, E.W., Mittal, P., Narayanan, A.: Privacy concerns of implicit secondary factors for web authentication. In: WAY Workshop (2014)Google Scholar
  6. 6.
    Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: Passwords and the evolution of imperfect authentication. Commun. ACM 58(7), 78–87 (2015)CrossRefGoogle Scholar
  7. 7.
    Bujlow, T., Carela-Espanol, V., Lee, B.R., Barlet-Ros, P.: A survey on web tracking: mechanisms, implications, and defenses. Proc. IEEE 105(8), 1476–1510 (2017)CrossRefGoogle Scholar
  8. 8.
    Cser, A., Maler, E.: The Forrester Wave: Risk-Based Authentication, Q1 (2012)Google Scholar
  9. 9.
    Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: NDSS 2014, San Diego, vol. 14, pp. 23–26, February 2014Google Scholar
  10. 10.
    Daud, N.I., Haron, G.R., Othman, S.S.S.: Adaptive authentication: implementing random canvas fingerprinting as user attributes factor. In: ISCAIE, pp. 152–156. IEEE (2017)Google Scholar
  11. 11.
    Freeman, D., Jain, S., Dürmuth, M., Biggio, B., Giacinto, G.: Who are you? A statistical approach to measuring user authenticity. In: NDSS 2016, February 2016Google Scholar
  12. 12.
    Golan, L., Orad, A., Bennett, N.: System and method for risk based authentication. US Patent 8,572,391, October 2013Google Scholar
  13. 13.
    Google: Notifying Android users natively when devices are added to their account (2016).
  14. 14.
    Grassi, P.A., et al.: Digital identity guidelines. Technical Report NIST SP 800-63b (2017)Google Scholar
  15. 15.
    Herley, C., Schechter, S.: Distinguishing attacks from legitimate authentication traffic at scale. In: NDSS 2019, San Diego (2019)Google Scholar
  16. 16.
    Hurkala, A., Hurkala, J.: Architecture of context-risk-aware authentication system for web environments. In: Proceedings of ICIEIS 2014, Lodz, Poland, September 2014Google Scholar
  17. 17.
    Iaroshevych, O.: Improving second factor authentication challenges to help protect Facebook account owners. In: SOUPS 2017, Santa Clara, CA, USA, July 2017Google Scholar
  18. 18.
    Johansson, J., Canavor, D., Hitchcock, D.: Risk-based authentication duration. US Patent 8,683,597, March 2014Google Scholar
  19. 19.
    Milka, G.: Anatomy of account takeover. In: Enigma 2018. USENIX, January 2018Google Scholar
  20. 20.
    Molloy, I., Dickens, L., Morisset, C., Cheng, P.C., Lobo, J., Russo, A.: Risk-based security decisions under uncertainty. In: CODASPY 2012, pp. 157–168. ACM (2012)Google Scholar
  21. 21.
    Morris, R., Thompson, K.: Password security. Commun. ACM 22(11), 594–597 (1979)CrossRefGoogle Scholar
  22. 22.
    Petsas, T., Tsirantonakis, G., Athanasopoulos, E., Ioannidis, S.: Two-factor authentication: is the world ready? In: EuroSec 2015, pp. 4:1–4:7. ACM (2015)Google Scholar
  23. 23.
    Quermann, N., Harbach, M., Dürmuth, M.: The state of user authentication in the wild. In: Who are you? Adventures in Authentication Workshop 2018, August 2018Google Scholar
  24. 24.
    Shepard, L., Chen, W., Perry, T., Popov, L.: Using social information for authenticating a user session, December 2014Google Scholar
  25. 25.
    Spooren, J., Preuveneers, D., Joosen, W.: Mobile device fingerprinting considered harmful for risk-based authentication. In: EuroSec 2015, pp. 6:1–6:6. ACM (2015)Google Scholar
  26. 26.
    Steinegger, R.H., Deckers, D., Giessler, P., Abeck, S.: Risk-based authenticator for web applications. In: Proceedings of EuroPlop 2016, pp. 16:1–16:11. ACM (2016)Google Scholar
  27. 27.
    Traore, I., Woungang, I., Obaidat, M.S., Nakkabi, Y., Lai, I.: Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments. In: Proceedings of ICDH 2012, pp. 138–145. IEEE, November 2012Google Scholar
  28. 28.
  29. 29.
    Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: an underestimated threat. In: CCS 2016, pp. 1242–1254. ACM (2016)Google Scholar
  30. 30.
    Wang, X., Kohno, T., Blakley, B.: Polymorphism as a defense for automated attack of websites. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 513–530. Springer, Cham (2014). Scholar
  31. 31.
    Wiefling, S., Lo Iacono, L., Dürmuth, M.: Risk-Based Authentication (2019).

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. 1.TH Köln - University of Applied SciencesCologneGermany
  2. 2.Ruhr University BochumBochumGermany

Personalised recommendations