Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
Abstract
Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA.
In this paper, with a series of studies on eight popular online services, we (i) analyze which features and feature combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interfaces for RBA. In doing so, our work provides a first deeper understanding of practical RBA deployments and helps foster further research in this direction.
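The abstract describes the RBA mechanism only at a high level: implicit features are collected during password entry, a risk level is derived from them, and an additional authentication factor is requested when that level is too high. The following Python example, added here for illustration and not code from the paper or the services it studies, makes that loop concrete with a simple frequency-based scorer over a user's previous successful logins. The feature names (`country`, `device`, `network`), their weights, the threshold and the login history are all assumptions constructed for the example; a real deployment would use its own feature set and a classifier fitted to real traffic.

```python
from collections import Counter
from dataclasses import dataclass

# Implicit features observed during password entry. Names and weights are
# assumptions for this illustration, not values from the paper.
FEATURE_WEIGHTS = {"country": 0.4, "device": 0.4, "network": 0.2}

# Score at or above which an additional authentication factor is requested
# (assumed threshold).
STEP_UP_THRESHOLD = 0.3


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    country: str   # from IP geolocation
    device: str    # e.g. a hash of the user-agent string / device fingerprint
    network: str   # e.g. the autonomous system of the client IP


def feature_risk(history, feature, value):
    """Risk contribution of one feature: 1 minus the fraction of the user's
    previous successful logins that carried the same value. A value never
    seen before scores 1.0; with no history at all everything is unknown."""
    if not history:
        return 1.0
    seen = Counter(getattr(h, feature) for h in history)
    return 1.0 - seen[value] / len(history)


def risk_score(history, attempt):
    """Weighted sum of per-feature risks; lies in [0, 1] because the weights sum to 1."""
    return sum(weight * feature_risk(history, feature, getattr(attempt, feature))
               for feature, weight in FEATURE_WEIGHTS.items())


def decide(history, attempt):
    """Return 'allow' or 'step_up'. Meant to be called only after the password
    itself was verified: RBA supplements the password check, it does not replace it."""
    return "step_up" if risk_score(history, attempt) >= STEP_UP_THRESHOLD else "allow"


def record_success(history, attempt):
    """Add an attempt to the user's history only once the whole login, including
    any requested additional factor, has succeeded. Recording earlier would let
    failed step-ups teach the model an attacker's features as 'normal'."""
    history.append(attempt)


# Constructed history for a hypothetical user: eight logins from the usual
# device and network, two from a second device on another network.
ALICE_HISTORY = (
    [LoginAttempt("alice", "DE", "dev-laptop", "AS-home")] * 8
    + [LoginAttempt("alice", "DE", "dev-phone", "AS-mobile")] * 2
)

if __name__ == "__main__":
    for attempt in (
        LoginAttempt("alice", "DE", "dev-laptop", "AS-home"),  # usual setup
        LoginAttempt("alice", "DE", "dev-new", "AS-home"),     # new device, known network
        LoginAttempt("alice", "US", "dev-new", "AS-unknown"),  # everything unfamiliar
    ):
        print(f"{attempt.country:>2} {attempt.device:<10} {attempt.network:<10} "
              f"score={risk_score(ALICE_HISTORY, attempt):.2f} -> {decide(ALICE_HISTORY, attempt)}")
```

Two details matter more than the scoring formula itself. First, a user with no history scores the maximum risk, so the first login on a fresh account always triggers the additional factor rather than being silently accepted. Second, `record_success` is the only place the history grows, and it is meant to run after every requested factor has been satisfied; feeding the history from unverified attempts would let repeated attacker logins gradually lower their own risk score.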
Notes
Acknowledgements
This research was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North-Rhine Westphalia.