Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service

Abstract: Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login, and requests re-authentication when feature values widely differ from previously observed ones. It is recommended by various national security organizations, and users perceive it more usable and equally secure than equivalent two-factor authentication. Despite that, RBA is still only used by very few online services. Reasons for this include a lack of validated open resources o… Show more

“…In particular, when an abnormality on a set of attributes regarding user’s behavior has been detected (i.e., event-driven approach), a real-time risk score is estimated, and if this risk score is above an acceptable threshold (i.e., high risk score), re-authentication will be triggered. It is clear that accurate risk estimation (i.e., computation of an accurate risk score of an action or event) plays a key role in risk-based continuous user authentication as it might impact its overall usability and security [ 27 , 28 ].…”

“…On top of that, attack data might be also taken into consideration by the statistical model of Freeman et al [ 33 ] for more accurate login attempt classification (normal/suspicious). However, Wiefling et al [ 27 ] highlighted that use cases without attack data are more common in real-world applications, especially for medium- and small-sized websites that have limited storage and computing capacity. In this case, and considering that all users are equally likely to be attacked, Wiefling et al considered the attack probability as follows: , where U is the set of users and u ∈ U [ 27 ].…”

“…Wiefling et al [ 27 ] extended Equation (1) in order to include the attack probability for the selected feature values: where comprises the total number of feature value occurrences in the failed login attempts.…”

“…For example, typical classification problem is to assign a certain email to the “spam” or “non-spam” class, or, in our case, to assign an activity and/or event to the “low risk”, “medium risk” or “high risk” class. Classification algorithms have been widely used in the literature for identifying the risk associated with a particular event or action deploying risk-based user authentication [ 22 , 27 , 44 , 45 , 46 , 47 , 48 , 49 ].…”

“…Nevertheless, when the risk score is medium, uni-modal authentication (e.g., based on keystroke dynamics) will be required for re-authentication. Conversely, when the risk score is high, then multi-modal authentication (e.g., based on keystroke dynamics and voice) will be required for re-authentication to prove the claimed identity of the user and remain signed in or, otherwise, a countermeasure action will be taken (i.e., device lock) [ 12 , 27 ]. Therefore, it is clear that accurate risk estimation (i.e., computation of an accurate risk score of an action or event) plays a key role in risk-based continuous user authentication as it might impact its overall usability and security [ 27 , 28 ].…”

A Survey on Quantitative Risk Estimation Approaches for Secure and Usable User Authentication on Smartphones

“…In particular, when an abnormality on a set of attributes regarding user’s behavior has been detected (i.e., event-driven approach), a real-time risk score is estimated, and if this risk score is above an acceptable threshold (i.e., high risk score), re-authentication will be triggered. It is clear that accurate risk estimation (i.e., computation of an accurate risk score of an action or event) plays a key role in risk-based continuous user authentication as it might impact its overall usability and security [ 27 , 28 ].…”

“…On top of that, attack data might be also taken into consideration by the statistical model of Freeman et al [ 33 ] for more accurate login attempt classification (normal/suspicious). However, Wiefling et al [ 27 ] highlighted that use cases without attack data are more common in real-world applications, especially for medium- and small-sized websites that have limited storage and computing capacity. In this case, and considering that all users are equally likely to be attacked, Wiefling et al considered the attack probability as follows: , where U is the set of users and u ∈ U [ 27 ].…”

“…Wiefling et al [ 27 ] extended Equation (1) in order to include the attack probability for the selected feature values: where comprises the total number of feature value occurrences in the failed login attempts.…”

“…For example, typical classification problem is to assign a certain email to the “spam” or “non-spam” class, or, in our case, to assign an activity and/or event to the “low risk”, “medium risk” or “high risk” class. Classification algorithms have been widely used in the literature for identifying the risk associated with a particular event or action deploying risk-based user authentication [ 22 , 27 , 44 , 45 , 46 , 47 , 48 , 49 ].…”

“…Nevertheless, when the risk score is medium, uni-modal authentication (e.g., based on keystroke dynamics) will be required for re-authentication. Conversely, when the risk score is high, then multi-modal authentication (e.g., based on keystroke dynamics and voice) will be required for re-authentication to prove the claimed identity of the user and remain signed in or, otherwise, a countermeasure action will be taken (i.e., device lock) [ 12 , 27 ]. Therefore, it is clear that accurate risk estimation (i.e., computation of an accurate risk score of an action or event) plays a key role in risk-based continuous user authentication as it might impact its overall usability and security [ 27 , 28 ].…”

A Survey on Quantitative Risk Estimation Approaches for Secure and Usable User Authentication on Smartphones

Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication

A new digital signature primitive and its application in blockchain