Two-factor authentication: is the world ready?

Petsas, Thanasis; Tsirantonakis, Giorgos; Αθανασόπουλος, Ηλίας; Ioannidis, Sotiris

doi:10.1145/2751323.2751327

Cited by 75 publications

(31 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other browser automation frameworks tried to imitate human-like useractions to a small extent. Petsas et al [29] used browser automation to evaluate the quantity of Google users with enabled Two-factor Authentication (2FA). Their framework introduced a random waiting time between clicks.…”

Section: Related Workmentioning

confidence: 99%

“…Most browser automation tools described in this section were based on the Selenium framework [15,17,12,32,19,10,34]. One tool was based on CasparJS [29]. We decided to use the high-level application programming library Puppeteer [21] as a base for our tool.…”

Section: Related Workmentioning

confidence: 99%

“…Further, when using HOSIT, researchers should carefully check not to violate the respective Terms of Service. Also, researchers should use automated browsing responsibly, e.g., by keeping the impact on the inspected online services minimal [29,45].…”

Section: Ethical Considerationsmentioning

confidence: 99%

See 2 more Smart Citations

Even Turing Should Sometimes Not Be Able to Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services

Wiefling

Gruschka

Iacono

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Online services such as social networks, online shops, and search engines deliver different content to users depending on their location, browsing history, or client device. Since these services have a major influence on opinion forming, understanding their behavior from a social science perspective is of greatest importance. In addition, technical aspects of services such as security or privacy are becoming more and more relevant for users, providers, and researchers. Due to the lack of essential data sets, automatic black box testing of online services is currently the only way for researchers to investigate these services in a methodical and reproducible manner. However, automatic black box testing of online services is difficult since many of them try to detect and block automated requests to prevent bots from accessing them. In this paper, we introduce a testing tool that allows researchers to create and automatically run experiments for exploratory studies of online services. The testing tool performs programmed user interactions in such a manner that it can hardly be distinguished from a human user. To evaluate our tool, we conducted-among other things-a large-scale research study on Risk-based Authentication (RBA), which required human-like behavior from the client. We were able to circumvent the bot detection of the investigated online services with the experiments. As this demonstrates the potential of the presented testing tool, it remains to the responsibility of its users to balance the conflicting interests between researchers and service providers as well as to check whether their research programs remain undetected.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Even Turing Should Sometimes Not Be Able to Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services

Wiefling

Gruschka

Iacono

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Petsas et al [22] estimated the quantity of Google user accounts with enabled 2FA functionality. They used headless browser automation with enhancements for user simulation.…”

Section: Related Workmentioning

confidence: 99%

“…To increase the users' security, service operators should implement additional measures. Two-factor authentication (2FA) [22] is one widely offered measure that improves account security, but is rather unpopular (e.g. in January 2018, less than 10 % of active Google accounts used 2FA [19]).…”

Section: Introductionmentioning

confidence: 99%

ICT Systems Security and Privacy Protection

2019

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA. In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.

show abstract