What’s in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics

Abstract: Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge an… Show more

“…We answered the questions with the collected data. Two of the following research questions (RQ1a and RQ1c) replicate a related study [70], while the other research questions aim at enhancing our understanding of RBA on a large online service.…”

“…This is done by monitoring and recording a set of features that are available in the login context. Potential features range from network (e.g., IP address), device or client (e.g., user agent string), to behavioral biometric information (e.g., login time) [70]. Based on the feature values of the current login attempt and those of previous ones stored in a login history, RBA calculates a risk score related to the login attempt.…”

“…Some popular online services started using RBA [43,70,71]. However, there is still a lack of open resources to support research and development.…”

“…For real-world large-scale online services, however, RBA has not been widely understood to date. This is crucial, as even small coniguration errors may largely impact usability and security for many users [70]. Previous studies already investigated RBA on a small online service [70,73], but they have limitations: They are limited to a small online service with a user base mostly located in one city.…”

“…The RBA performance of current algorithms likely degrades substantially with large global login history sizes, as is the case with large-scale online services [70]. To tackle this problem, we also developed an algorithm optimization to speed up RBA authentication for large-scale online services.…”

Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service

“…We answered the questions with the collected data. Two of the following research questions (RQ1a and RQ1c) replicate a related study [70], while the other research questions aim at enhancing our understanding of RBA on a large online service.…”

“…This is done by monitoring and recording a set of features that are available in the login context. Potential features range from network (e.g., IP address), device or client (e.g., user agent string), to behavioral biometric information (e.g., login time) [70]. Based on the feature values of the current login attempt and those of previous ones stored in a login history, RBA calculates a risk score related to the login attempt.…”

“…Some popular online services started using RBA [43,70,71]. However, there is still a lack of open resources to support research and development.…”

“…For real-world large-scale online services, however, RBA has not been widely understood to date. This is crucial, as even small coniguration errors may largely impact usability and security for many users [70]. Previous studies already investigated RBA on a small online service [70,73], but they have limitations: They are limited to a small online service with a user base mostly located in one city.…”

“…The RBA performance of current algorithms likely degrades substantially with large global login history sizes, as is the case with large-scale online services [70]. To tackle this problem, we also developed an algorithm optimization to speed up RBA authentication for large-scale online services.…”

Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service

Asset Sensitivity for Aligning Risk Assessment Across Multiple Units in Complex Organizations

Applying Zero Trust Architecture and Probability-Based Authentication to Preserve Security and Privacy of Data in the Cloud