Evaluation of Real-World Risk-Based Authentication at Online Services Revisited: Complexity Wins

Jan-Phillip Makowski, Daniela Pöhn
DOI: 10.1145/3600160.3605024 (https://doi.org/10.1145/3600160.3605024)
Published in: Proceedings of the 18th International Conference on Availability, Reliability and Security
Publication date: 2023-08-29
Citations: 0

Abstract

Risk-based authentication (RBA) aims to protect end-users against attacks involving stolen or otherwise guessed passwords without requiring a second authentication method all the time. Online services typically set limits on what is still seen as normal and what is not, as well as the actions taken afterward. Consequently, RBA monitors different features, such as geolocation and device, during login. If the features' values differ from the expected values, then a second authentication method might be requested. However, only a few online services publish information about how their systems work. This hinders not only RBA research but also its development and adoption in organizations. In order to understand how the RBA systems of online services operate, black box testing is applied. To verify the results, we re-evaluate the three large providers: Google, Amazon, and Facebook. Based on our test setup and the test cases, we notice differences in RBA based on account creation at Google. Additionally, several test cases rarely trigger the RBA system. Our results provide new insights into RBA systems and raise several questions for future work.