Conference papers

Evaluation of Risk-Based Re-Authentication Methods

Abstract : Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA’s time exposure and usability, these aspects have not been studied so far. We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a between-group study (N = 592) to evaluate these three approaches. Our observations show with significant results that there is potential to speed up the RBA re-authentication process without reducing either its security properties or its security perception. The link-based re-authentication via “magic links”, however, makes users significantly more anxious than the code-based approaches when perceived for the first time. Our evaluations underline the fact that RBA re-authentication is not a uniform procedure. We summarize our findings and provide recommendations.
Document type :
Conference papers

https://hal.inria.fr/hal-03440816
Contributor : Hal Ifip
Submitted on : Monday, November 22, 2021 - 3:31:18 PM
Last modification on : Friday, August 5, 2022 - 3:04:31 PM
Long-term archiving on : Wednesday, February 23, 2022 - 7:56:14 PM

File

 Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until : 2023-01-01

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Stephan Wiefling, Tanvi Patil, Markus Dürmuth, Luigi Lo Iacono. Evaluation of Risk-Based Re-Authentication Methods. 35th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2020, Maribor, Slovenia. pp.280-294, ⟨10.1007/978-3-030-58201-2_19⟩. ⟨hal-03440816⟩