Evaluation of Risk-based Re-Authentication Methods
Stephan Wiefling, Tanvi Patil, Markus Dürmuth, Luigi Lo Iacono

TL;DR
This study evaluates three re-authentication methods for risk-based authentication and shows that the re-authentication step can be made faster without weakening security, while also finding that a link-based approach initially raises user anxiety.
Contribution
Introduces two new RBA re-authentication variants and empirically compares their usability and security perceptions against the standard method.
Findings
Potential to speed up RBA re-authentication without losing security
Link-based re-authentication increases user anxiety initially
Different re-authentication methods impact user perception and usability
Abstract
Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, and phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA's time exposure and usability, these aspects have not been studied so far. We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a between-group study (N=592) to evaluate these three approaches. Our…
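The abstract describes the two moving parts of an RBA deployment: a risk decision that compares the current login's feature values against the user's login history, and a re-authentication challenge (an emailed numerical code, or alternatively a link) that is only triggered when that comparison fails. The following is an added example, not code from the paper or its authors, that wires both parts together in a minimal form. Everything specific in it is an assumption: the feature set (country, ASN, user agent), the risk score (mean fraction of prior logins on which each feature value was not seen), the threshold of 0.5, the 6-digit code and 32-byte link token formats, the 10-minute expiry, and the 3-attempt limit. The sample logins are constructed for illustration.

```python
"""Added example (not the paper's code): an RBA risk decision with code- and
link-based re-authentication challenges. All parameters below are assumptions."""
import hashlib
import hmac
import secrets
import time
from collections import Counter, defaultdict
from dataclasses import dataclass

FEATURES = ("country", "asn", "user_agent")  # assumed feature set
RISK_THRESHOLD = 0.5   # assumed; a real deployment tunes this on its own data
CHALLENGE_TTL = 600    # seconds; assumed
MAX_ATTEMPTS = 3       # assumed


class LoginHistory:
    """Per-user counts of feature values observed on successful logins."""

    def __init__(self):
        self._counts = defaultdict(lambda: defaultdict(Counter))
        self._logins = Counter()

    def record(self, user, features):
        for f in FEATURES:
            self._counts[user][f][features[f]] += 1
        self._logins[user] += 1

    def risk_score(self, user, features):
        """0.0 = every value seen on every prior login; 1.0 = every value unseen."""
        n = self._logins[user]
        if n == 0:
            return 1.0  # no history at all: treat as maximally risky
        unfamiliar = [1.0 - self._counts[user][f][features[f]] / n for f in FEATURES]
        return sum(unfamiliar) / len(FEATURES)


def _digest(secret):
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class Challenge:
    user: str
    kind: str           # "code": digits typed on the site; "link": token inside a URL
    secret_hash: bytes  # only the hash is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class ReauthService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # challenge_id -> Challenge

    def issue(self, user, kind):
        if kind == "code":
            secret = f"{secrets.randbelow(10**6):06d}"
        elif kind == "link":
            secret = secrets.token_urlsafe(32)
        else:
            raise ValueError(f"unknown re-auth kind: {kind}")
        cid = secrets.token_hex(16)
        self._pending[cid] = Challenge(user, kind, _digest(secret),
                                       self._clock() + CHALLENGE_TTL)
        return cid, secret  # cid stays with the session; secret goes into the email

    def verify(self, cid, user, presented):
        ch = self._pending.get(cid)
        if ch is None or ch.user != user:
            return False
        if self._clock() > ch.expires_at or ch.attempts_left <= 0:
            del self._pending[cid]  # expired or exhausted: drop it
            return False
        ch.attempts_left -= 1
        if not hmac.compare_digest(_digest(presented), ch.secret_hash):
            return False
        del self._pending[cid]  # single use
        return True


def login(history, reauth, user, features, kind="code"):
    """Returns (status, risk, challenge_id, secret); the last two are None when granted."""
    risk = history.risk_score(user, features)
    if risk < RISK_THRESHOLD:
        history.record(user, features)
        return "granted", risk, None, None
    cid, secret = reauth.issue(user, kind)
    return "reauth_required", risk, cid, secret


def complete_reauth(history, reauth, user, features, cid, presented):
    """Second step after a challenge; on success the new feature values join the history."""
    if not reauth.verify(cid, user, presented):
        return False
    history.record(user, features)
    return True


if __name__ == "__main__":
    h, r = LoginHistory(), ReauthService()
    usual = {"country": "DE", "asn": "AS3320", "user_agent": "Firefox/120"}  # constructed
    for _ in range(4):
        h.record("alice", usual)
    print(login(h, r, "alice", usual)[:2])
    status, risk, cid, secret = login(h, r, "alice",
                                      {"country": "US", "asn": "AS15169", "user_agent": "Safari/17"})
    print(status, risk, "code sent by email:", secret)
```

The two variants differ only in what the email carries: a short digit string the user transcribes versus a long random token that the user follows as a link. Both are stored hashed, expire, are bound to the session and user that triggered them, and are consumed on first successful use, so a code or link harvested from an old email cannot be replayed.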
