Evaluation of Real-World Risk-Based Authentication at Online Services Revisited: Complexity Wins
Jan-Phillip Makowski, Daniela Pöhn

TL;DR
This study investigates how real-world risk-based authentication systems operate in major online services, revealing differences and limitations through black box testing of Google, Amazon, and Facebook.
Contribution
It provides the first comprehensive black box analysis of RBA systems at large providers, highlighting their operational differences and testing limitations.
Findings
Differences in RBA implementation at Google, Amazon, Facebook.
Many test cases rarely trigger RBA, indicating potential gaps.
Insights into the complexity and variability of RBA systems.
Abstract
Risk-based authentication (RBA) aims to protect end-users against attacks involving stolen or otherwise guessed passwords without requiring a second authentication method all the time. Online services typically set limits on what is still seen as normal and what is not, as well as the actions taken afterward. Consequently, RBA monitors different features, such as geolocation and device, during login. If the features' values differ from the expected values, then a second authentication method might be requested. However, only a few online services publish information about how their systems work. This hinders not only RBA research but also its development and adoption in organizations. In order to understand how the RBA systems of online services operate, black box testing is applied. To verify the results, we re-evaluate the three large providers: Google, Amazon, and Facebook. Based on our…
