On Risk-Based Authentication

Interesting usability study: “More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication“:

Abstract: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.

We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably se-cure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation.Our contribution provides a first deeper understanding of the users’perception of RBA and helps to improve RBA implementations for a broader user acceptance.

Paper’s website. I’ve blogged about risk-based authentication before.

Tags: academic papers, authentication, passwords, risk assessment, risks, usability

Posted on October 5, 2020 at 11:47 AM • 19 Comments

Comments

Clive Robinson • October 5, 2020 12:22 PM

@ ALL,

From the intro,

“RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones…”

This is a clasic example of “Victorian artisanal thinking”. Not Science, not Engineering, not even common sense.

That is we’ve known for over half a century that password systems are “broken” in more ways than most could list in half an hour.

So rather than fix the actuall problem RBA just “bolts a bit on” then another bit and so on. Each “bolt on” adds unecessary complexity and code surface, that we know makes the likelihood of vulneradilities greater.

So maybe people should think about how to solve the actual problem of replacing passwords, not give the broken one multiple crutches to hobble along on and trip up on for the next fifty years of vulnerabilities…

Phaete • October 5, 2020 12:44 PM

Clive wrote

Is the problem solveable?

I think we can only complicate it (ie. bigger needs to crack the barrier), not really solve it.

If you incorporate one of your favourite; unknown unkowns, i don’t think you could say the problem is solveable.
Or do you?

Phaete • October 5, 2020 12:47 PM

Site Unavailable after posting…
That’s a new one.

PattiM • October 5, 2020 12:49 PM

I don’t like the idea of being locked out of an important transaction because a computer algorithm doesn’t “like me” at the moment.

name.withheld.for.obvious.reasons • October 5, 2020 4:51 PM

The use of behavioral analysis in deterministic security processes seems inherently much like the credit scoring (dossier) companies such as Experian (TRW), Trans Union, and whomever is third–too lazy to chase it down. If one critically reviews how these organizations manage, codify, acquire, and assume a behavioral profile based on a persons data impression should understand that these systems are designed to serve the owners of the data (which is not the person generating or the source of data). Many times my own activity will reflect several behavioral profiles (administration, content authorship, systems development and design, research and analysis) at any one time but my own OPSEC requires they be compartmentalized–but that is only due to the level of resources available. Persons without extensive resources (whether as independent or as an employee) pursuing the above described activity will be penalized for such activities without cause and this is systemic prejudice.

Witnessing that here, the site is a great resource but recently added a blunt edge. Have to wonder if it is a reflection/reaction to current socio-political environment (all topics are affected by shifting base norms) or to pre-empt an internal or external source of pressure (threats or potential form of harms economic/physical/reputation).

Adrian • October 5, 2020 7:27 PM

At work, we have risk-based authentication. Most mornings, I just have to provide a password. Others, I have to also provide a second factor and/or provide my username. Sometimes, even though I’ve already been “logged in” for hours, I’ll face a random challenge from out of the blue. That challenge might just be a second factor tap on a hardware key, or it might be the whole username, password, and second factor routine.

As a user, I find the unpredictability rather disorienting and concerning. When it happens at an odd time (e.g., in the middle of composing an email message), should I be concerned about phishing?

I rather reflexively enter my password, since that’s where things usually start. But occasionally, it wants me to enter my username again, and I end up bashing out my password in clear text across the username field before I realize what I’ve done.

Matthias Hörmann • October 6, 2020 1:53 AM

This sort of authentication feels like it would add a real pain to people’s authentication in situations where they would have to focus on other things in their lives, e.g. when sickness or injury make it impossible to type at the same speed as they normally would, or while holding a small child,…

I also agree that we should try to get rid of passwords completely (except maybe for local cryptographic verification by using the password as a key, e.g. with disk encryption or password-encrypted private keys) rather than trying to prolong their lifespan.

Winter • October 6, 2020 3:00 AM

@Clive
“So maybe people should think about how to solve the actual problem of replacing passwords, ”

But aren’t you asking for a burglar secure lock?

We know there are no locks that can keep out burglars, just locks to delay them. Every safe can be opened, given enough time.

Isn’t the same true for authentication systems?

Clive Robinson • October 6, 2020 6:52 AM

@ Phaete,

Is the problem solveable?

Is a question we can not answer without considering it as solvable thus looking for the solution.

It may be it may not, but the former is way more likely than the latter,

That is what we do know is that,

1 Passwords would work if not for human failings.

And provided passwords are also in effect

2, One time use at any given point in time and of sufficient entropy content.

There are other issues but getting the first problem solved is going to be the hardest.

Clive Robinson • October 6, 2020 6:52 AM

@ Winter,

We know there are no locks that can keep out burglars, just locks to delay them. Every safe can be opened, given enough time.

You are assuming a traditional lock where there is in effect no temporal or spacial component, just a key that remains valid.

We now can make “magical[1]” locks where time and space have meaning.

I’ve been pointing out for a while that the authentication factors normally quoted are deficient.

That is,

1, Something you are.
2, Something you have.
3, Something you know.

Actually deficient in two ways. Obviously the first two are insecure and even the slowness of the legal system recognises this failing.

That is you can be compelled by a court via indefinate detention or direct force to give up either your “body part” or “token you own”.

Which leaves “something you know” which can be coerced from you by either detention or force.

So at first sight is no better than the first two.

That is because people do not consider “temporal” or “spacial” asspects of “what you know”.

A pasword is usless if it is either “one time and used” or “expired”. Because in either case it is invalid and will not work, thus you giving it up is of no use to any one using detention or force after it is expired.

Likewise if a device is now locked, and it can determin where it is it can use it’s position as part of it making a new “something you know” valid. If that place is beyond the jusrisdictional or other spacial limitation such as geo-politico, then the attacker has difficulties.

If you thus make both the device and the source of the new “something you know” out of the jurisdiction then detention and force are pointless, provided you add other precautions such as “something you are”.

Thus 3 above becomes,

3A, Something you remember.
3B, A time you remember.
3C, A place you remember.

[1] Arthur C. Clark made the point about any sufficiently advanced science looks like magic. Thus the modern “System on a Chip”(SoC) micro-electronics can do what would have seemed like magic when I was young. And probably still does to many locksmiths who still think of levers and tumblers.

Winter • October 6, 2020 7:21 AM

@Clive
“Likewise if a device is now locked, and it can determin where it is it can use it’s position as part of it making a new “something you know” valid. ”

If it is physical, and not time, it can be spoofed.

It is possible to spoof GPS signals, or earth magnetic field etc.. Maybe we cannot spoof earth’s gravitational field, but I wonder whether that would be practical.

If your lock needs the light of a full moon at midnight, when seeing your face in infrared, hearing you say the magic words, while triangulating your favorite FM stations, I think that that can be arranged on any midnight at any place without your presence.

Clive Robinson • October 6, 2020 7:25 AM

@ name.withheld…,

… these systems are designed to serve the owners of the data (which is not the person generating or the source of data). Many times my own activity will reflect several behavioral profiles …

Your two points are important.

Firstly “the owners” do not of necessity have to be the “system owners”. Any third party can get access to “your norms” of behaviour and thus “fake them”. So the reality is they realy do not serve any security purpose other than adding an argument that benifits them not you, thus alowing them to “externalise risk” onto you more easily.

Secondly you are hitting on one of my longterm annoyances. Which is “We have multiple roles in life”. Governments and technologists have some kind of perverted view of the world that we are always a single entity.

With a moments thought most should realise that there realy is little connection between “You the employee” and “You the consumer” or any other of the multiple roles you have in life. Importantly the follow on thought of “Nor should there be” follows almost naturaly. Thus why do so many people “try to force there to be”.

From the old saying about “putting all your eggs in one basket” we should know it’s a very very bad idea.

In fact for those with longer memories it’s exactly the same point our host @Bruce Schneier gave for not having single reposotories of information for authentication as “it is a single point of failure”.

Winter • October 6, 2020 7:52 AM

@Clive
“Firstly “the owners” do not of necessity have to be the “system owners”. ”

The first question is who wants to authenticate you?

In general, all these elaborated systems are not put in place because YOU want to make sure only YOU can authenticate as you. Instead, someone else, eg, your employer, wants to make sure no one but YOU uses your account.

The result is, that those services which are important to YOU, you personal email, your bank account, your credit card, your credit rating, your health information, your phone, have bad security, even if you would like them to be better.

However, those accounts YOU care less about, e.g., your work, have elaborate security policies that makes your life miserable. At the same time, these security policies might not make your account any more secure because they are only box-ticking exercises in mandatory security.

Clive Robinson • October 6, 2020 8:08 AM

@ Winter,

If your lock needs the light of a full moon at midnight, when seeing your face in infrared, hearing you say the magic words, while triangulating your favorite FM stations, I think that that can be arranged on any midnight at any place without your presence.

You’ve forgoton the “coven”, and one or two other things.

For instance certain “Near Field Communications” and it’s bigger cousin “MIMO”. Can not be easily spoofed especially when under control of a group of other parties who have to verify you in person, and they can remain anonymous in what they decide via “shared secrets”.

I’ve been through this in the past on this blog with amongst others @Nick P, @RobertT and @Wael.

Billy • October 6, 2020 8:08 AM

I don’t like the idea of being locked out of an important transaction because a computer algorithm doesn’t “like me” at the moment.

I’ve run into this. A transaction failed with the statement that my bank rejected it. Contacted the bank, who said they had no record of any attempted transaction. Contacted the site to ask whether they’d even tried to send it to the bank—they had no idea and no relevant records, but suggested trying a different browser. That worked—apparently, blocking third-party domains and/or scripts makes the site’s payment processor block the transaction and blame my bank.

So now, instead of using a secured browser profile, I have to use a default profile that allows who-knows-what from who-knows-where… and just hope nobody’s broken any of the several third-party servers or hundreds of CAs.

(And for some reason the preview button doesn’t do a damn thing in this new blog theme, so let’s hope I got this right.)

Clive Robinson • October 6, 2020 8:15 AM

@ Winter,

The first question is who wants to authenticate you?

I prefere to flip it over to,

“The first question is who wants to impersonate you?”

To them the things you mention probably become reversed. That is they are not interested in your personal accounts (unless money etc). But they are very likely to be interrsted in your work accounts. It is at the end of the day what political or corporate APT espionage is all about, as has been evidenced many times including the theft of the RSA tokens “secrets”.

Clive Robinson • October 6, 2020 8:21 AM

@ Billy,

And for some reason the preview button doesn’t do a damn thing in this new blog theme, so let’s hope I got this right.

As far as I’m aware you now need “javascript” for the preview function to work.

Thus I suspect you like me might have it off by default and cookies as well.

Phaete • October 6, 2020 10:48 AM

As long as there is human that needs to be authenticated by a machine, there will be no perfect system.
Just for the fact that almost all signals can be faked, and you can make people do almost anything with personalised repercussions. (bodily harm to them or loved ones)

You can make the hurdles so high it will become impractical to impersonate, but those will also be impractical in daily use.

For machine-machine authentication there is a perfect solution.
(just keep the humans away from them in several regards).

name.withheld.for.obvious.reasons • October 6, 2020 3:09 PM

@ Clive
Thanks Clive, I knew you’d get it and put into words what I had said in sentences. My brevity is limited by my bombastic prose.

Side note, there are interlopers about…

And by the by, yes coding near metal is a wise choice. I am a big fan of macro assemblers. Using lexical parsing and expressions can achieve much and reduce obfuscation; from string and macro expression, lexical analyzer, and code emitters in multi-stage compilers–reducing the symbolic processing path can be benefical. Don’t waste time replying, I already know your answer, one sentence for my three.

On Risk-Based Authentication

Comments

Leave a comment Cancel reply