On Risk-Based Authentication
Interesting usability study: “More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication”:
Abstract: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.
We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users’ perception of RBA and helps to improve RBA implementations for a broader user acceptance.
Paper’s website. I’ve blogged about risk-based authentication before.
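To make the mechanism in the abstract concrete (monitor login features, compare them with what was seen before, and demand a verification code only when they differ enough), here is a small added example of the decision logic. It is not code from the paper or from this post; the feature set (country, IP /24 prefix, browser family, 4-hour time window), the weights and the allow/deny thresholds are illustrative assumptions that a real deployment would tune against its own login data.

```python
"""Minimal risk-based authentication (RBA) decision logic.

Added example, not code from the paper or the blog post. The features,
weights and thresholds below are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed feature weights (sum to 1.0); a deployment would tune these.
WEIGHTS = {"country": 0.40, "ip_prefix": 0.25, "user_agent": 0.25, "hour_bucket": 0.10}
ALLOW_BELOW = 0.20   # risk below this: the password alone is enough
DENY_FROM = 0.70     # risk at or above this: block the attempt and alert


@dataclass(frozen=True)
class LoginAttempt:
    ip: str          # IPv4 dotted quad (assumption: IPv4 only)
    country: str     # ISO country code from GeoIP, e.g. "DE"
    user_agent: str  # browser family, e.g. "Firefox"
    hour: int        # hour of day in UTC, 0-23

    def features(self) -> dict:
        """Map an attempt to the coarse feature values that get compared."""
        return {
            "country": self.country,
            "ip_prefix": self.ip.rsplit(".", 1)[0],   # /24, so DHCP churn is tolerated
            "user_agent": self.user_agent,
            "hour_bucket": self.hour // 4,            # six 4-hour windows
        }


@dataclass
class UserHistory:
    """Counts of feature values seen on previous *successful* logins only.

    Recording failed or step-up-rejected attempts would let an attacker
    train the profile toward their own features, so never do that.
    """
    seen: dict = field(default_factory=lambda: {f: Counter() for f in WEIGHTS})
    total: int = 0

    def record(self, attempt: LoginAttempt) -> None:
        for name, value in attempt.features().items():
            self.seen[name][value] += 1
        self.total += 1


def risk_score(history: UserHistory, attempt: LoginAttempt) -> float:
    """Weighted sum of how unfamiliar each feature value is (0.0 = all seen before)."""
    if history.total == 0:
        return 1.0
    score = 0.0
    for name, value in attempt.features().items():
        familiarity = history.seen[name][value] / history.total
        score += WEIGHTS[name] * (1.0 - familiarity)
    return round(score, 4)


def decide(history: UserHistory, attempt: LoginAttempt) -> str:
    """Return 'allow', 'step_up' (ask for a verification code) or 'deny'."""
    if history.total == 0:
        # First login ever: nothing to compare against, so verify rather than deny.
        return "step_up"
    score = risk_score(history, attempt)
    if score < ALLOW_BELOW:
        return "allow"
    if score < DENY_FROM:
        return "step_up"
    return "deny"


def build_sample_history() -> UserHistory:
    """Constructed history: ten logins from one /24, one country and one browser."""
    history = UserHistory()
    for i in range(10):
        hour = 9 if i < 8 else 17   # eight morning logins, two late-afternoon ones
        history.record(LoginAttempt("203.0.113.%d" % (10 + i), "DE", "Firefox", hour))
    return history


if __name__ == "__main__":
    h = build_sample_history()
    for a in (
        LoginAttempt("203.0.113.40", "DE", "Firefox", 10),  # routine login
        LoginAttempt("203.0.113.40", "DE", "Chrome", 10),   # new browser only
        LoginAttempt("198.51.100.7", "US", "Firefox", 9),   # travelling, same browser
        LoginAttempt("198.51.100.7", "US", "Chrome", 3),    # everything unfamiliar
    ):
        print(a, risk_score(h, a), decide(h, a))
```

With the constructed history, a routine login scores 0.02 and is allowed, a new browser alone (0.27) or a trip abroad with the familiar browser (0.67) triggers the verification code, and an attempt where every feature is unfamiliar (1.0) is denied. The usability point from the paper sits in the middle band: the thresholds decide how often legitimate users are asked for the extra factor, so they need tuning against real login data rather than guessing.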
Clive Robinson • October 5, 2020 12:22 PM
@ ALL,
From the intro,
This is a classic example of “Victorian artisanal thinking”. Not Science, not Engineering, not even common sense.
That is we’ve known for over half a century that password systems are “broken” in more ways than most could list in half an hour.
So rather than fix the actual problem RBA just “bolts a bit on” then another bit and so on. Each “bolt on” adds unnecessary complexity and code surface, that we know makes the likelihood of vulnerabilities greater.
So maybe people should think about how to solve the actual problem of replacing passwords, not give the broken one multiple crutches to hobble along on and trip up on for the next fifty years of vulnerabilities…