Usability of Risk-based Implicit Authentication


Das Forschungsprojekt URIA beschäftigt sich mit der weit verbreiteten passwortbasierten Authentifizierung – sei es bei E-Mail-Diensten, Online-Shops oder Online-Banking. Wohl jeder kennt die Qual gute Passwörter zu wählen und vor allem zu behalten. Darüber hinaus bergen passwortgesicherte Systeme hohe Sicherheitsrisiken, da sie schnell zu „knacken“ sind. Passwortbasierte Authentifizierung hat daher nicht nur Schwächen in der Usability sondern auch in der Sicherheit. Risikobasierte Authentifizierung hat hingegen das Potential die Sicherheit zu erhöhen ohne die Usability zu beeinträchtigen.

Projektdauer: April 2018 - August 2021


Luigi Lo Iacono

Luigi Lo Iacono


+49 2241 865 9557
Stephan Wiefling

Stephan Wiefling

Wissenschaftlicher Mitarbeiter

+49 2241 865 9567


Das Projekt URIA ist eines der sieben Forschungstandems des landesweiten Graduiertenkollegs "Human Centered Systems Security – North Rhine Westphalian Experts on Research in Digitalization" (NERD NRW) und wird vom Ministerium für Kultur und Wissenschaft des Landes Nordrhein-Westfalen gefördert.

, , , (), p.,


  author = {S. Wiefling and M. D\"{u}rmuth and L. Lo Iacono},
  title = {What’s in {Score} for {Website} {Users}: {A} {Data}-driven {Long}-term {Study} on {Risk}-based {Authentication} {Characteristics}},
  booktitle = {25th {International} {Conference} on {Financial} {Cryptography} and {Data} {Security}},
  series = {{FC} '21},
  location = {Grenada},
  month = mar,
  year = {2021},
	abstract = {Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge and implementations that would allow any service provider to roll out RBA protection to its users. To close this gap, we provide a first in-depth analysis of RBA characteristics in a practical deployment. We observed N=780 users with 247 unique features on a real-world online service for over 1.8 years. Based on our collected data set, we provide (i) a behavior analysis of two RBA implementations that were apparently used by major online services in the wild, (ii) a benchmark of the features to extract a subset that is most suitable for RBA use, (iii) a new feature that has not been used in RBA before, and (iv) factors which have a significant effect on RBA performance. Our results show that RBA needs to be carefully tailored to each online service, as even small configuration adjustments can greatly impact RBA's security and usability properties. We provide insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts.},
  url = {}

  author = {S. Wiefling and M. D\"{u}rmuth and L. Lo Iacono},
  title = {{More} {Than} {Just} {Good} {Passwords}? A {Study} on {Usability} and {Security} {Perceptions} of {Risk-based} {Authentication}},
  booktitle = {36th {Annual} {Computer} {Security} {Applications} {Conference} ({ACSAC} '20))},
  series = {{ACSAC} '20},
  publisher = {ACM},
  month = dec,
  year = {2020},
  doi = {10.1145/3427228.3427243},
  isbn = {978-1-4503-8858-0/20/12},
  url = {},
  abstract = {Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.

  We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users' perception of RBA and helps to improve RBA implementations for a broader user acceptance.}

	title = {{Evaluation} of {Risk-based} {Re}-{Authentication} {Methods}},
	booktitle = {35th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2020)},
	series = {\{IFIP} {Advances} in {Information} and {Communication} {Technology}},
	author = {S. Wiefling and T. Patil and M. D\"{u}rmuth and L. Lo Iacono},
	publisher = {Springer International Publishing},
	location = {Maribor, Slovenia},
	month = sep,
	year = {2020},
	doi = {10.1007/978-3-030-58201-2_19},
	url = {},
	abstract = {Risk-ba­sed Au­then­ti­ca­ti­on (RBA) is an ad­ap­ti­ve se­cu­ri­ty me­a­su­re that im­pro­ves the se­cu­ri­ty of pass­word-ba­sed au­then­ti­ca­ti­on by pro­tec­ting against creden­ti­al stuf­f­ing, pass­word gues­sing, or phis­hing at­tacks. RBA mo­ni­tors extra fea­tures du­ring login and re­quests for an ad­di­tio­nal au­then­ti­ca­ti­on step if the ob­ser­ved fea­ture va­lues de­via­te from the usual ones in the login his­to­ry. In sta­te-of-the-art RBA re-au­then­ti­ca­ti­on de­ploy­ments, users re­cei­ve an email with a nu­me­ri­cal code in its body, which must be en­t­e­red on the on­line ser­vice. Alt­hough this pro­ce­du­re has a major im­pact on RBA's time ex­po­su­re and usa­bi­li­ty, these as­pects were not stu­died so far.

	We in­tro­du­ce two RBA re-au­then­ti­ca­ti­on va­ri­ants sup­ple­men­ting the de facto stan­dard with a link-ba­sed and ano­ther code-ba­sed ap­proach. Then, we pre­sent the re­sults of a bet­ween-group study (N=592) to eva­lua­te these three ap­proa­ches. Our ob­ser­va­tions show with si­gni­fi­cant re­sults that there is po­ten­ti­al to speed up the RBA re-au­then­ti­ca­ti­on pro­cess wi­thout re­du­cing neit­her its se­cu­ri­ty pro­per­ties nor its se­cu­ri­ty per­cep­ti­on. The link-ba­sed re-au­then­ti­ca­ti­on via "magic links", howe­ver, makes users si­gni­fi­cant­ly more an­xious than the code-ba­sed ap­proa­ches when per­cei­ved for the first time. Our eva­lua­ti­ons un­der­li­ne the fact that RBA re-au­then­ti­ca­ti­on is not a uni­form pro­ce­du­re. We sum­ma­ri­ze our fin­dings and pro­vi­de re­com­men­da­ti­ons.}

  title = {Usability, {Sicherheit} und {Privatsphäre} von risikobasierter {Authentifizierung}},
  language = {de},
  booktitle = {Sicherheit 2020},
  series = {Lecture {Notes} in {Informatics} ({LNI})},
  author = {S. Wiefling},
  publisher = {Gesellschaft für Informatik},
  address = {Bonn},
  doi = {10.18420/sicherheit2020_12},
  month = mar,
  year = {2020},
  pages = {129--134},
  url = {},
  abstract = {Risikobasierte Authentifizierung (RBA) ist eine adaptive Sicherheitsmaßnahme zur Stärkung passwortbasierter Authentifizierung. Sie zeichnet Merkmale während des Logins auf und fordert zusätzliche Authentifizierung an, wenn sich Ausprägungen dieser Merkmale signifikant von den bisher bekannten unterscheiden. RBA bietet das Potenzial für gebrauchstauglichere Sicherheit. Bisher jedoch wurde RBA noch nicht ausreichend im Bezug auf Usability, Sicherheit und Privatsphäre untersucht. Dieser Extended Abstract legt das geplante Dissertationsvorhaben zur Erforschung von RBA dar. Innerhalb des Vorhabens konnte bereits eine Grundlagenstudie und eine darauf aufbauende Laborstudie durchgeführt werden. Wir präsentieren erste Ergebnisse dieser Studien und geben einen Ausblick auf weitere Schritte.},

	title = {Even {Turing} {Should} {Sometimes} {Not} {Be} {Able} {To} {Tell}: {Mimicking} {Humanoid} {Usage} {Behavior} for {Exploratory} {Studies} of {Online} {Services}},
	booktitle = {24th {Nordic} {Conference} on {Secure} {IT} {Systems} ({NordSec} 2019)},
	series = {{Lecture} {Notes} in {Computer} {Science}},
	author = {S. Wiefling and N. Gruschka and L. Lo Iacono},
	volume = {11875},
	isbn = {978-3-030-35055-0},
	doi = {10.1007/978-3-030-35055-0_12},
	publisher = {Springer Nature},
	location = {Aalborg, Denmark},
	month = nov,
	year = {2019},
	url = {},
	abstract = {Online services such as social networks, online shops, and search engines deliver different content to users depending on their location, browsing history, or client device. Since these services have a major influence on opinion forming, understanding their behavior from a social science perspective is of greatest importance. In addition, technical aspects of services such as security or privacy are becoming more and more relevant for users, providers, and researchers. Due to the lack of essential data sets, automatic black box testing of online services is currently the only way for researchers to investigate these services in a methodical and reproducible manner. However, automatic black box testing of online services is difficult since many of them try to detect and block automated requests to prevent bots from accessing them.

	In this paper, we introduce a testing tool that allows researchers to create and automatically run experiments for exploratory studies of online services. The testing tool performs programmed user interactions in such a manner that it can hardly be distinguished from a human user. To evaluate our tool, we conducted - among other things - a large-scale research study on Risk-based Authentication (RBA), which required human-like behavior from the client. We were able to circumvent the bot detection of the investigated online services with the experiments. As this demonstrates the potential of the presented testing tool, it remains to the responsibility of its users to balance the conflicting interests between researchers and service providers as well as to check whether their research programs remain undetected.}

	title = {Is {This} {Really} {You}? {An} {Empirical} {Study} on {Risk}-{Based} {Authentication} {Applied} in the {Wild}},
	booktitle = {34th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2019)},
	series = {{IFIP} {Advances} in {Information} and {Communication} {Technology}},
	author = {S. Wiefling and L. Lo Iacono and M. Dürmuth},
	volume = {562},
	pages = {134--148},
	isbn = {978-3-030-22311-3},
	doi = {10.1007/978-3-030-22312-0_10},
	publisher = {Springer International Publishing},
	location = {Lisbon, Portugal},
	month = jun,
	year = {2019},
	abstract = {Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA.

	In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.},
	url = {}