Konferenzpaper
Autorenliste: Büttner, Andre; Pedersen, Andreas Thue; Wiefling, Stephan; Gruschka, Nils; Lo Iacono, Luigi
Erschienen in: Ubiquitous Security
Herausgeberliste: Guojun Wang, H.
Jahr der Veröffentlichung: 2024
Seiten: 401-419
ISBN: 978-981-97-1273-1
eISBN: 978-981-97-1274-8
DOI Link: https://doi.org/10.1007/978-981-97-1274-8_26
Konferenz: 3rd International Conference on Ubiquitous Security (UbiSec 2023)
Serientitel: Communications in Computer and Information Science
Serienzählung: 2034
Risk-based authentication (RBA) is used in online services to protect user accounts from unauthorized takeover. RBA commonly uses contextual features that indicate a suspicious login attempt when the characteristic attributes of the login context deviate from known and thus expected values. Previous research on RBA and anomaly detection in authentication has mainly focused on the login process. However, recent attacks have revealed vulnerabilities in other parts of the authentication process, specifically in the account recovery function. Consequently, to ensure comprehensive authentication security, the use of anomaly detection in the context of account recovery must also be investigated.
Abstract:
This paper presents the first study to investigate risk-based account recovery (RBAR) in the wild. We analyzed the adoption of RBAR by five prominent online services (that are known to use RBA). Our findings confirm the use of RBAR at Google, LinkedIn, and Amazon. Furthermore, we provide insights into the different RBAR mechanisms of these services and explore the impact of multi-factor authentication on them. Based on our findings, we create a first maturity model for RBAR challenges. The goal of our work is to help developers, administrators, and policy-makers gain an initial understanding of RBAR and to encourage further research in this direction.
Zitierstile
Harvard-Zitierstil: Büttner, A., Pedersen, A., Wiefling, S., Gruschka, N. and Lo Iacono, L. (2024) Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication, in Guojun Wang, H. (ed.) Ubiquitous Security. Singapore: Springer. pp. 401-419. https://doi.org/10.1007/978-981-97-1274-8_26
APA-Zitierstil: Büttner, A., Pedersen, A., Wiefling, S., Gruschka, N., & Lo Iacono, L. (2024). Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication. In Guojun Wang, H. (Ed.), Ubiquitous Security. (pp. 401-419). Springer. https://doi.org/10.1007/978-981-97-1274-8_26
