Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication

  • Conference paper
  • Ubiquitous Security (UbiSec 2023)

Abstract

Risk-based authentication (RBA) is used in online services to protect user accounts from unauthorized takeover. RBA commonly uses contextual features that indicate a suspicious login attempt when the characteristic attributes of the login context deviate from known and thus expected values. Previous research on RBA and anomaly detection in authentication has mainly focused on the login process. However, recent attacks have revealed vulnerabilities in other parts of the authentication process, specifically in the account recovery function. Consequently, to ensure comprehensive authentication security, the use of anomaly detection in the context of account recovery must also be investigated.

This paper presents the first study to investigate risk-based account recovery (RBAR) in the wild. We analyzed the adoption of RBAR by five prominent online services (that are known to use RBA). Our findings confirm the use of RBAR at Google, LinkedIn, and Amazon. Furthermore, we provide insights into the different RBAR mechanisms of these services and explore the impact of multi-factor authentication on them. Based on our findings, we create a first maturity model for RBAR challenges. The goal of our work is to help developers, administrators, and policy-makers gain an initial understanding of RBAR and to encourage further research in this direction.
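The abstract describes RBA as comparing the contextual features of a request against the values known for the account, and RBAR as applying that idea to account recovery. The following Python is an added illustration of that mechanism, not code from the paper or from any of the studied services: it scores a password-recovery request by how novel its context is for the account and picks a recovery challenge of matching strength. The login history, feature weights, thresholds and challenge tiers are all constructed assumptions and are not the paper's maturity model.

```python
from collections import Counter

# Constructed, hypothetical login history for one account (not data from the paper).
# Each entry is the context the service observed at a successful login.
LOGIN_HISTORY = [
    {"ip_prefix": "203.0.113", "country": "NO", "asn": "AS64500", "ua_family": "Firefox/Linux"},
    {"ip_prefix": "203.0.113", "country": "NO", "asn": "AS64500", "ua_family": "Firefox/Linux"},
    {"ip_prefix": "203.0.113", "country": "NO", "asn": "AS64500", "ua_family": "Firefox/Linux"},
    {"ip_prefix": "198.51.100", "country": "NO", "asn": "AS64501", "ua_family": "Firefox/Linux"},
    {"ip_prefix": "203.0.113", "country": "NO", "asn": "AS64500", "ua_family": "Chrome/Android"},
]

# Assumed per-feature weights: a country change is treated as more suspicious than a new browser.
FEATURE_WEIGHTS = {"ip_prefix": 1.0, "country": 2.0, "asn": 1.0, "ua_family": 1.0}
FAMILIAR_AFTER = 3                 # a value seen this often in the history counts as fully known
LOW_RISK, HIGH_RISK = 0.15, 0.6    # assumed thresholds between the challenge tiers


def feature_novelty(history, feature, value):
    """0.0 when the value is well known for this account, 1.0 when never seen before."""
    seen = Counter(entry[feature] for entry in history)[value]   # Counter returns 0 for unseen keys
    return max(0.0, 1.0 - seen / FAMILIAR_AFTER)


def recovery_risk(history, request):
    """Weighted average novelty of the recovery request's context, in [0, 1]."""
    weighted = sum(w * feature_novelty(history, f, request[f]) for f, w in FEATURE_WEIGHTS.items())
    return weighted / sum(FEATURE_WEIGHTS.values())


def choose_recovery_challenge(score, mfa_enrolled):
    """Map a risk score to a recovery challenge (tiers are an assumption, not the paper's model)."""
    if score < LOW_RISK:
        return "recovery_link"                    # known context: link to the registered email suffices
    if score < HIGH_RISK:                         # unusual context: require a second, independent proof
        return "recovery_link+mfa_code" if mfa_enrolled else "recovery_link+phone_code"
    return "deny_self_service"                    # unknown context: no self-service reset, notify owner


def assess_recovery_request(history, request, mfa_enrolled):
    """Return (rounded risk score, chosen challenge) for one recovery request."""
    score = recovery_risk(history, request)
    return round(score, 4), choose_recovery_challenge(score, mfa_enrolled)


if __name__ == "__main__":
    familiar = LOGIN_HISTORY[0]
    new_browser = dict(familiar, ua_family="Safari/macOS")
    foreign = {"ip_prefix": "192.0.2", "country": "BR", "asn": "AS64999", "ua_family": "Safari/macOS"}
    for name, req in [("familiar", familiar), ("new_browser", new_browser), ("foreign", foreign)]:
        print(name, assess_recovery_request(LOGIN_HISTORY, req, mfa_enrolled=True))
```

The `mfa_enrolled` flag reflects the abstract's point that multi-factor authentication changes which recovery challenge is available: for a medium-risk request an enrolled factor can be demanded, otherwise the service must fall back to another registered channel.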


Notes

  1. To the best of our knowledge, there is no standard term for it yet.

  2. All results for the tests on Google are published on https://github.com/AndreasTP/GoogleAccountRecovery.


Acknowledgments

Stephan Wiefling did this research while working at H-BRS University of Applied Sciences.

Author information

Corresponding author: Andre Büttner.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Büttner, A., Pedersen, A.T., Wiefling, S., Gruschka, N., Lo Iacono, L. (2024). Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication. In: Wang, G., Wang, H., Min, G., Georgalas, N., Meng, W. (eds) Ubiquitous Security. UbiSec 2023. Communications in Computer and Information Science, vol 2034. Springer, Singapore. https://doi.org/10.1007/978-981-97-1274-8_26

  • DOI: https://doi.org/10.1007/978-981-97-1274-8_26
  • Publisher Name: Springer, Singapore
  • Print ISBN: 978-981-97-1273-1
  • Online ISBN: 978-981-97-1274-8
  • eBook Packages: Computer Science (R0)
