Conference paper

Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication

Authors listBüttner, Andre; Pedersen, Andreas Thue; Wiefling, Stephan; Gruschka, Nils; Lo Iacono, Luigi

Appeared inUbiquitous Security

Editor listGuojun Wang, H.

Publication year2024

Pages401-419

ISBN978-981-97-1273-1

eISBN978-981-97-1274-8

DOI Linkhttps://doi.org/10.1007/978-981-97-1274-8_26

Conference3rd International Conference on Ubiquitous Security (UbiSec 2023)

Title of seriesCommunications in Computer and Information Science

Number in series2034


Abstract

Risk-based authentication (RBA) is used in online services to protect user accounts from unauthorized takeover. RBA commonly uses contextual features that indicate a suspicious login attempt when the characteristic attributes of the login context deviate from known and thus expected values. Previous research on RBA and anomaly detection in authentication has mainly focused on the login process. However, recent attacks have revealed vulnerabilities in other parts of the authentication process, specifically in the account recovery function. Consequently, to ensure comprehensive authentication security, the use of anomaly detection in the context of account recovery must also be investigated.
This paper presents the first study to investigate risk-based account recovery (RBAR) in the wild. We analyzed the adoption of RBAR by five prominent online services (that are known to use RBA). Our findings confirm the use of RBAR at Google, LinkedIn, and Amazon. Furthermore, we provide insights into the different RBAR mechanisms of these services and explore the impact of multi-factor authentication on them. Based on our findings, we create a first maturity model for RBAR challenges. The goal of our work is to help developers, administrators, and policy-makers gain an initial understanding of RBAR and to encourage further research in this direction.




Citation Styles

Harvard Citation styleBüttner, A., Pedersen, A., Wiefling, S., Gruschka, N. and Lo Iacono, L. (2024) Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication, in Guojun Wang, H. (ed.) Ubiquitous Security. Singapore: Springer. pp. 401-419. https://doi.org/10.1007/978-981-97-1274-8_26

APA Citation styleBüttner, A., Pedersen, A., Wiefling, S., Gruschka, N., & Lo Iacono, L. (2024). Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication. In Guojun Wang, H. (Ed.), Ubiquitous Security. (pp. 401-419). Springer. https://doi.org/10.1007/978-981-97-1274-8_26


Last updated on 2025-05-08 at 10:49