Evaluation of Risk-based Re-Authentication Methods - PowerPoint PPT Presentation


SLIDE 1

Maribor, Slovenia | IFIP SEC 2020

Evaluation of Risk-based Re-Authentication Methods

Stephan Wiefling*#, Tanvi Patil+, Markus Dürmuth#, Luigi Lo Iacono*

H-BRS University of Applied Sciences (*) Ruhr University Bochum (#) UNC Charlotte (+)

SLIDE 2

SLIDE 3

Motivation

• Weaknesses in password-based authentication increase
  • Large-scale password database leaks
  • Credential stuffing
  • Intelligent password guessing*
  • Phishing

*D. Wang et al.: Targeted online password guessing: An underestimated threat. In: CCS '16. ACM (2016)
Akamai: Credential Stuffing: Attacks and Economies. In: [state of the internet] / security, vol. 5 (2019)

SLIDE 4

Motivation

• 2FA is unpopular
  • <10% of all Google accounts used 2FA in January 2018*
→ Using risk-based authentication to increase account security with minimal impact on user interaction

*Milka, G.: Anatomy of Account Takeover. In: Enigma 2018. USENIX (Jan 2018)

SLIDE 5

[Diagram: Username + Password → Risk estimation (features: IP address, user agent, ...) → Low / Medium / High risk]

SLIDE 6

[Diagram: login with Username + Password; observed features: IP: H-BRS, DE; Chrome; Windows 10; ...]

SLIDE 7

[Diagram: „Same device as always“ → Risk estimation: Low risk; login with Username + Password; observed features: IP: H-BRS, DE; Chrome; Windows 10; ...]

SLIDE 8

[Diagram: login with Username + Password; observed features: IP: Maribor, SI; Chrome; Android 8.1; ...]

SLIDE 9

[Diagram: „There's something different here“ → Risk estimation: Medium risk → Additional authentication; login with Username + Password; observed features: IP: Maribor, SI; Chrome; Android 8.1; ...]

SLIDE 10

[Diagram: „There's something different here“ → Risk estimation: Medium risk → Additional authentication → Proof for additional authentication; login with Username + Password; observed features: IP: Maribor, SI; Chrome; Android 8.1; ...]
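The flow sketched on slides 5 to 10, as an added example that is not part of the slides or of the authors' study software: after a correct password, the login's features (country and city derived from the IP address, browser and OS parsed from the user agent) are compared with the account's login history, mapped to low, medium or high risk, and medium risk triggers the additional authentication step. The feature set, the weights, the thresholds and the decision to block at high risk are assumptions of this example, not values from the paper.

```python
from dataclasses import dataclass
from typing import List

# Assumed weights: score contributed by a feature whose value has never been
# seen for this account. They sum to 100 so the score reads as a percentage.
FEATURE_WEIGHTS = {"country": 40, "city": 20, "browser": 20, "os": 20}
LOW_MAX = 19     # score <= 19 -> low risk (assumed threshold)
MEDIUM_MAX = 89  # score <= 89 -> medium; above -> high (assumed threshold)


@dataclass(frozen=True)
class LoginFeatures:
    """What the RBA system knows about one login attempt."""
    country: str   # from IP address geolocation
    city: str      # from IP address geolocation
    browser: str   # parsed from the user agent
    os: str        # parsed from the user agent


def risk_score(history: List[LoginFeatures], attempt: LoginFeatures) -> int:
    """Sum the weights of all features whose value never occurred in the
    account's successful-login history. 0 means "same device as always";
    with an empty history every feature is unseen, so a brand-new account
    is treated conservatively."""
    score = 0
    for feature, weight in FEATURE_WEIGHTS.items():
        seen = {getattr(past, feature) for past in history}
        if getattr(attempt, feature) not in seen:
            score += weight
    return score


def risk_level(score: int) -> str:
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def decide(history: List[LoginFeatures], attempt: LoginFeatures) -> str:
    """Action after a correct password, following the slides: low risk is
    logged in directly, medium risk gets an additional authentication
    request. Blocking at high risk is this example's assumption."""
    actions = {"low": "grant", "medium": "additional_authentication", "high": "block"}
    return actions[risk_level(risk_score(history, attempt))]


def record_success(history: List[LoginFeatures], attempt: LoginFeatures) -> None:
    """Call after a login succeeded (directly or via the additional
    authentication) so the context counts as known next time."""
    history.append(attempt)


if __name__ == "__main__":
    # Constructed history: the account always logged in from H-BRS (Germany)
    # with Chrome on Windows 10, the situation of slides 6 and 7.
    history = [LoginFeatures("DE", "H-BRS", "Chrome", "Windows 10")]
    usual = LoginFeatures("DE", "H-BRS", "Chrome", "Windows 10")
    travel = LoginFeatures("SI", "Maribor", "Chrome", "Android 8.1")  # slides 8 to 10
    print(risk_score(history, usual), decide(history, usual))    # 0 grant
    print(risk_score(history, travel), decide(history, travel))  # 80 additional_authentication
    record_success(history, travel)  # the user proved their identity
    print(risk_score(history, travel), decide(history, travel))  # 0 grant
```

The scoring is deliberately simple (seen or unseen per feature); production systems weight features by how common a value is across all users as well, so that a shared browser version counts for less than a rare country. What matters for the slides' argument is the last step: once the additional authentication succeeded, the new context is recorded, so the user is not challenged again from that device.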

SLIDE 11

Risk-based Authentication

• Recommended by NIST digital identity guidelines[1]
• Used by large online services[2]
• More usable than comparable 2FA methods[3]

[1] Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)
[2] Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC '19. Springer (2019)
[3] Wiefling et al.: More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication. In: ACSAC '20. ACM (2020)

SLIDE 12

Current practice*

• Email verification
• Six digit code
• Major impact on time exposure and usability
• But not studied so far!

*Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC '19. Springer (2019)

Service: Requested authentication factors
Amazon: Verification code (email*, text message)
Facebook: Approve login on another computer; Identify photos of friends; Asking friends for help; Verification code (text message)
GOG.com: Verification code (email)*
Google: Enter the city you usually sign in from; Verification code (email, text message, app, phone call); Press confirmation button on second device
LinkedIn: Verification code (email)*

SLIDE 13

Overview

• Study
• Results
• Conclusion

SLIDE 14

Overview

• Study (this section)
• Results
• Conclusion

SLIDE 15

Study Procedure

1. Registration (this step)
2. Login
3. Exit survey

SLIDE 16

Study Procedure

1. Registration
2. Login (this step)
   • Re-authentication requested
   • Method differed in each condition
3. Exit survey

SLIDE 17

Method 1: State of the Art (in use)

• Code-based method
• Code in email body

SLIDE 18

Method 2: Subject Line (new)

• Code-based method
• Code in email body and subject line

SLIDE 19

Method 3: Link (new)

• Link-based method
• Verification link in email body

SLIDE 20

Method 3: Link (new)

• Extra confirmation when confirmation device is different*

*Based on Google's Android device confirmation dialog

SLIDE 21

Method 3: Link (new)

• Amazon deployed method one year after our study
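The three re-authentication methods of slides 17 to 21, as an added server-side example; this is not the study's own implementation. Methods 1 and 2 issue a six-digit code that is stored hashed, expires, is single-use and is rate-limited against guessing; the only difference between them is whether the subject line also carries the code. Method 3 issues a single-use link with an unguessable token, and when the link is opened on a device other than the one that is logging in, the login is held until the user answers an extra confirmation dialog (slide 20). The code length, lifetime, attempt limit, message texts and the endpoint URL https://example.test/verify are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6                 # assumed: six-digit codes, as in current practice (slide 12)
MAX_CODE_ATTEMPTS = 5           # assumed: lock the challenge after five wrong codes
LIFETIME_SECONDS = 15 * 60      # assumed: a challenge expires after 15 minutes
VERIFY_URL = "https://example.test/verify"  # hypothetical endpoint for method 3


def _digest(secret: str) -> str:
    # Only a hash is stored, so a leaked challenge table reveals no live code or token.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Challenge:
    kind: str                 # "code" (methods 1 and 2) or "link" (method 3)
    secret_hash: str
    issued_at: float          # when the identity confirmation appeared
    device: str               # description of the device that is logging in
    attempts: int = 0
    done: bool = False
    awaiting_device_confirmation: bool = False

    def expired(self, now: float) -> bool:
        return now - self.issued_at > LIFETIME_SECONDS


def issue_code(device: str, now: float, code_in_subject: bool):
    """Methods 1 and 2 differ only in whether the subject line carries the code."""
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    challenge = Challenge("code", _digest(code), now, device)
    subject = f"{code} is your verification code" if code_in_subject else "Verify your identity"
    body = f"Someone is signing in from {device}. Your verification code: {code}"
    return challenge, {"subject": subject, "body": body}


def verify_code(challenge: Challenge, submitted: str, now: float) -> bool:
    if challenge.kind != "code" or challenge.done or challenge.expired(now):
        return False
    if challenge.attempts >= MAX_CODE_ATTEMPTS:   # rate limit against online guessing
        return False
    challenge.attempts += 1
    if hmac.compare_digest(challenge.secret_hash, _digest(submitted)):
        challenge.done = True                     # single use
        return True
    return False


def issue_link(device: str, now: float):
    """Method 3: a single-use link carrying an unguessable token."""
    token = secrets.token_urlsafe(32)
    challenge = Challenge("link", _digest(token), now, device)
    body = f"Someone is signing in from {device}. If this is you, open {VERIFY_URL}?t={token}"
    return challenge, {"subject": "Confirm your sign-in", "body": body}


def open_link(challenge: Challenge, token: str, opening_device: str, now: float) -> str:
    """Returns 'confirmed', 'confirm_device' or 'rejected'."""
    if challenge.kind != "link" or challenge.done or challenge.expired(now):
        return "rejected"
    if not hmac.compare_digest(challenge.secret_hash, _digest(token)):
        return "rejected"
    if opening_device != challenge.device:
        # Slide 20: the link was opened on another device, so the user must
        # explicitly confirm the login before it completes.
        challenge.awaiting_device_confirmation = True
        return "confirm_device"
    challenge.done = True
    return "confirmed"


def confirm_from_other_device(challenge: Challenge, approve: bool, now: float) -> bool:
    """Answer to the extra confirmation dialog shown after 'confirm_device'."""
    if not challenge.awaiting_device_confirmation or challenge.done or challenge.expired(now):
        return False
    challenge.awaiting_device_confirmation = False
    challenge.done = approve
    return approve


if __name__ == "__main__":
    ch, mail = issue_code("Chrome on Android 8.1", now=0.0, code_in_subject=True)
    print(mail["subject"])                     # the code is readable in the inbox list
    code = mail["subject"].split()[0]
    print(verify_code(ch, code, now=30.0))     # True
    ch, mail = issue_link("Chrome on Windows 10", now=0.0)
    token = mail["body"].split("?t=")[1]
    print(open_link(ch, token, "Mail app on Android 8.1", now=30.0))  # confirm_device
    print(confirm_from_other_device(ch, True, now=40.0))               # True
```

Two practical points. The device comparison in open_link uses a plain description string; a deployment would bind the challenge to the login session (for example a cookie set on the page that shows the identity confirmation) and compare that, since user-agent strings are trivially forged. And the subject-line variant, which the study found faster and less stressful, also makes the code visible wherever subjects are shown, typically inbox lists and lock-screen notification previews, so the code becomes readable without opening the mail; that is a trade-off to weigh, not a reason to reject the method.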

SLIDE 22

Timings: Measurement

[Timeline: Identity confirmation appears → Retrieve code/link → Enter code / Open link → Confirm device. Brackets mark the two measured intervals, Re-Authentication and Challenge Completion]

SLIDE 23

Timings: Measurement

[Same timeline, with the Re-Authentication and Challenge Completion intervals highlighted]

SLIDE 24

Study Procedure

1. Registration
2. Login
3. Exit survey (this step)

SLIDE 25

Overview

• Study
• Results (this section)
• Conclusion

SLIDE 26

Results: Demographics

• Recruited via MTurk

N=592 participated → n=499 completed → n=451 passed tests → taken for results

SLIDE 27

Results: Demographics (n=451)

[Charts: Gender (Female, Male, Non-Binary) and Age (18-24, 25-34, 45-54, 55-64, 65-74), shares in percent]

• Associate degree or higher (63%)
• No computer science background (74%)

SLIDE 28

Results: Timings

• Challenge completion time:
  • Median: 6 seconds
  • No significant differences between devices
• Re-authentication time:
  • Median: 34 seconds

SLIDE 29

Results: Challenge Completion Time

• Faster in two cases (each p<0.01)
  • Code-based: Desktop PC for login + authentication (Desktop/Desktop)
  • Link-based: Desktop PC for login, mobile device for authentication (Desktop/Mobile)

SLIDE 30

Results: Re-Authentication Time

• Faster with code in subject line and body
  • Desktop PC for login + authentication (Desktop/Desktop, p=0.02)

SLIDE 31

Results: Feelings

• Question in exit survey*

*Question similar to Golla et al. (CCS '18)

SLIDE 32

Results: Feelings

[Chart: feelings mentioned per condition: State of the art (Code in body), Link-based, Code in body + subject line]

• Similar number of mentions in all conditions
• With three exceptions

SLIDE 33

Results: Feelings

• Link-based method made users significantly more anxious than code-based methods (p=0.02)

[Chart: State of the art (Code in body) vs Link-based]

SLIDE 34

Results: Feelings

• Code in subject line and body made users significantly less nervous (p=0.03)

[Chart: State of the art (Code in body) vs Code in body + subject line]

SLIDE 35

Results: Feelings

• Code in subject line significantly more neutral (p=0.04)

[Chart: State of the art (Code in body), Code in body + subject line, Link-based; the bar values 4.1%, 0.7% and 0.6% survived extraction, the metric label did not]

SLIDE 36

Overview

• Study
• Results
• Conclusion (this section)

SLIDE 37

Conclusion

• Code in subject and body performed best
  • Faster re-authentication time
  • Significantly less nervous
  → Not current RBA state of the art!
• Link-based method:
  • Re-authentication time did not improve
  • More anxious when perceived for first time

SLIDE 38

Thank you

stephan.wiefling@h-brs.de
@swiefling
riskbasedauthentication.org
das.h-brs.de