Usability of Risk-based Implicit Authentication


The research project URIA addresses the ubiquitous password-based authentication used by e-mail services, online shops and online banking alike. Almost everyone knows the struggle of choosing good passwords and, above all, of remembering them. Password-protected systems also carry substantial security risks, since weak or reused passwords are quickly cracked. Password-based authentication therefore has weaknesses not only in usability but also in security. Risk-based authentication, by contrast, has the potential to raise security without degrading usability.

Project duration: April 2018 - April 2021


Luigi Lo Iacono
ZW 10-4
+49 221-8275-2527

Stephan Wiefling
Research Associate
ZW 10-23
+49 221-8275-4233


The URIA project is one of the seven research tandems of the state-wide graduate school "Human Centered Systems Security – North Rhine Westphalian Experts on Research in Digitalization" (NERD NRW) and is funded by the Ministry of Culture and Science of the State of North Rhine-Westphalia.

S. Wiefling, L. Lo Iacono, M. Dürmuth: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: 34th IFIP TC-11 International Conference on Information Security and Privacy Protection (IFIP SEC 2019), IFIP Advances in Information and Communication Technology, vol. 562, pp. 134-148, Springer International Publishing, Lisbon, Portugal, June 2019. ISBN 978-3-030-22311-3, DOI 10.1007/978-3-030-22312-0_10.

Abstract: Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA.

In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.
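The abstract describes the RBA mechanism in outline: implicit features such as device and geolocation are observed alongside the password, and an additional factor is requested once a risk level is reached. The following is an added illustration written for this page, not code from the URIA project or from the cited paper. The feature set, the weights, the two thresholds, the frequency-based scoring and the sample login history are all assumptions constructed for the example; real deployments use undisclosed feature sets and classifiers, which is exactly the gap the paper measures.

```python
"""Added RBA decision example (assumptions only; not URIA project code)."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed per-feature weights; they sum to 1 so the score lies in [0, 1].
FEATURE_WEIGHTS: Dict[str, float] = {
    "country": 0.5,
    "ip_prefix": 0.2,
    "user_agent": 0.2,
    "hour_bucket": 0.1,
}
# Assumed decision thresholds on the weighted risk score.
STEP_UP_THRESHOLD = 0.25   # ask for an additional authentication factor
BLOCK_THRESHOLD = 0.9      # refuse the attempt outright


@dataclass(frozen=True)
class LoginAttempt:
    country: str     # e.g. from IP geolocation
    ip: str          # IPv4 dotted quad
    user_agent: str
    hour: int        # local hour of day, 0-23


def extract_features(attempt: LoginAttempt) -> Dict[str, str]:
    """Map a login attempt to the implicit features the scorer compares."""
    return {
        "country": attempt.country,
        "ip_prefix": ".".join(attempt.ip.split(".")[:2]),  # coarse /16-style prefix
        "user_agent": attempt.user_agent,
        "hour_bucket": str(attempt.hour // 6),            # four 6-hour buckets
    }


def risk_score(history: List[LoginAttempt], attempt: LoginAttempt) -> float:
    """Weighted unfamiliarity of the attempt relative to the user's past
    successful logins. Each feature contributes weight * (1 - frequency of
    its current value in the history): a never-seen value contributes its
    full weight, a value seen on every previous login contributes nothing."""
    if not history:
        return 1.0  # no baseline yet: treat as maximal risk (assumption)
    past = [extract_features(h) for h in history]
    current = extract_features(attempt)
    score = 0.0
    for name, weight in FEATURE_WEIGHTS.items():
        matches = sum(1 for p in past if p[name] == current[name])
        score += weight * (1.0 - matches / len(past))
    return score


def decide(history: List[LoginAttempt], attempt: LoginAttempt) -> str:
    """Turn the risk score into the RBA action taken after a correct password."""
    score = risk_score(history, attempt)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "request_additional_factor"
    return "allow"


# Constructed sample history for a fictitious user (TEST-NET addresses).
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
HISTORY = [
    LoginAttempt("DE", "203.0.113.10", FIREFOX, 9),
    LoginAttempt("DE", "203.0.113.12", FIREFOX, 10),
    LoginAttempt("DE", "203.0.113.10", FIREFOX, 19),
]

# Constructed attempts: usual context, a trip abroad with the known device,
# and a credential-stuffing style attempt where every feature is unfamiliar.
USUAL = LoginAttempt("DE", "203.0.113.11", FIREFOX, 9)
TRAVEL = LoginAttempt("FR", "198.51.100.7", FIREFOX, 14)
STUFFING = LoginAttempt("US", "192.0.2.44", "curl/7.88.1", 3)

if __name__ == "__main__":
    for label, attempt in [("usual", USUAL), ("travel", TRAVEL), ("stuffing", STUFFING)]:
        print(f"{label:9s} score={risk_score(HISTORY, attempt):.2f} -> {decide(HISTORY, attempt)}")
```

With the constructed history, the usual login scores about 0.03 and is allowed without friction, the trip abroad with the known browser scores 0.8 and triggers the additional factor, and the stuffing-style attempt scores 1.0 and is blocked. The step-up case is the usability trade-off the project studies: the middle band decides how often legitimate users are interrupted, and the weights decide which deviations count.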