The weaknesses of traditional password-based authentication are well known: people are not only bad at creating unique, secure passwords, but they also struggle to remember them. As a result, many individuals reuse one password across multiple online accounts rather than using it for a single account. This gives attackers the opportunity to compromise several of the affected person's online accounts with a single stolen password.
To counter this problem, online services increasingly rely on two-factor authentication, where a second factor is required in addition to a password for a successful login. Thus, in theory, a stolen password alone is no longer sufficient for attackers to gain access to other online accounts using the same password. However, in practice, most people are extremely reluctant to use two-factor authentication, as the additional step during authentication is perceived as a significant usability impairment.
To increase acceptance among the population, a newer approach is to use risk-based authentication instead of strict two-factor authentication. In this approach, additional metadata is checked during the login process alongside the password. This metadata can include the operating system and browser used, as well as the IP address and current time of day. By comparing the current metadata with the metadata from the user's past successful login attempts, a risk score can be calculated. This risk score indicates how likely it is that the current login attempt is being made by the user and is thus legitimate. In contrast to traditional two-factor authentication, an additional factor is only requested when an elevated risk is detected. Thus, while maintaining nearly the same level of security for the online account, usability is significantly improved.
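To make the comparison described above concrete, here is a small Python scorer. It is an added illustration, not code from the project: the features, weights, threshold and sample login history are all assumed.

```python
# Toy risk-based authentication scorer (added illustration, not the project's code).
# A login attempt's metadata (OS, browser, IP address, hour of day) is compared with
# the user's past successful logins; a second factor is requested only when the
# resulting risk score crosses a threshold. Weights, threshold and data are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginMeta:
    os: str
    browser: str
    ip: str
    hour: int  # 0-23, local time of the attempt

# Assumed weights: IP address is the strongest signal, time of day the weakest.
WEIGHTS = {"os": 0.2, "browser": 0.2, "ip": 0.4, "hour": 0.2}

def familiarity(attempt, history, feature):
    """Fraction of past logins that match the attempt on one feature (0..1)."""
    if not history:
        return 0.0  # no history for this user: every feature looks new
    hits = 0.0
    for past in history:
        a, p = getattr(attempt, feature), getattr(past, feature)
        if feature == "ip":
            if a == p:                                          # same address
                hits += 1.0
            elif a.rsplit(".", 1)[0] == p.rsplit(".", 1)[0]:    # same /24 network
                hits += 0.5
        elif feature == "hour":
            diff = abs(a - p)
            if min(diff, 24 - diff) <= 2:  # within two hours, wrapping past midnight
                hits += 1.0
        elif a == p:
            hits += 1.0
    return hits / len(history)

def risk_score(attempt, history):
    """Weighted risk in [0, 1]: 0 = identical to past logins, 1 = nothing matches."""
    known = sum(w * familiarity(attempt, history, f) for f, w in WEIGHTS.items())
    return round(1.0 - known, 3)

def requires_second_factor(attempt, history, threshold=0.5):
    """Step-up decision: ask for the second factor only when risk is elevated."""
    return risk_score(attempt, history) >= threshold

# Constructed sample history for one user: three successful logins from home.
HISTORY = [
    LoginMeta("Windows", "Firefox", "203.0.113.10", 9),
    LoginMeta("Windows", "Firefox", "203.0.113.10", 21),
    LoginMeta("Windows", "Firefox", "203.0.113.12", 8),
]
```

A familiar device from the usual network at a usual hour scores low and logs in with the password alone, while an unknown device or an unknown network pushes the score over the threshold and triggers the second factor.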
Against the backdrop of the current development of risk-based authentication, we are exploring questions such as how users perceive risk-based authentication, how reliably a suitable risk can be determined, what metadata is required for this, and what privacy concerns should be considered when selecting suitable metadata.
Project Lead: Daniel Rotter
Period: 2024–2026