Evaluation of Risk-based Re-Authentication Methods
Stephan Wiefling (*, #), Tanvi Patil (+), Markus Dürmuth (#), Luigi Lo Iacono (*)
(*) H-BRS University of Applied Sciences, (#) Ruhr University Bochum, (+) UNC Charlotte
Maribor, Slovenia | IFIP SEC 2020
Motivation
- Weaknesses in password-based authentication increase:
  - Large-scale password database leaks
  - Credential stuffing (Akamai 2019)
  - Intelligent password guessing (Wang et al., CCS '16)
  - Phishing
Akamai: Credential Stuffing: Attacks and Economies. In: [state of the internet] / security, vol. 5 (2019)
D. Wang et al.: Targeted online password guessing: An underestimated threat. In: CCS '16. ACM (2016)
Motivation
- 2FA is unpopular
  - <10% of all Google accounts used 2FA in January 2018*
→ Use risk-based authentication to increase account security with minimal impact on user interaction
*Milka, G.: Anatomy of Account Takeover. In: Enigma 2018. USENIX (Jan 2018)
Risk-based Authentication: how it works
Figure: login flow. The username and password together with contextual features (IP address, user agent, ...) feed a risk estimation that yields a risk level: low, medium or high.

Walkthrough, same user:
- Login from IP: H-BRS, DE; Chrome; Windows 10 → "Same device as always" → low risk
- Login from IP: Maribor, SI; Chrome; Android 8.1 → "There's something different here" → medium risk → additional authentication requested; the user has to provide proof for the additional authentication
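The risk estimation sketched in the figure, as an added worked example that is not the authors' or any service's implementation: each login feature (country from the IP address, OS and browser from the user agent) is compared against the user's successful-login history, unseen or rarely seen features add weighted score, and the score is mapped to low, medium or high risk. The feature weights, thresholds and the action per risk level are assumptions made for this example.

```python
"""Toy risk-based authentication (RBA) decision for the login flow sketched above.
Constructed for this page; the weights, thresholds and actions are assumptions,
not the scoring used by the services or the study."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Feature weights (assumption): a new country is treated as more suspicious
# than a new operating system, which is more suspicious than a new browser.
WEIGHTS = {"country": 3.0, "os": 2.0, "browser": 1.0}
# Risk bands (assumption): score 0 -> low, up to 5 -> medium, above -> high.
LOW_MAX, MEDIUM_MAX = 0.0, 5.0
# Action per risk level (assumption): medium risk triggers re-authentication.
ACTIONS = {"low": "grant", "medium": "re-authenticate", "high": "block"}


@dataclass(frozen=True)
class LoginContext:
    country: str   # derived from the client IP address (geolocation)
    os: str        # derived from the User-Agent header
    browser: str   # derived from the User-Agent header


def feature_score(history: list[LoginContext], ctx: LoginContext) -> float:
    """Sum the weights of features the user has never (full weight) or only
    rarely (half weight, <20% of past logins) used in successful logins."""
    if not history:
        return sum(WEIGHTS.values())   # no history: everything counts as new
    score = 0.0
    for name, weight in WEIGHTS.items():
        seen = Counter(getattr(h, name) for h in history)
        share = seen[getattr(ctx, name)] / len(history)
        if share == 0:
            score += weight
        elif share < 0.2:
            score += weight / 2
    return score


def risk_level(score: float) -> str:
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def decide(history: list[LoginContext], ctx: LoginContext) -> tuple[str, str]:
    """Return (risk level, action) for a login attempt given the user's history."""
    level = risk_level(feature_score(history, ctx))
    return level, ACTIONS[level]


if __name__ == "__main__":
    # Constructed history: ten prior logins from the user's usual desktop.
    usual = LoginContext("DE", "Windows 10", "Chrome")
    history = [usual] * 10
    print(decide(history, usual))                                        # low
    print(decide(history, LoginContext("SI", "Android 8.1", "Chrome")))  # medium
```

With the constructed history, the walkthrough's first login scores 0 (low), and the Maribor/Android login scores 5 (new country and new OS, browser unchanged), which lands in the medium band and triggers re-authentication; a login where all three features are new, or a user with no history at all, is rated high.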
Risk-based Authentication
- Recommended by NIST digital identity guidelines [1]
- Used by large online services [2]
- More usable than comparable 2FA methods [3]
[1] Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)
[2] Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC '19. Springer (2019)
[3] Wiefling et al.: More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication. In: ACSAC '20. ACM (2020)
Risk-based Re-Authentication: current practice*
Service  | Requested authentication factors
Amazon   | Verification code (email*, text message)
Facebook | Approve login on another computer; Identify photos of friends; Asking friends for help; Verification code (text message)
GOG.com  | Verification code (email)*
Google   | Enter the city you usually sign in from; Verification code (email, text message, app, phone call); Press confirmation button on second device
LinkedIn | Verification code (email)*
- Current practice*: email verification with a six-digit code
- Major impact on time exposure and usability
- But not studied so far!
*Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC '19. Springer (2019)
Overview
- Study
- Results
- Conclusion
Study Procedure
1. Registration
2. Login
   - Re-authentication requested
   - Method differed in each condition
3. Exit survey
Method 1: State of the Art (in use)
- Code-based method
- Code in email body
Method 2: Subject Line (new)
- Code-based method
- Code in email body and subject line
Method 3: Link (new)
- Link-based method
- Verification link in email body
- Extra confirmation when the device that opens the link differs from the device that started the login*
- Amazon deployed this method one year after our study
*Based on Google's Android device confirmation dialog
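Server-side issuance and verification for the three email-based challenges (code in the body, code in body and subject line, single-use link with a device-confirmation step), as an added example that is not the study's implementation. The ten-minute validity, the five-attempt limit, the example.test host and the opaque device identifiers are assumptions; the point of the block is what every variant needs regardless of how the secret is delivered: a random secret, a hash at rest, expiry, an attempt limit, a constant-time compare and single use, plus the extra confirmation when the link is opened on another device.

```python
"""Server-side issuance and verification for the three email re-authentication
methods compared in the study. Constructed example, not the study's code; the
TTL, attempt limit, URL and device identifiers are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a challenge stays valid (assumption)
MAX_ATTEMPTS = 5    # wrong guesses before the challenge is discarded (assumption)


class ChallengeStore:
    """Keeps pending challenges keyed by an opaque id. Only a hash of the secret
    is stored; a six-digit code has too little entropy for that to stop an
    offline guess, so the attempt limit and TTL are the real protection."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def _put(self, kind, secret, session, login_device):
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = {
            "kind": kind, "digest": self._digest(secret), "session": session,
            "login_device": login_device, "expires": self.now() + CODE_TTL,
            "attempts": 0,
        }
        return cid

    def issue_code(self, session, login_device, in_subject=False):
        """Method 1 (code in body) or Method 2 (code also in the subject line)."""
        code = f"{secrets.randbelow(10**6):06d}"
        cid = self._put("code", code, session, login_device)
        subject = f"Your verification code: {code}" if in_subject else "Verify your login"
        body = f"Enter this code to confirm your login: {code}"
        return cid, {"subject": subject, "body": body}

    def issue_link(self, session, login_device):
        """Method 3: a single-use link; the token is long enough to be unguessable."""
        token = secrets.token_urlsafe(32)
        cid = self._put("link", token, session, login_device)
        url = f"https://example.test/verify?id={cid}&t={token}"   # hypothetical host
        return cid, {"subject": "Verify your login", "body": f"Open this link: {url}"}

    def verify(self, cid, presented, confirming_device, device_confirmed=False):
        """Returns ("ok", session), ("confirm_device", login_device) or ("fail", reason)."""
        rec = self.pending.get(cid)
        if rec is None:
            return ("fail", "unknown")          # never issued, already used, or discarded
        if self.now() > rec["expires"]:
            del self.pending[cid]
            return ("fail", "expired")
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self.pending[cid]
            return ("fail", "locked")
        if not hmac.compare_digest(rec["digest"], self._digest(presented)):
            return ("fail", "mismatch")
        # Method 3 extra step: a link opened on a device other than the one that
        # started the login must be confirmed there first (cf. Google's dialog).
        if rec["kind"] == "link" and confirming_device != rec["login_device"] and not device_confirmed:
            return ("confirm_device", rec["login_device"])
        del self.pending[cid]                   # single use
        return ("ok", rec["session"])
```

The link variant carries the challenge id and token in the URL, so a successful open on the user's phone while the login waits on the desktop returns `confirm_device` instead of `ok`; only after the user confirms on that second device does the pending login session get released. Whether the code also appears in the subject line changes only the email, not the verification path, which is what lets the three methods be compared on timing alone.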
Timings: Measurement
Figure: timeline of one re-authentication. Events in order: re-authentication challenge appears → retrieve code/link → enter code / open link → confirm device (link-based method, when the confirming device differs) → identity confirmation.
Two durations were measured from these events: challenge completion time and re-authentication time.
Results: Demographics
- Recruited via MTurk: N=592
- Participated: n=499
- Completed and passed the tests → taken for results: n=451
Results: Demographics (n=451)
- Associate degree or higher (63%)
- No computer science background (74%)
- Gender: distribution chart (female, male, non-binary)
- Age: distribution chart, bands from 18-24 to 65-74
Results: Timings
- Challenge completion time:
  - Median: 6 seconds
  - No significant differences between devices
- Re-authentication time:
  - Median: 34 seconds
Results: Challenge Completion Time
- Faster in two cases (each p<0.01):
  - Code-based: desktop PC for login and authentication (Desktop/Desktop)
  - Link-based: desktop PC for login, mobile device for authentication (Desktop/Mobile)
Results: Re-Authentication Time
- Faster with the code in subject line and body
  - Desktop PC for login and authentication (Desktop/Desktop), p=0.02
Results: Feelings
- Question in exit survey*
*Question similar to Golla et al. (CCS '18)
Results: Feelings
- Similar number of mentions in all conditions (link-based; code in body and subject line; state of the art: code in body)
- With three exceptions
Results: Feelings
- Link-based method made users significantly more anxious than code-based methods (link-based vs. state of the art, code in body: p=0.02)