Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
Stephan Wiefling, Luigi Lo Iacono (TH Köln – University of Applied Sciences), Markus Dürmuth (Ruhr University Bochum)
Lisbon, Portugal | IFIPSEC 2019
Title image: Iwona Usakiewicz / Andrij Borys Associates; Bonneau et al.: Passwords and the evolution of imperfect authentication. Comm. ACM 58(7) (Jun 2015)
Motivation
- Weaknesses in password-based authentication increase:
  - Large-scale password database leaks
  - Credential stuffing
  - Intelligent password guessing*
  - Phishing
- 2FA is unpopular: <10% of all Google accounts used 2FA in January 2018**
→ Use risk-based authentication to increase account security with minimal impact on user interaction
*Wang et al.: Targeted online password guessing: An underestimated threat. In CCS '16. ACM (2016)
**Milka, G.: Anatomy of Account Takeover. In: Enigma 2018. USENIX (Jan 2018)
How risk-based authentication works
Login (username, password) + context features (IP address, user agent, ...) → Risk estimation → Risk: Low / Medium / High

Example 1: IP: Lisbon, PT; Chrome; Windows 10; ... → „Same device as always“ → Risk estimation: Low risk
Example 2: IP: Berlin, DE; Chrome; Android 8.1; ... → „There's something different here“ → Risk estimation: Medium risk → Additional authentication → Proof for additional authentication
Example 3: IP: New York, US (known spam IP address); PhantomJS; Linux; ... → „Very likely a hacker“ → Risk estimation: High risk
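The three scenarios above follow one decision flow: the features of a login attempt are compared against the account's own login history, the mismatches are combined with global signals (IP reputation, automation browsers) into a risk score, and the score is mapped to Low / Medium / High, which in turn decides whether the password suffices, whether additional authentication is requested, or whether the attempt is rejected. The following Python is an added worked example of that flow; it is not code from the paper or from any of the inspected services. The feature weights, thresholds, IP addresses, the spam-IP list and the automation-browser list are all constructed assumptions.

```python
"""Toy risk-based authentication (RBA) scorer (added example, not the paper's code).

A login attempt is scored feature by feature against the account's login
history; unfamiliar values add risk in proportion to an assumed weight,
global signals (known spam IP, headless browser) add a fixed penalty, and
the total is mapped to a Low / Medium / High level with an action.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed weights: how much an unfamiliar value of each feature adds to the risk.
FEATURE_WEIGHTS = {
    "ip_country": 0.40,
    "browser": 0.20,
    "os": 0.20,
}

# Constructed reputation list; stands in for a threat-intelligence feed.
KNOWN_SPAM_IPS = {"198.51.100.23"}

# Constructed list of headless/automation browser names.
AUTOMATION_BROWSERS = {"PhantomJS", "HeadlessChrome"}

# Assumed thresholds separating the three risk levels.
LOW_THRESHOLD = 0.25
HIGH_THRESHOLD = 0.75

ACTION_FOR_LEVEL = {
    "low": "grant access with password only",
    "medium": "request additional authentication",
    "high": "reject login",
}


@dataclass(frozen=True)
class LoginContext:
    """Features observed for one login attempt."""
    ip: str
    ip_country: str
    browser: str
    os: str


def feature_familiarity(history, feature, value):
    """Smoothed fraction of past logins that had `value` for `feature`.

    Laplace smoothing (+1 / +2) keeps a brand-new account with no history
    from being treated as either fully familiar or fully unknown (it gets 0.5).
    """
    counts = Counter(getattr(ctx, feature) for ctx in history)
    return (counts[value] + 1) / (len(history) + 2)


def risk_score(history, attempt):
    """Risk of `attempt` given the account's history; 0 is fully familiar."""
    score = 0.0
    for feature, weight in FEATURE_WEIGHTS.items():
        value = getattr(attempt, feature)
        score += weight * (1.0 - feature_familiarity(history, feature, value))
    # Global signals that raise risk regardless of the account's history.
    if attempt.ip in KNOWN_SPAM_IPS:
        score += 0.5
    if attempt.browser in AUTOMATION_BROWSERS:
        score += 0.3
    return round(score, 3)


def risk_level(score):
    """Map a numeric score onto the three levels used on the slides."""
    if score < LOW_THRESHOLD:
        return "low"
    if score < HIGH_THRESHOLD:
        return "medium"
    return "high"


def decide(history, attempt):
    """Full RBA decision for one attempt: (score, level, action)."""
    score = risk_score(history, attempt)
    level = risk_level(score)
    return score, level, ACTION_FOR_LEVEL[level]


# Constructed history: 20 successful logins, always from the same device.
HISTORY = [LoginContext("203.0.113.7", "PT", "Chrome", "Windows 10")] * 20

# Constructed attempts mirroring the three slide scenarios.
USUAL_DEVICE = LoginContext("203.0.113.7", "PT", "Chrome", "Windows 10")
NEW_PHONE_ABROAD = LoginContext("192.0.2.55", "DE", "Chrome", "Android 8.1")
SUSPICIOUS_BOT = LoginContext("198.51.100.23", "US", "PhantomJS", "Linux")

if __name__ == "__main__":
    for name, attempt in [("usual device", USUAL_DEVICE),
                          ("new phone abroad", NEW_PHONE_ABROAD),
                          ("suspicious bot", SUSPICIOUS_BOT)]:
        print(name, decide(HISTORY, attempt))
```

With the history above, the usual device scores 0.036 (low), the new phone in another country 0.582 (medium, additional authentication), and the automated login from a spam IP 1.564 (high). The per-account history is what makes the medium case work: the same Android login would look ordinary for a user who always logs in from a phone, which is why a fixed blocklist alone cannot reproduce the behaviour on the slides.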
Risk-based authentication
- Recommended by NIST digital identity guidelines*
- Used by large online services
- However: procedures not disclosed
  - Prevents widespread adoption
→ Black-box testing of eight popular online services
*Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)
Black-box testing approach
A login attempt carrying IP address, user agent, ... is sent to the service; how the service's RBA reacts is unknown (?). A test script (</>) first builds up a login history, then changes one feature:

Login   IP address      User agent   ...
1       TH Köln         Chrome       ...
2       TH Köln         Chrome       ...
3       TH Köln         Chrome       ...
...     ...             ...          ...
20      TH Köln         Chrome       ...
21      Other country   Chrome       ...   → service response?
It's not that easy...
- Login history influences the risk score
  → Solution: create many user accounts
- Automated testing influences the result
  → Solution: create human-like browsing behavior
Study setup
28 identities → Human user imitation → RBA testing system → 224 user accounts on the inspected services → Log → RBA inspection
It's still not that easy...
- List of potential features is huge
  → Solution: test the most relevant* features
*Citations in the literature; highest distinguishing information in Alaca and van Oorschot: Alaca, F., van Oorschot, P.C.: Device Fingerprinting for augmenting web authentication. In: Proc. ACSAC '16. pp. 289-301. ACM (2016)
It's still not that easy... (features tested)

Feature                         RBA references count (except *)   Distinguishing info*
IP address                      ●●●●○                             ▮▮▮▮▮▮
User agent string               ●●●●○                             ▮▮▮
Language                        ●●●●○                             ▮▮▮
Display resolution              ●●●●○                             ▮▮
Login time                      ●●●○○                             ▮▮▮▮▮
Evercookies                     ●●●●●                             ▮
Canvas fingerprinting           ●●●○○                             ▮▮▮
Mouse and keystroke dynamics    [unreadable]                      -
Failed login attempts           [unreadable]                      -
WebRTC                          ●●●○○                             -
Counting hosts behind NAT       ●●○○○                             -
Ad blocker detection            ●○○○○                             -
* Alaca, F., van Oorschot, P.C.: Device Fingerprinting for augmenting web authentication. In: Proc. ACSAC '16. pp. 289-301. ACM (2016)