Papers
Topics
Authors
Recent
Search
2000 character limit reached

Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication

Published 18 Mar 2024 in cs.CR | (2403.11798v1)

Abstract: Risk-based authentication (RBA) is used in online services to protect user accounts from unauthorized takeover. RBA commonly uses contextual features that indicate a suspicious login attempt when the characteristic attributes of the login context deviate from known and thus expected values. Previous research on RBA and anomaly detection in authentication has mainly focused on the login process. However, recent attacks have revealed vulnerabilities in other parts of the authentication process, specifically in the account recovery function. Consequently, to ensure comprehensive authentication security, the use of anomaly detection in the context of account recovery must also be investigated. This paper presents the first study to investigate risk-based account recovery (RBAR) in the wild. We analyzed the adoption of RBAR by five prominent online services (that are known to use RBA). Our findings confirm the use of RBAR at Google, LinkedIn, and Amazon. Furthermore, we provide insights into the different RBAR mechanisms of these services and explore the impact of multi-factor authentication on them. Based on our findings, we create a first maturity model for RBAR challenges. The goal of our work is to help developers, administrators, and policy-makers gain an initial understanding of RBAR and to encourage further research in this direction.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (14)
  1. Akamai: Credential Stuffing: Attacks and Economies. [state of the internet] / security 5(Special Media Edition) (2019), https://web.archive.org/web/20210824114851/https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-credential-stuffing-attacks-and-economies-report-2019.pdf
  2. Akamai: Loyalty for Sale – Retail and Hospitality Fraud. [state of the internet] / security 6(3) (2020), https://web.archive.org/web/20201101013317/https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-loyalty-for-sale-retail-and-hospitality-fraud-report-2020.pdf
  3. Amazon: Reset Your Password (2023), https://web.archive.org/web/20210918230138/https://www.amazon.com/gp/help/customer/display.html?nodeId=GH3NM2YWEFEL2CQ4
  4. Dropbox: Change or reset your Dropbox password (2023), https://web.archive.org/web/20230518113022/https://help.dropbox.com/security/password-reset
  5. Federal Bureau of Investigation: Internet Crime Report 2022 (Mar 2023), https://web.archive.org/web/20230311011752/https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
  6. GOG: How do I reset my password? (2023), https://web.archive.org/web/20230317223608/https://support.gog.com/hc/en-us/articles/212185409-How-do-I-reset-my-password-?product=gog
  7. Golla, M.: I Had a Chat about RBA with @Google in April 2016. The Short Story: “RBA Is an Arms Race, and We Are Not Revealing Any Details That Could Potentially Help Attackers.” (Apr 2019), https://web.archive.org/web/20210812104239/https://twitter.com/m33x/status/1120979096547274752
  8. Google: reCAPTCHA v2 | Google Developers (2021), https://developers.google.com/recaptcha/docs/display
  9. Google: Tips to complete account recovery steps (2023), https://web.archive.org/web/20230422113749/https://support.google.com/accounts/answer/7299973
  10. Hill, B.: Moving Account Recovery beyond Email and the "Secret" Question. In: Enigma ’17. USENIX Association (2017)
  11. LinkedIn: Password Reset Basics (2023), https://web.archive.org/web/20221229120339/https://www.linkedin.com/help/linkedin/answer/a1382101
  12. Microsoft Detection and Response Team: DEV-0537 criminal actor targeting organizations for data exfiltration and destruction (2022), https://www.microsoft.com/security/blog/dev-0537
  13. Milka, G.: Anatomy of Account Takeover. In: Enigma ’18. USENIX Association (Jan 2018)
  14. MITRE Corporation: CWE-640: Weak Password Recovery Mechanism for Forgotten Password (2021), https://cwe.mitre.org/data/definitions/640.html

Summary

No one has generated a summary of this paper yet.

Sign Up to Summarize

Paper to Video (Beta)

No one has generated a video about this paper yet.

Sign Up to Generate All Videos Subscribe on YouTube

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Sign Up to Generate

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Generate Now

Continue Learning

We haven't generated follow-up questions for this paper yet.

Generate Now

Collections

Sign up for free to add this paper to one or more collections.

Sign Up