Details
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022) : August 7-9, 2022, Boston, MA, USA |
| Place of publication | [Berkeley, CA] |
| Pages | 483-501 |
| Number of pages | 19 |
| ISBN (electronic) | 9781939133304 |
| Publication status | Published - 2022 |
| Event | 18th Symposium on Usable Privacy and Security, SOUPS 2022 - Boston, USA / United States; duration: 7 Aug 2022 → 9 Aug 2022 |
Abstract
Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA holds the opportunity to increase the overall security without burdening the user by limiting unnecessary security prompts to a minimum. Thus, it is crucial to understand how administrators interact with off-the-shelf RBA systems that assign a risk score to a login and require administrators to configure adequate responses. In this paper, we let n = 28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent semi-structured interviews, we asked them about the intentions behind their configurations and experiences with the RBA system. We find that administrators want to have a thorough understanding of the system they configure, show the importance of default settings as they are either directly adopted or depict an important orientation, and identify several confusing wordings. Based on our findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone.
ASJC Scopus subject areas
- Computer Science (all)
- Computer Networks and Communications
- Engineering (all)
- Safety, Risk, Reliability and Quality
Cite
- Standard
- Harvard
- APA
- Vancouver
- BibTex
- RIS
Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022) : August 7-9, 2022, Boston, MA, USA. [Berkeley, CA], 2022. pp. 483-501.
Publication: Contribution to book/report/anthology/conference proceedings › Conference paper › Research › Peer-reviewed
TY - GEN
T1 - "As soon as it's a risk, i want to require MFA" How Administrators Configure Risk-based Authentication
AU - Markert, Philipp
AU - Schnitzler, Theodor
AU - Golla, Maximilian
AU - Dürmuth, Markus
N1 - Funding Information: We thank Julian Vogt for his help with the implementation of the study website. We also thank our shepherd and the reviewers for their insightful comments and feedback. This research was supported by the research training group "Human Centered Systems Security" sponsored by the state of North Rhine-Westphalia and funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA - 390781972.
PY - 2022
Y1 - 2022
N2 - Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA holds the opportunity to increase the overall security without burdening the user by limiting unnecessary security prompts to a minimum. Thus, it is crucial to understand how administrators interact with off-the-shelf RBA systems that assign a risk score to a login and require administrators to configure adequate responses. In this paper, we let n = 28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent semi-structured interviews, we asked them about the intentions behind their configurations and experiences with the RBA system. We find that administrators want to have a thorough understanding of the system they configure, show the importance of default settings as they are either directly adopted or depict an important orientation, and identify several confusing wordings. Based on our findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone.
AB - Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA holds the opportunity to increase the overall security without burdening the user by limiting unnecessary security prompts to a minimum. Thus, it is crucial to understand how administrators interact with off-the-shelf RBA systems that assign a risk score to a login and require administrators to configure adequate responses. In this paper, we let n = 28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent semi-structured interviews, we asked them about the intentions behind their configurations and experiences with the RBA system. We find that administrators want to have a thorough understanding of the system they configure, show the importance of default settings as they are either directly adopted or depict an important orientation, and identify several confusing wordings. Based on our findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone.
UR - http://www.scopus.com/inward/record.url?scp=85140890062&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85140890062
SP - 483
EP - 501
BT - Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022) : August 7-9, 2022, Boston, MA, USA
CY - [Berkeley, CA]
T2 - 18th Symposium on Usable Privacy and Security, SOUPS 2022
Y2 - 7 August 2022 through 9 August 2022
ER -