Details
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022): August 7-9, 2022, Boston, MA, USA |
| Place of Publication | [Berkeley, CA] |
| Pages | 483-501 |
| Number of pages | 19 |
| ISBN (electronic) | 9781939133304 |
| Publication status | Published - 2022 |
| Event | 18th Symposium on Usable Privacy and Security, SOUPS 2022 - Boston, United States |
| Duration | 7 Aug 2022 → 9 Aug 2022 |
Abstract
Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA offers the opportunity to increase overall security without burdening the user, by limiting unnecessary security prompts to a minimum. Thus, it is crucial to understand how administrators interact with off-the-shelf RBA systems that assign a risk score to a login and require administrators to configure adequate responses. In this paper, we let n = 28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent semi-structured interviews, we asked them about the intentions behind their configurations and their experiences with the RBA system. We find that administrators want to have a thorough understanding of the system they configure, show that default settings matter because they are either adopted directly or serve as an important point of orientation, and identify several confusing wordings. Based on our findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone.
ASJC Scopus subject areas
- Computer Science(all)
- Computer Networks and Communications
- Engineering(all)
- Safety, Risk, Reliability and Quality
Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022): August 7-9, 2022, Boston, MA, USA. [Berkeley, CA], 2022. p. 483-501.
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
TY - GEN
T1 - "As soon as it's a risk, I want to require MFA": How Administrators Configure Risk-based Authentication
AU - Markert, Philipp
AU - Schnitzler, Theodor
AU - Golla, Maximilian
AU - Dürmuth, Markus
N1 - Funding Information: We thank Julian Vogt for his help with the implementation of the study website. We also thank our shepherd and the reviewers for their insightful comments and feedback. This research was supported by the research training group "Human Centered Systems Security" sponsored by the state of North Rhine-Westphalia and funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA - 390781972.
PY - 2022
Y1 - 2022
UR - http://www.scopus.com/inward/record.url?scp=85140890062&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85140890062
SP - 483
EP - 501
BT - Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022): August 7-9, 2022, Boston, MA, USA
CY - [Berkeley, CA]
T2 - 18th Symposium on Usable Privacy and Security, SOUPS 2022
Y2 - 7 August 2022 through 9 August 2022
ER -