DOI: 10.5555/3620237.3620352

A study of multi-factor and risk-based authentication availability

Published: 09 August 2023

Abstract

Password-based authentication (PBA) remains the most popular form of user authentication on the web despite its long-understood insecurity. Given the deficiencies of PBA, many online services support multi-factor authentication (MFA) and/or risk-based authentication (RBA) to better secure user accounts. The security, usability, and implementations of MFA and RBA have been studied extensively, but attempts to measure their availability among popular web services have lacked breadth. Additionally, no study has analyzed MFA and RBA prevalence together or how the presence of Single-Sign-On (SSO) providers affects the availability of MFA and RBA on the web.
In this paper, we present a study of 208 popular sites in the Tranco top 5K that support account creation to understand the availability of MFA and RBA on the web, the additional authentication factors that can be used for MFA and RBA, and how logging into sites through more secure SSO providers changes the landscape of user authentication security. We find that only 42.31% of sites support any form of MFA, and only 22.12% of sites block an obvious account hijacking attempt. Though most sites do not offer MFA or RBA, SSO completely changes the picture. If one were to create an account for each site through an SSO provider that offers MFA and/or RBA, whenever available, 80.29% of sites would have access to MFA and 72.60% of sites would stop an obvious account hijacking attempt. However, this proliferation through SSO comes with a privacy trade-off, as nearly all SSO providers that support MFA and RBA are major third-party trackers.
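
The SSO-adjusted figures in the abstract follow one aggregation rule: a site counts as having MFA (or RBA) if it offers it natively, or if its sign-up page offers an SSO provider that does, and the privacy cost is the share of sites whose protection comes only through a provider that is also a tracker. The script below is an added illustration of that computation and is not code or data from the paper: the sites, providers and tracker flags are constructed sample data, and the preference order in choose_sso (a provider with both protections, then MFA only, then RBA only) is an assumption about how "whenever available" would be operationalized.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Provider:
    """An SSO identity provider and the protections an account created through it gets."""
    name: str
    mfa: bool        # provider lets the user enrol a second factor
    rba: bool        # provider challenges or blocks anomalous logins
    tracker: bool    # provider appears on a third-party tracker list (assumed for sample data)


@dataclass(frozen=True)
class Site:
    """One surveyed site: what it offers natively, and which SSO buttons its sign-up page shows."""
    domain: str
    native_mfa: bool
    native_rba: bool
    sso: Tuple[str, ...] = ()


# Constructed sample data for illustration only; these are not the paper's measurements.
PROVIDERS: Dict[str, Provider] = {
    "google":   Provider("google",   mfa=True,  rba=True,  tracker=True),
    "facebook": Provider("facebook", mfa=True,  rba=True,  tracker=True),
    "apple":    Provider("apple",    mfa=True,  rba=False, tracker=False),
    "legacyid": Provider("legacyid", mfa=False, rba=False, tracker=False),
}

SITES: List[Site] = [
    Site("shop.example",   native_mfa=False, native_rba=False, sso=("google", "facebook")),
    Site("news.example",   native_mfa=True,  native_rba=False),
    Site("forum.example",  native_mfa=False, native_rba=False, sso=("legacyid",)),
    Site("bank.example",   native_mfa=True,  native_rba=True),
    Site("photos.example", native_mfa=False, native_rba=False, sso=("apple",)),
]


def choose_sso(site: Site, providers: Dict[str, Provider]) -> Optional[Provider]:
    """Pick the SSO provider a security-conscious user would sign up with.

    Assumed preference order: both MFA and RBA, then MFA only, then RBA only.
    Returns None when no offered provider adds either protection.
    """
    best: Optional[Provider] = None
    best_score = 0
    for name in site.sso:
        p = providers[name]
        score = 2 * int(p.mfa) + int(p.rba)   # both=3, MFA-only=2, RBA-only=1, neither=0
        if score > best_score:
            best, best_score = p, score
    return best


def availability(sites: List[Site], providers: Dict[str, Provider]) -> Dict[str, Fraction]:
    """Share of sites with MFA/RBA natively, and after signing up through the best SSO provider."""
    n = len(sites)
    native_mfa = native_rba = sso_mfa = sso_rba = via_tracker = 0
    for s in sites:
        p = choose_sso(s, providers)
        has_mfa = s.native_mfa or (p is not None and p.mfa)
        has_rba = s.native_rba or (p is not None and p.rba)
        native_mfa += s.native_mfa
        native_rba += s.native_rba
        sso_mfa += has_mfa
        sso_rba += has_rba
        # Privacy trade-off: a protection this site gains only through an SSO provider that tracks.
        gained = (has_mfa and not s.native_mfa) or (has_rba and not s.native_rba)
        if p is not None and p.tracker and gained:
            via_tracker += 1
    return {
        "native_mfa": Fraction(native_mfa, n),
        "native_rba": Fraction(native_rba, n),
        "sso_mfa": Fraction(sso_mfa, n),
        "sso_rba": Fraction(sso_rba, n),
        "gained_via_tracker": Fraction(via_tracker, n),
    }


def as_percent(x: Fraction) -> str:
    """Render a fraction the way the abstract reports it, e.g. 42.31%."""
    return f"{float(x) * 100:.2f}%"


if __name__ == "__main__":
    for key, value in availability(SITES, PROVIDERS).items():
        print(f"{key:20s} {as_percent(value)}")
```

On the sample data, native MFA is 40% and native RBA 20%, but routing sign-up through the best available provider lifts them to 80% and 40%; the one site whose gain comes through google also lands in gained_via_tracker, which is the trade-off the abstract describes. Exact fractions are kept so the gap between the native and SSO-adjusted columns is not obscured by rounding.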

Cited By

  • (2024) Towards Availability of Strong Authentication in Remote and Disruption-Prone Operational Technology Environments. Proceedings of the 19th International Conference on Availability, Reliability and Security, pages 1-11. https://doi.org/10.1145/3664476.3671411. Online publication date: 30 July 2024.
  • (2024) A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web. Proceedings of the 19th International Conference on Availability, Reliability and Security, pages 1-12. https://doi.org/10.1145/3664476.3664478. Online publication date: 30 July 2024.

Published In

SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium
August 2023
7552 pages
ISBN:978-1-939133-37-3

Sponsors

  • Meta
  • Google Inc.
  • NSF
  • IBM
  • Futurewei Technologies

Publisher

USENIX Association

United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 40 of 100 submissions, 40%
