DOI: 10.1145/3308558.3313481

Evaluating Login Challenges as a Defense Against Account Takeover

Published: 13 May 2019

    Abstract

    In this paper, we study the efficacy of login challenges at preventing account takeover, as well as evaluate the amount of friction these challenges create for normal users. These secondary authentication factors, presently deployed at Google, Microsoft, and other major identity providers as part of risk-aware authentication, trigger in response to a suspicious login or account recovery attempt. Using Google as a case study, we evaluate the effectiveness of fourteen device-based, delegation-based, knowledge-based, and resource-based challenges at preventing over 350,000 real-world hijacking attempts stemming from automated bots, phishers, and targeted attackers. We show that knowledge-based challenges prevent as few as 10% of hijacking attempts rooted in phishing and 73% of automated hijacking attempts. Device-based challenges provide the best protection, blocking over 94% of hijacking attempts rooted in phishing and 100% of automated hijacking attempts. We evaluate the usability limitations of each challenge based on a sample of 1.2M legitimate users. Our results illustrate that login challenges act as an important barrier to hijacking, but that friction in the process leads to 52% of legitimate users failing to sign in, though 97% of users eventually access their account in a short period.
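    The risk-aware triggering the abstract describes, as an added worked example that is not the paper's code or any identity provider's implementation: a small policy engine scores a sign-in from a handful of signals, issues a secondary challenge only above a threshold, and prefers the challenge family that performed best in the study (device-based) over the weakest (knowledge-based), refusing to fall back to a knowledge-based challenge once the login looks like phishing or automation. The signal names, the weights, the thresholds and the scenarios at the bottom are assumptions chosen for illustration.

```python
# Added example: risk-aware challenge selection for a sign-in. Not from the
# paper or any identity provider; signal names, weights and thresholds are
# assumed values for illustration.
from dataclasses import dataclass, field
from enum import IntEnum


class Challenge(IntEnum):
    """Challenge families, ordered by how well they blocked hijacking in the
    study: device-based strongest, knowledge-based weakest."""
    NONE = 0
    KNOWLEDGE = 1    # e.g. recovery phone number, last sign-in location
    DELEGATION = 2   # e.g. code sent to a recovery e-mail address
    RESOURCE = 3     # e.g. SMS code to an enrolled phone
    DEVICE = 4       # e.g. on-device prompt, security key


DENY = "deny"  # a challenge is required but nothing strong enough is enrolled


@dataclass
class LoginContext:
    """Signals available once the password check succeeds (assumed names)."""
    known_device: bool = False          # previously verified device cookie present
    seen_ip_prefix: bool = False        # this /24 or ASN seen for the account before
    seen_country: bool = False
    impossible_travel: bool = False     # distance/time since last sign-in implausible
    bot_reputation: bool = False        # IP or client flagged by bot detection
    credential_in_breach: bool = False  # password matches a known leaked pair
    recovery_flow: bool = False         # account recovery rather than a normal sign-in
    enrolled: set = field(default_factory=set)  # Challenge values the user can answer


# Additive risk weights (assumed; a real deployment tunes these from data).
WEIGHTS = {
    "new_device": 30,
    "new_ip_prefix": 15,
    "new_country": 20,
    "impossible_travel": 35,
    "bot_reputation": 40,
    "credential_in_breach": 25,
    "recovery_flow": 30,
}
CHALLENGE_THRESHOLD = 30  # at or above: a secondary challenge is required
HIGH_RISK = 60            # at or above: knowledge-based challenges are not accepted


def risk_score(ctx: LoginContext) -> int:
    """Sum the weights of the suspicious signals present in ctx."""
    score = 0
    if not ctx.known_device:
        score += WEIGHTS["new_device"]
    if not ctx.seen_ip_prefix:
        score += WEIGHTS["new_ip_prefix"]
    if not ctx.seen_country:
        score += WEIGHTS["new_country"]
    if ctx.impossible_travel:
        score += WEIGHTS["impossible_travel"]
    if ctx.bot_reputation:
        score += WEIGHTS["bot_reputation"]
    if ctx.credential_in_breach:
        score += WEIGHTS["credential_in_breach"]
    if ctx.recovery_flow:
        score += WEIGHTS["recovery_flow"]
    return score


def choose_challenge(ctx: LoginContext):
    """Return Challenge.NONE, the Challenge to issue, or DENY.

    The strongest enrolled challenge wins. Knowledge-based challenges are only
    issued at moderate risk: a phisher who captured the password has usually
    captured the recovery phone number or last sign-in city too, so at high
    risk the policy skips them rather than hand the attacker an easy pass."""
    score = risk_score(ctx)
    if score < CHALLENGE_THRESHOLD:
        return Challenge.NONE
    for challenge in sorted(ctx.enrolled, reverse=True):  # strongest first
        if challenge == Challenge.NONE:
            continue
        if challenge == Challenge.KNOWLEDGE and score >= HIGH_RISK:
            continue
        return challenge
    return DENY


if __name__ == "__main__":
    # Constructed scenarios: a returning user, a new-device sign-in with a
    # security key enrolled, and an automated attempt on a knowledge-only account.
    trusted = LoginContext(known_device=True, seen_ip_prefix=True, seen_country=True)
    new_device = LoginContext(seen_ip_prefix=True, seen_country=True,
                              enrolled={Challenge.KNOWLEDGE, Challenge.DEVICE})
    bot = LoginContext(bot_reputation=True, enrolled={Challenge.KNOWLEDGE})
    for name, ctx in [("trusted", trusted), ("new_device", new_device), ("bot", bot)]:
        print(f"{name}: score={risk_score(ctx)} -> {choose_challenge(ctx)}")
```

    The DENY branch is where the friction the abstract measures comes from: a user whose only enrolled challenge is knowledge-based, signing in from a new device and country, has no acceptable path and would be routed to account recovery. Lowering HIGH_RISK trades more blocked hijacks for more such users, which is the tension the 52% and 97% figures quantify.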




    Published In

    WWW '19: The World Wide Web Conference
    May 2019
    3620 pages
    ISBN:9781450366748
    DOI:10.1145/3308558
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    In-Cooperation

    • IW3C2: International World Wide Web Conference Committee

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. account recovery
    2. account takeover
    3. two-factor authentication

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    WWW '19
    WWW '19: The Web Conference
    May 13 - 17, 2019
    San Francisco, CA, USA

    Acceptance Rates

    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

    Article Metrics

    • Downloads (Last 12 months)95
    • Downloads (Last 6 weeks)12
    Reflects downloads up to 12 Aug 2024

    Cited By
    • (2024) A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-12. doi:10.1145/3664476.3664478. Online publication date: 30-Jul-2024.
    • (2024) Understanding Users' Interaction with Login Notifications. Proceedings of the CHI Conference on Human Factors in Computing Systems, pp. 1-17. doi:10.1145/3613904.3642823. Online publication date: 11-May-2024.
    • (2024) Evidence-based cybersecurity policy? A meta-review of security control effectiveness. Journal of Cyber Policy 8(3), pp. 365-383. doi:10.1080/23738871.2024.2335461. Online publication date: 7-Apr-2024.
    • (2023) Adventures in recovery land. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, pp. 227-243. doi:10.5555/3632186.3632199. Online publication date: 7-Aug-2023.
    • (2023) Security and privacy failures in popular 2FA apps. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 2079-2096. doi:10.5555/3620237.3620354. Online publication date: 9-Aug-2023.
    • (2023) Araña. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1019-1036. doi:10.5555/3620237.3620295. Online publication date: 9-Aug-2023.
    • (2023) Reviewing the Usability of Web Authentication Procedures: Comparing the Current Procedures of 20 Websites. Sustainability 15(14), article 11043. doi:10.3390/su151411043. Online publication date: 14-Jul-2023.
    • (2023) Detecting Risky Authentication Using the OpenID Connect Token Exchange Time. Sensors 23(19), article 8256. doi:10.3390/s23198256. Online publication date: 5-Oct-2023.
    • (2023) Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example. Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy, pp. 237-243. doi:10.1145/3577923.3583634. Online publication date: 24-Apr-2023.
    • (2023) Evaluating the Security Posture of Real-World FIDO2 Deployments. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2381-2395. doi:10.1145/3576915.3623063. Online publication date: 15-Nov-2023.
