Risk-based Authentication of big online services

2 points by ldmail ↗ HN
Hi everyone, you've probably heard about Risk-based Authentication (RBA), which is recommended by NIST to improve password account security without decreasing usability. Some big online services use it, but keep it a secret. Well, this doesn't help smaller websites to protect their users against credential stuffing or password database leaks.

For this reason we black box tested eight popular online services [1] to find out more about their RBA implementations [2].

The technical paper and all the results:

https://riskbasedauthentication.org/

(Paper is accepted for IFIP SEC 2019)

[1] Facebook, Google, LinkedIn, Amazon, GOG.com, Steam, Twitch and iCloud

[2] We also disclose a vulnerability on Facebook which is now fixed.

0 comments

[ 3.1 ms ] story [ 12.2 ms ] thread

No comments yet.