Evaluating login challenges as a defense against account takeover

Periwinkle Doerfler, Maija Marincenko, Juri Ranieri, Yu Jiang, Angelika Moscicki, Damon McCoy, Kurt Thomas

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

    Abstract

    In this paper, we study the efficacy of login challenges at preventing account takeover, and we evaluate the amount of friction these challenges create for normal users. These secondary authentication factors, presently deployed at Google, Microsoft, and other major identity providers as part of risk-aware authentication, trigger in response to a suspicious login or account recovery attempt. Using Google as a case study, we evaluate the effectiveness of fourteen device-based, delegation-based, knowledge-based, and resource-based challenges at preventing over 350,000 real-world hijacking attempts stemming from automated bots, phishers, and targeted attackers. We show that knowledge-based challenges prevent as few as 10% of hijacking attempts rooted in phishing and 73% of automated hijacking attempts. Device-based challenges provide the best protection, blocking over 94% of hijacking attempts rooted in phishing and 100% of automated hijacking attempts. We evaluate the usability limitations of each challenge based on a sample of 1.2M legitimate users. Our results illustrate that login challenges act as an important barrier to hijacking, but that friction in the process leads to 52% of legitimate users failing to sign in, though 97% of users eventually access their account in a short period.

    Original language: English (US)
    Title of host publication: The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019
    Publisher: Association for Computing Machinery, Inc
    Pages: 372-382
    Number of pages: 11
    ISBN (Electronic): 9781450366748
    DOIs: https://doi.org/10.1145/3308558.3313481
    State: Published - May 13 2019
    Event: 2019 World Wide Web Conference, WWW 2019 - San Francisco, United States
    Duration: May 13 2019 - May 17 2019

    Publication series

    Name: The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019

    Conference

    Conference: 2019 World Wide Web Conference, WWW 2019
    Country: United States
    City: San Francisco
    Period: 5/13/19 - 5/17/19

    Keywords

    • Account recovery
    • Account takeover
    • Two-factor authentication

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Software


    Cite this

    Doerfler, P., Marincenko, M., Ranieri, J., Jiang, Y., Moscicki, A., McCoy, D., & Thomas, K. (2019). Evaluating login challenges as a defense against account takeover. In The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019 (pp. 372-382). (The Web Conference 2019 - Proceedings of the World Wide Web Conference, WWW 2019). Association for Computing Machinery, Inc. https://doi.org/10.1145/3308558.3313481