Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication (2403.11798v1)

Published 18 Mar 2024 in cs.CR

Abstract: Risk-based authentication (RBA) is used in online services to protect user accounts from unauthorized takeover. RBA commonly uses contextual features that indicate a suspicious login attempt when the characteristic attributes of the login context deviate from known and thus expected values. Previous research on RBA and anomaly detection in authentication has mainly focused on the login process. However, recent attacks have revealed vulnerabilities in other parts of the authentication process, specifically in the account recovery function. Consequently, to ensure comprehensive authentication security, the use of anomaly detection in the context of account recovery must also be investigated. This paper presents the first study to investigate risk-based account recovery (RBAR) in the wild. We analyzed the adoption of RBAR by five prominent online services (that are known to use RBA). Our findings confirm the use of RBAR at Google, LinkedIn, and Amazon. Furthermore, we provide insights into the different RBAR mechanisms of these services and explore the impact of multi-factor authentication on them. Based on our findings, we create a first maturity model for RBAR challenges. The goal of our work is to help developers, administrators, and policy-makers gain an initial understanding of RBAR and to encourage further research in this direction.
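The abstract describes RBA as comparing the contextual features of a request (location, network, client, device) against the values known for that account, and argues the same anomaly check belongs in account recovery. The following is an added example, not the paper's model or any of the studied services' logic, that applies this idea to a password-reset request: a recovery attempt whose context deviates from the account's login history is scored and mapped to progressively stronger recovery challenges, with MFA enrollment preventing recovery from becoming a second-factor bypass. The feature set, weights, thresholds, challenge names and the login history are all assumptions constructed for the illustration.

```python
"""Toy risk-based account recovery (RBAR) decision, built for illustration.

Feature names, weights, thresholds and challenge labels are assumptions for
this example; they are not taken from the paper or from any provider.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Context features an RBA/RBAR system can observe on a request (assumed set).
FEATURES = ("country", "asn", "ua_family", "device_id")

# Assumed weights: a value never seen for this account adds the full weight.
WEIGHTS = {"country": 0.4, "asn": 0.3, "ua_family": 0.1, "device_id": 0.2}


@dataclass
class UserProfile:
    mfa_enrolled: bool
    # history[feature] -> {observed value: number of past successful logins}
    history: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def record_login(self, ctx: Dict[str, str]) -> None:
        """Update the per-feature value counts after a successful login."""
        for f in FEATURES:
            counts = self.history.setdefault(f, {})
            counts[ctx[f]] = counts.get(ctx[f], 0) + 1


def risk_score(profile: UserProfile, ctx: Dict[str, str]) -> float:
    """Sum the weights of features whose value deviates from known values.

    An unseen value adds the full weight; a previously seen value adds weight
    scaled by how rarely it was seen, so an unusual but known client still
    contributes some risk. Result is rounded to three decimals.
    """
    score = 0.0
    for f in FEATURES:
        seen = profile.history.get(f, {})
        total = sum(seen.values())
        if total == 0 or ctx[f] not in seen:
            score += WEIGHTS[f]
        else:
            score += WEIGHTS[f] * (1 - seen[ctx[f]] / total)
    return round(score, 3)


def recovery_challenge(profile: UserProfile, ctx: Dict[str, str]) -> List[str]:
    """Map the recovery request's risk to the challenges the service requires."""
    score = risk_score(profile, ctx)
    if profile.mfa_enrolled:
        # Recovery must not bypass the enrolled second factor: require it (or a
        # pre-issued recovery code) regardless of how familiar the context is.
        challenges = ["mfa_factor_or_recovery_code"]
    else:
        challenges = ["email_link"]
    if score >= 0.7:
        challenges.append("manual_review_delay")
    elif score >= 0.3:
        challenges.append("secondary_channel_code")
    return challenges


def build_sample_profile(mfa_enrolled: bool = False) -> UserProfile:
    """Constructed login history for the example (not real data)."""
    profile = UserProfile(mfa_enrolled=mfa_enrolled)
    usual = {"country": "DE", "asn": "AS3320", "ua_family": "Chrome", "device_id": "dev-A"}
    for _ in range(9):
        profile.record_login(usual)
    profile.record_login({**usual, "ua_family": "Firefox"})  # one login from another browser
    return profile


if __name__ == "__main__":
    p = build_sample_profile()
    usual = {"country": "DE", "asn": "AS3320", "ua_family": "Chrome", "device_id": "dev-A"}
    foreign = {"country": "BR", "asn": "AS28573", "ua_family": "Chrome", "device_id": "dev-Z"}
    print(risk_score(p, usual), recovery_challenge(p, usual))
    print(risk_score(p, foreign), recovery_challenge(p, foreign))
```

The scoring is deliberately simple so the decision boundary is visible: a reset from the account's usual context gets only the baseline channel, a reset from an unknown country, network and device is held for review, and a reset on an MFA-enrolled account always demands the enrolled factor, which is the interaction between recovery and multi-factor authentication the abstract says the study examines.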
