DOI: 10.1145/3577923.3583634

Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example

Published: 24 April 2023

Abstract

Online services have difficulty replacing passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing. Risk-Based Authentication (RBA) can serve as an interim solution to increase password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice may be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, which is the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers.
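The abstract names the Freeman et al. algorithm [9] as the basis of the implementation without spelling it out. The following is an added, self-contained Python illustration of the algorithm's core idea, not code from the paper, from OpenStack, or from the das-group rba-algorithm repository [32]: a login attempt by user u with feature vector x is scored as the product over features of p(x_k | A) / p(x_k | u, L), multiplied by the user prior p(u | A) / p(u | L), and a score above a threshold triggers re-authentication. The feature set (IP, user agent, country), the additive smoothing with back-off to the global distribution, the uniform attacker prior over users, the threshold value and the login history are all assumptions made for this example; Freeman et al. derive their smoothing and attacker model differently, so treat this as a sketch of the scoring structure rather than a faithful reimplementation.

```python
"""Illustrative Freeman-style risk score for risk-based authentication.

Hypothetical example (not the paper's OpenStack code and not the das-group
rba-algorithm): a login is scored as

    S(u, x) = [p(u|A) / p(u|L)] * prod_k p(x_k|A) / p(x_k|u,L)

and a higher score means a riskier login. The smoothing, the attacker
model (features drawn from the global legitimate population) and the
feature set are simplifying assumptions made for this example.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable

# Feature set is an assumption; Freeman et al. focus on IP and user agent.
FEATURES = ("ip", "user_agent", "country")


class RiskScorer:
    def __init__(self, feature_names: Iterable[str] = FEATURES, alpha: float = 1.0):
        self.features = tuple(feature_names)
        self.alpha = alpha  # additive-smoothing weight (assumption)
        self.global_counts = {f: Counter() for f in self.features}
        self.user_counts = defaultdict(lambda: {f: Counter() for f in self.features})
        self.logins_per_user = Counter()
        self.total_logins = 0

    def record_login(self, user: str, login: Dict[str, str]) -> None:
        """Update the history after a login the service accepted as legitimate."""
        for f in self.features:
            self.global_counts[f][login[f]] += 1
            self.user_counts[user][f][login[f]] += 1
        self.logins_per_user[user] += 1
        self.total_logins += 1

    def _p_global(self, f: str, value: str) -> float:
        # p(x_k | L): global legitimate frequency; smoothed so that a value
        # never seen by anyone still gets non-zero mass.
        c = self.global_counts[f]
        return (c[value] + self.alpha) / (self.total_logins + self.alpha * (len(c) + 1))

    def _p_user(self, user: str, f: str, value: str) -> float:
        # p(x_k | u, L): per-user frequency, backing off to the global
        # distribution for values this user has never shown (assumed smoothing).
        c = self.user_counts[user][f]
        n = self.logins_per_user[user]
        return (c[value] + self.alpha * self._p_global(f, value)) / (n + self.alpha)

    def score(self, user: str, login: Dict[str, str]) -> float:
        """Risk score of a login attempt; higher means more suspicious."""
        n_users = max(len(self.logins_per_user), 1)
        # Attacker model (assumption): the attacker targets users uniformly,
        # p(u|A) = 1/N, and draws features from the global population,
        # p(x_k|A) = p(x_k|L), so the feature term becomes p(x_k|L)/p(x_k|u,L).
        p_u_attack = 1.0 / n_users
        p_u_legit = (self.logins_per_user[user] + self.alpha) / (
            self.total_logins + self.alpha * n_users
        )
        s = p_u_attack / p_u_legit
        for f in self.features:
            v = login[f]
            s *= self._p_global(f, v) / self._p_user(user, f, v)
        return s


def decide(scorer: RiskScorer, user: str, login: Dict[str, str], threshold: float) -> str:
    """Policy step: ask for re-authentication when the score crosses the threshold."""
    return "reauth" if scorer.score(user, login) >= threshold else "allow"


def build_demo_scorer() -> RiskScorer:
    """Constructed sample history (not real data): two users, stable devices."""
    scorer = RiskScorer()
    for _ in range(5):
        scorer.record_login(
            "alice", {"ip": "203.0.113.7", "user_agent": "Firefox/118", "country": "DE"}
        )
    for _ in range(3):
        scorer.record_login(
            "bob", {"ip": "198.51.100.4", "user_agent": "Chrome/118", "country": "US"}
        )
    return scorer


if __name__ == "__main__":
    s = build_demo_scorer()
    usual = {"ip": "203.0.113.7", "user_agent": "Firefox/118", "country": "DE"}
    unknown = {"ip": "192.0.2.9", "user_agent": "Chrome/118", "country": "US"}
    for name, attempt in (("usual device", usual), ("unknown device", unknown)):
        print(f"alice from {name}: score={s.score('alice', attempt):.3f} "
              f"-> {decide(s, 'alice', attempt, threshold=10.0)}")
```

With the constructed history, alice's usual device scores below 1 while a login with an unseen IP, browser and country scores 180: each unseen feature contributes a factor (n + alpha) / alpha = 6, so the penalty grows with how much history the user has. That is the property an RBA deployment relies on: the more consistent a user's past logins, the more an outlier stands out, which is why a cold-start user with little history should be handled by a separate policy rather than by this score alone.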

References

[1] Akamai. 2019. Credential Stuffing: Attacks and Economies. [state of the internet] / security, Vol. 5, Special Media Edition (April 2019). https://web.archive.org/web/20210824114851/https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-credential-stuffing-attacks-and-economies-report-2019.pdf
[2] Furkan Alaca and P. C. van Oorschot. 2016. Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods. In 32nd Annual Computer Security Applications Conference (ACSAC '16). ACM, 289--301. https://doi.org/10.1145/2991079.2991091
[3] Nampoina Andriamilanto, Tristan Allard, and Gaëtan Le Guelvouit. 2021. "Guess Who?" Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication. In Innovative Mobile and Internet Services in Ubiquitous Computing. Springer, Cham, 161--172. https://doi.org/10.1007/978-3-030-50399-4_16
[4] Australian Cyber Security Centre. 2021. Australian Government Information Security Manual. Technical Report. https://web.archive.org/web/20210830131917/https://www.cyber.gov.au/sites/default/files/2021-06/01.%20ISM%20-%20Using%20the%20Australian%20Government%20Information%20Security%20Manual%20(June%202021).pdf
[5] Joseph R. Biden Jr. 2021. Executive Order on Improving the Nation's Cybersecurity. The White House (May 2021). https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[6] Anne Bumiller, Olivier Barais, Nicolas Aillery, and Gael Le Lan. 2022. Towards a Better Understanding of Impersonation Risks. In 15th International Conference on Security of Information and Networks (SIN '22). IEEE, Sousse, Tunisia. https://doi.org/10.1109/SIN56466.2022.9970540
[7] Periwinkle Doerfler, Kurt Thomas, Maija Marincenko, Juri Ranieri, Yu Jiang, Angelika Moscicki, and Damon McCoy. 2019. Evaluating Login Challenges as a Defense Against Account Takeover. In The World Wide Web Conference (WWW '19). ACM, 372--382. https://doi.org/10.1145/3308558.3313481
[8] Jonathan Dutson, Danny Allen, Dennis Eggett, and Kent Seamons. 2019. "Don't punish all of us": Measuring User Attitudes about Two-Factor Authentication. In 4th European Workshop on Usable Security (EuroUSEC '19). https://doi.org/10.1109/EuroSPW.2019.00020
[9] David Freeman, Sakshi Jain, Markus Dürmuth, Battista Biggio, and Giorgio Giacinto. 2016. Who Are You? A Statistical Approach to Measuring User Authenticity. In 2016 Network and Distributed System Security Symposium (NDSS '16). Internet Society.
[10] Ajit Gaddam. 2019. Usage of Behavioral Biometric Technologies to Defend Against Bots. In Enigma 2019. USENIX Association.
[11] Simson L. Garfinkel. 2005. Design principles and patterns for computer systems that are simultaneously secure and usable. Ph.D. Dissertation. Massachusetts Institute of Technology.
[12] Anthony Gavazzi, Ryan Williams, Engin Kirda, Long Lu, Andre King, Andy Davis, and Tim Leek. 2023. A Study of Multi-Factor and Risk-Based Authentication Availability. In 32nd USENIX Security Symposium (USENIX Security '23). USENIX Association, Anaheim, CA, USA.
[13] P. A. Grassi, M. E. Garcia, and J. L. Fenton. 2017. Digital Identity Guidelines. NIST Special Publication 800-63-3. National Institute of Standards and Technology, Gaithersburg, MD 20899-2000. https://doi.org/10.6028/NIST.SP.800-63-3
[14] J. Hawkinson. 1996. Guidelines for creation, selection, and registration of an Autonomous System (AS). RFC 1930. https://www.rfc-editor.org/rfc/rfc1930.html
[15] ISO 3166 Maintenance Agency. 2020. ISO 3166-1:2020(en) Codes for the representation of names of countries and their subdivisions - Part 1: Country code. ISO 3166-1. https://www.iso.org/obp/ui/#iso:std:iso:3166:-1:ed-4:v1:en
[16] Tom Le Bras. 2015. Online Overload -- It's Worse Than You Thought. https://web.archive.org/web/20150919202348/https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/
[17] Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczynski, and Wouter Joosen. 2019. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. In 2019 Network and Distributed System Security Symposium (NDSS '19). Internet Society. https://doi.org/10.14722/ndss.2019.23386
[18] Philipp Markert, Theodor Schnitzler, Maximilian Golla, and Markus Dürmuth. 2022. "As soon as it's a risk, I want to require MFA": How Administrators Configure Risk-based Authentication. In Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022). USENIX Association, Boston, MA, 483--501. https://www.usenix.org/conference/soups2022/presentation/markert
[19] Grzegorz Milka. 2018. Anatomy of Account Takeover. In Enigma 2018. USENIX Association. https://www.usenix.org/node/208154
[20] Paul Miller and Lauren E. Nelson. 2015. Brief: OpenStack Is Now Ready For Business. Forrester Report Brief (Sept. 2015).
[21] Robert Morris and Ken Thompson. 1979. Password security: A case history. Commun. ACM, Vol. 22, 11 (Nov. 1979), 594--597. https://doi.org/10.1145/359168.359172
[22] D. M'Raihi, M. Bellare, F. Hoornaert, D. Naccache, and O. Ranen. 2005. HOTP: An HMAC-Based One-Time Password Algorithm. RFC 4226. https://doi.org/10.17487/RFC4226
[23] National Cyber Security Centre. 2018. Cloud security guidance: 10, Identity and authentication. Technical Report. https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles/identity-and-authentication
[24] Lily Hay Newman. 2021. Facebook Will Force More At-Risk Accounts to Use Two-Factor. https://web.archive.org/web/20211212185008/https://www.wired.com/story/facebook-protect-two-factor-authentication-requirement/
[25] Thanasis Petsas, Giorgos Tsirantonakis, Elias Athanasopoulos, and Sotiris Ioannidis. 2015. Two-factor Authentication: Is the World Ready?: Quantifying 2FA Adoption. In Eighth European Workshop on System Security (EuroSec '15). ACM. https://doi.org/10.1145/2751323.2751327
[26] PyData Development Team. 2020. pandas documentation. https://pandas.pydata.org/pandas-docs/version/1.1.5/
[27] Nils Quermann, Marian Harbach, and Markus Dürmuth. 2018. The State of User Authentication in the Wild. In Who are you?! Adventures in Authentication Workshop 2018 (WAY '18). https://wayworkshop.org/2018/papers/way2018-quermann.pdf
[28] Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons. 2019. A Usability Study of Five Two-Factor Authentication Methods. In Fifteenth Symposium on Usable Privacy and Security (SOUPS '19). USENIX Association, 357--370. https://www.usenix.org/conference/soups2019/presentation/reese
[29] IEEE Spectrum. 2022. Top Programming Languages 2022. https://spectrum.ieee.org/top-programming-languages-2022
[30] Costas Tsaousis. 2022. All Cybercrime IP Feeds. https://iplists.firehol.org/
[31] Twitter. 2022. Account Security - Twitter Transparency Center. https://web.archive.org/web/20220211182429/https://transparency.twitter.com/en/reports/account-security.html#2021-jan-jun
[32] Stephan Wiefling. 2022. Basic Algorithm for Risk-Based Authentication. https://github.com/das-group/rba-algorithm
[33] Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono. 2020a. More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication. In 36th Annual Computer Security Applications Conference (ACSAC '20). ACM, 203--218. https://doi.org/10.1145/3427228.3427243
[34] Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono. 2021a. What's in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics. In 25th International Conference on Financial Cryptography and Data Security (FC '21). Springer, 361--381. https://doi.org/10.1007/978-3-662-64331-0_19
[35] Stephan Wiefling, Paul René Jørgensen, Sigurd Thunem, and Luigi Lo Iacono. 2023. Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service. ACM Transactions on Privacy and Security, Vol. 26, 1, Article 6 (2023). https://doi.org/10.1145/3546069
[36] Stephan Wiefling, Luigi Lo Iacono, and Markus Dürmuth. 2019. Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In 34th IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC '19). Springer, 134--148. https://doi.org/10.1007/978-3-030-22312-0_10
[37] Stephan Wiefling, Tanvi Patil, Markus Dürmuth, and Luigi Lo Iacono. 2020b. Evaluation of Risk-based Re-Authentication Methods. In 35th IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC '20). Springer, 280--294. https://doi.org/10.1007/978-3-030-58201-2_19
[38] Stephan Wiefling, Jan Tolsdorf, and Luigi Lo Iacono. 2021b. Privacy Considerations for Risk-Based Authentication Systems. In 2021 International Workshop on Privacy Engineering (IWPE '21). IEEE, 320--327. https://doi.org/10.1109/EuroSPW54576.2021.00040

Cited By

  • (2024) A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web. In Proceedings of the 19th International Conference on Availability, Reliability and Security, 1--12. https://doi.org/10.1145/3664476.3664478. Online publication date: 30 July 2024.


Published In

CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy
April 2023, 304 pages
ISBN: 9798400700675
DOI: 10.1145/3577923

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. implementation challenges
  2. openstack
  3. risk-based authentication

Qualifiers

  • Short-paper

Conference

CODASPY '23

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%
