Evaluating Login Challenges as a Defense Against Account Takeover
Abstract
In this paper, we study the efficacy of login challenges at preventing account
takeover, as well as evaluate the amount of friction these challenges create for
normal users. These secondary authentication factors---presently deployed at
Google, Microsoft, and other major identity providers as part of risk-aware
authentication---trigger in response to a suspicious login or account recovery
attempt. Using Google as a case study, we evaluate the effectiveness of fourteen
device-based, delegation-based, knowledge-based, and resource-based challenges
at preventing over 350,000 real-world hijacking attempts stemming from automated
bots, phishers, and targeted attackers. We show that knowledge-based challenges
prevent as few as 10% of hijacking attempts rooted in phishing and 73% of
automated hijacking attempts. Device-based challenges provide the best
protection, blocking over 94% of hijacking attempts rooted in phishing and
100% of automated hijacking attempts. We evaluate the usability limitations of
each challenge based on a sample of 1.2M legitimate users. Our results
illustrate that login challenges act as an important barrier to hijacking, but
that friction in the process leads to 52% of legitimate users failing to
sign-in---though 97% of users eventually access their account in a short period.
takeover, as well as evaluate the amount of friction these challenges create for
normal users. These secondary authentication factors---presently deployed at
Google, Microsoft, and other major identity providers as part of risk-aware
authentication---trigger in response to a suspicious login or account recovery
attempt. Using Google as a case study, we evaluate the effectiveness of fourteen
device-based, delegation-based, knowledge-based, and resource-based challenges
at preventing over 350,000 real-world hijacking attempts stemming from automated
bots, phishers, and targeted attackers. We show that knowledge-based challenges
prevent as few as 10% of hijacking attempts rooted in phishing and 73% of
automated hijacking attempts. Device-based challenges provide the best
protection, blocking over 94% of hijacking attempts rooted in phishing and
100% of automated hijacking attempts. We evaluate the usability limitations of
each challenge based on a sample of 1.2M legitimate users. Our results
illustrate that login challenges act as an important barrier to hijacking, but
that friction in the process leads to 52% of legitimate users failing to
sign-in---though 97% of users eventually access their account in a short period.