Online services have difficulty replacing passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing. Risk-Based Authentication (RBA) can serve as an interim solution to increase password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice may be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, which is the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers.
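To make the mechanism the abstract refers to concrete, the following is an added, self-contained sketch of a Freeman-et-al.-style RBA risk score; it is not the paper's OpenStack implementation and not the authors' code. It follows the structure of the Freeman et al. approach as commonly described: each login feature (here a constructed pair, `country` and `user_agent`) is scored by the ratio of its probability under an attacker, approximated by the global feature distribution, to its probability under the legitimate user, estimated from that user's own history. The additive smoothing in `p_legit`, the feature set, the constructed login history and the `allow` / `request_2fa` / `block` thresholds in `decide` are all assumptions chosen for illustration; the published algorithm uses a more elaborate back-off for unseen values.

```python
from collections import Counter, defaultdict
from typing import Dict

# Constructed feature set for the example; a real RBA deployment would use
# more (IP address, ASN, login time, device fingerprint, ...).
FEATURES = ("country", "user_agent")


class RiskScorer:
    """Likelihood-ratio risk score in the spirit of Freeman et al. (simplified)."""

    def __init__(self, alpha: float = 1.0):
        # alpha: assumed smoothing weight pulling a user's estimate toward the global one
        self.alpha = alpha
        self.global_counts = {f: Counter() for f in FEATURES}
        self.user_counts = defaultdict(lambda: {f: Counter() for f in FEATURES})
        self.user_logins = Counter()
        self.total_logins = 0

    def record_login(self, user: str, login: Dict[str, str]) -> None:
        """Add a successful, trusted login to both the global and per-user history."""
        for f in FEATURES:
            self.global_counts[f][login[f]] += 1
            self.user_counts[user][f][login[f]] += 1
        self.user_logins[user] += 1
        self.total_logins += 1

    def p_attack(self, f: str, value: str) -> float:
        """p(x_k | attack): attackers are assumed to draw feature values from the
        global population, estimated with Laplace smoothing so unseen values are non-zero."""
        vocab = len(self.global_counts[f]) + 1
        return (self.global_counts[f][value] + 1) / (self.total_logins + vocab)

    def p_legit(self, user: str, f: str, value: str) -> float:
        """p(x_k | user, legitimate): the user's own history, backed off to the
        global distribution with weight alpha (assumed smoothing, not the paper's)."""
        n_u = self.user_logins[user]
        seen = self.user_counts[user][f][value]
        return (seen + self.alpha * self.p_attack(f, value)) / (n_u + self.alpha)

    def score(self, user: str, login: Dict[str, str]) -> float:
        """Product over features of p(x_k|A) / p(x_k|u,L); higher means riskier.
        A value the user has never shown contributes (n_u + alpha) / alpha, so the
        penalty grows with how much history the user already has."""
        s = 1.0
        for f in FEATURES:
            s *= self.p_attack(f, login[f]) / self.p_legit(user, f, login[f])
        return s


def decide(score: float, low: float = 1.0, high: float = 10.0) -> str:
    """Map a risk score to an RBA action; thresholds are assumptions for the example."""
    if score < low:
        return "allow"
    if score < high:
        return "request_2fa"
    return "block"


def build_example_scorer() -> RiskScorer:
    """Constructed login history for three users (sample data, not real logs)."""
    scorer = RiskScorer()
    for _ in range(10):
        scorer.record_login("alice", {"country": "DE", "user_agent": "Firefox"})
    for _ in range(5):
        scorer.record_login("bob", {"country": "US", "user_agent": "Chrome"})
    for _ in range(3):
        scorer.record_login("carol", {"country": "DE", "user_agent": "Chrome"})
    return scorer


if __name__ == "__main__":
    scorer = build_example_scorer()
    for login in ({"country": "DE", "user_agent": "Firefox"},
                  {"country": "DE", "user_agent": "Chrome"},
                  {"country": "US", "user_agent": "Chrome"}):
        s = scorer.score("alice", login)
        print(f"alice {login}: score={s:.3f} -> {decide(s)}")
```

Two properties worth noticing when running it: a user with no history at all (for example `scorer.score("dave", ...)`) gets a score of exactly 1.0, because the user estimate collapses to the global one, so the thresholds above step such a user up to 2FA rather than silently allowing them; and a single unfamiliar feature for a well-known user lands in the `request_2fa` band while two unfamiliar features push the score into `block`, which is the graduated response RBA is meant to provide.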