Passwords are used for user authentication by almost every Internet service today, despite a number of well- known weaknesses. Numerous attempts to replace passwords have failed, in part because changing users’ behavior has proven to be difficult. One approach to strengthening password-based authentication without changing user experience is to classify login attempts into normal and suspicious activity based on a number of parameters such as source IP, geo-location, browser configuration, time of day, and so on. For the suspicious attempts the service can then require additional verification, e.g., by an additional phone-based authentication step. Systems working along these principles have been deployed by a number of Internet services but have never been studied publicly. In this work, we perform the first public evaluation of a classification system for user authentication. In particular: (i) We develop a statistical framework for identifying suspicious login attempts. (ii) We provide a systematic study of possible attackers against such a system, including attackers targeting the classifier itself. (iii) We develop a fully functional prototype implementation, that can be evaluated efficiently on large datasets. (iv) We validate our system on a sample of real-life login data from LinkedIn as well as simulated attacks, and demonstrate that a majority of attacks can be prevented by imposing additional verification steps on only a small fraction of users.
Who are you? A statistical approach to measuring user authenticity
BIGGIO, BATTISTA;GIACINTO, GIORGIO
2016-01-01
Abstract
Passwords are used for user authentication by almost every Internet service today, despite a number of well- known weaknesses. Numerous attempts to replace passwords have failed, in part because changing users’ behavior has proven to be difficult. One approach to strengthening password-based authentication without changing user experience is to classify login attempts into normal and suspicious activity based on a number of parameters such as source IP, geo-location, browser configuration, time of day, and so on. For the suspicious attempts the service can then require additional verification, e.g., by an additional phone-based authentication step. Systems working along these principles have been deployed by a number of Internet services but have never been studied publicly. In this work, we perform the first public evaluation of a classification system for user authentication. In particular: (i) We develop a statistical framework for identifying suspicious login attempts. (ii) We provide a systematic study of possible attackers against such a system, including attackers targeting the classifier itself. (iii) We develop a fully functional prototype implementation, that can be evaluated efficiently on large datasets. (iv) We validate our system on a sample of real-life login data from LinkedIn as well as simulated attacks, and demonstrate that a majority of attacks can be prevented by imposing additional verification steps on only a small fraction of users.File | Dimensione | Formato | |
---|---|---|---|
freeman16-ndss-final.pdf
accesso aperto
Tipologia:
versione editoriale (VoR)
Dimensione
763.88 kB
Formato
Adobe PDF
|
763.88 kB | Adobe PDF | Visualizza/Apri |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.