Who are you? A statistical approach to measuring user authenticity

Biggio, Battista; Giacinto, Giorgio
2016-01-01

Abstract

Passwords are used for user authentication by almost every Internet service today, despite a number of well-known weaknesses. Numerous attempts to replace passwords have failed, in part because changing users' behavior has proven to be difficult. One approach to strengthening password-based authentication without changing the user experience is to classify login attempts into normal and suspicious activity based on a number of parameters such as source IP, geo-location, browser configuration, time of day, and so on. For the suspicious attempts the service can then require additional verification, e.g., an additional phone-based authentication step. Systems working along these principles have been deployed by a number of Internet services but have never been studied publicly. In this work, we perform the first public evaluation of a classification system for user authentication. In particular: (i) We develop a statistical framework for identifying suspicious login attempts. (ii) We provide a systematic study of possible attackers against such a system, including attackers targeting the classifier itself. (iii) We develop a fully functional prototype implementation that can be evaluated efficiently on large datasets. (iv) We validate our system on a sample of real-life login data from LinkedIn as well as simulated attacks, and demonstrate that a majority of attacks can be prevented by imposing additional verification steps on only a small fraction of users.
Files in this record:

File: freeman16-ndss-final.pdf
Access: open access
Type: published version
Size: 763.88 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11584/133076
Citations
  • PMC: not available
  • Scopus: 90
  • ISI: 20