"As soon as it's a risk, I want to require MFA": How Administrators Configure Risk-based Authentication


Philipp Markert and Theodor Schnitzler, Ruhr University Bochum; Maximilian Golla, Max Planck Institute for Security and Privacy; Markus Dürmuth, Leibniz University Hannover


Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA holds the opportunity to increase the overall security without burdening the user by limiting unnecessary security prompts to a minimum. Thus, it is crucial to understand how administrators interact with off-the-shelf RBA systems that assign a risk score to a login and require administrators to configure adequate responses.

In this paper, we let n=28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent semi-structured interviews, we asked them about the intentions behind their configurations and experiences with the RBA system. We find that administrators want to have a thorough understanding of the system they configure, show the importance of default settings as they are either directly adopted or depict an important orientation, and identify several confusing wordings. Based on our findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {281234,
author = {Philipp Markert and Theodor Schnitzler and Maximilian Golla and Markus D{\"u}rmuth},
title = {"As soon as it{\textquoteright}s a risk, I want to require {MFA"}: How Administrators Configure Risk-based Authentication},
booktitle = {Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022)},
year = {2022},
isbn = {978-1-939133-30-4},
address = {Boston, MA},
pages = {483--501},
url = {https://www.usenix.org/conference/soups2022/presentation/markert},
publisher = {USENIX Association},
month = aug

Presentation Video