Any authentication better than none, Google, NYU say

A research paper by Google and New York University, titled Evaluating Login Challenges as a Defense Against Account Takeover, found that two-factor authentication can prevent bad actors from confiscating log-in credentials. This conclusion supports prior studies with comparable findings, but the research goes further by adding new metrics to the mix.

“Our analysis reveals that even weak, knowledge-based challenges can offer hijacking protections against automation to billions of users without requiring any enrollment,” researchers wrote. “That said, the security posture of users plays an important role in protecting against more sophisticated attacks.”

Presented at the 30th annual Web Conference, held May 17 to 19, 2019, in San Francisco, the report evaluated risk-based authentication methods. Consumers who use devices and secondary accounts to verify their identities are 10 times more protected against phishing and targeted attacks, according to the study. However, researchers found that even weak authentication can thwart hostile account takeovers.

Mounir Hahad, head of Juniper Threat Labs, Juniper Networks, remarked that Google and NYU researchers provided useful metrics but could have made specific recommendations based on their findings. Security analysts already know which methods are stronger than others, he stated.

“This study does not introduce any new protection mechanism,” Hahad said. “It only studies real world effectiveness of existing methods. We kind of knew qualitatively which methods are stronger than others and which created more friction with users, but having a quantitative study is very good so that risk can be better evaluated.”

Reinforcing passwords

Google and NYU researchers pointed out that while security analysts have been urging consumers to move beyond simple passwords, challenge questions and multifactor authentication methods can reinforce password security. They recommend using password keys to protect login credentials.

Following are additional key findings cited in the report:

• Knowledge-based challenges, such as recalling a secondary email address, prevented more than 73 percent of automated hijacking attempts but only 10 percent of phishing attacks.

• On-device prompts provide the strongest protection, blocking up to 99 percent of phishing attacks and 90 percent of targeted attacks.

• SMS-based challenges provided weaker protections, preventing only 96 percent of phishing attacks and 76 percent of targeted attacks.

• Risk-aware authentication in aggregate prevented over 99.99 percent of automated hijacking attempts and over 92 percent of phishing attacks.

• Within a short period of seeing a challenge, 97 percent of users regained access after being temporarily locked out of their accounts.

Hahad pointed out that consumers want simple, transparent, frictionless authentication, and they may reject complicated or cumbersome security schemes. Privacy concerns are also a factor. “Who among the general population knows how to or wants to go through the use of a third-party authenticator app or carry around a hardware token key?” he said.

He also discussed consumers’ reservations about SMS authentication. “As for the SMS code method, well, people will start giving Google their phone number when Google agrees to only use it solely for this purpose,” he said, adding that Google can already map Android users’ online activities with their phone numbers. “In general, it is a very good idea to enable two-factor authentication wherever you can,” he noted.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.