On Risk-Based Authentication

Interesting usability study: “More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication”:

Abstract: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.

We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users’ perception of RBA and helps to improve RBA implementations for a broader user acceptance.

Paper’s website. I’ve blogged about risk-based authentication before.
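The abstract describes RBA as comparing the features observed at login against those seen at earlier logins and stepping up to an extra factor when they differ significantly. The following is an added example of that decision logic, not code from the paper or the post; the feature names, weights, threshold and sample logins are constructed for illustration.

```python
# Added example: a minimal risk-based authentication (RBA) decision of the kind
# the abstract describes. Feature names, weights and threshold are constructed.
from collections import Counter
from dataclasses import dataclass, field

# Weight = how much an unfamiliar value of that feature raises the risk score.
FEATURE_WEIGHTS = {"ip_prefix": 0.5, "user_agent": 0.3, "country": 0.6}
STEP_UP_THRESHOLD = 0.5  # above this, demand an additional factor (e.g. a code)


@dataclass
class LoginHistory:
    """Per-user counts of feature values seen at earlier successful logins."""
    seen: dict = field(
        default_factory=lambda: {name: Counter() for name in FEATURE_WEIGHTS}
    )

    def record(self, features: dict) -> None:
        """Store the features of a login that completed successfully."""
        for name, value in features.items():
            self.seen[name][value] += 1

    def risk_score(self, features: dict) -> float:
        """Each feature adds weight * (1 - share of past logins with this value).
        A never-seen value adds its full weight; so does every feature when the
        user has no history at all, so a first login always steps up."""
        score = 0.0
        for name, weight in FEATURE_WEIGHTS.items():
            counter = self.seen[name]
            total = sum(counter.values())
            frequency = counter[features[name]] / total if total else 0.0
            score += weight * (1.0 - frequency)
        return round(score, 3)


def decide(history: LoginHistory, features: dict) -> str:
    """Return 'allow' or 'step_up' (require an additional authentication factor)."""
    return "step_up" if history.risk_score(features) > STEP_UP_THRESHOLD else "allow"


# Constructed sample history: three earlier logins from one network and browser.
USUAL = {"ip_prefix": "203.0.113.0/24", "user_agent": "Firefox/80", "country": "DE"}
NEW_BROWSER = {"ip_prefix": "203.0.113.0/24", "user_agent": "Chrome/85", "country": "DE"}
NEW_COUNTRY = {"ip_prefix": "198.51.100.0/24", "user_agent": "Firefox/80", "country": "BR"}
HISTORY = LoginHistory()
for _ in range(3):
    HISTORY.record(USUAL)

if __name__ == "__main__":
    for label, f in (("usual", USUAL), ("new browser", NEW_BROWSER), ("new country", NEW_COUNTRY)):
        print(f"{label}: score={HISTORY.risk_score(f)} -> {decide(HISTORY, f)}")
```

A browser change alone stays under the threshold, while a new network plus a new country triggers the step-up; the weights are where a real deployment encodes how much each signal is trusted.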

Nihilistic Password Security Questions

Farewell and adieu to you… • September 18, 2020 4:59 PM

I don’t know what the laws are like where most people are but,

“What is your ex-wife’s newest last name?”

Would be considered a celebration, not Nihilistic in a number of places.

Because that would mean she had got married again, which under archaic laws means she’s someone else’s legal responsibility now. So,

1, No more alimony check,

And in some places,

2, No more child support,

3, The required selling out from under the new “happy couple” of the old matrimonial home…

But at the very least you will know you are not the only one without “the sense God gave a goose” and in all probability she was better looking back when you made that mistake so your excuse is slightly better.

But joking aside, the sad truth is the only people that win in divorces are those shark lawyers.

So the way to stop them taking a bite out of either of the now no longer happy couple is don’t get in their clutches…

And the best way to do that as it’s been said on this blog,

“The prelude to divorce is marriage, if you don’t get married you can’t get divorced”

Also remember pre-nups may not be valid if you move or a legislator inks a new law…

Password1, Password2, Password3 no more: Microsoft drops password expiration rec

For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those corporations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end-users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That reality is no longer: the latest draft for the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.

The rationale for the previous policy is that it limits the impact a stolen password can have—a stolen password will automatically become invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because computer users don’t like picking or remembering new passwords. Instead, they’ll do something like pick a simple password and then increment a number on the end of the password, making it easy to “generate” a new password whenever they’re forced to.
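The article's point is that forced rotation is satisfied by bumping a trailing number. As an added example (not from the article or from Microsoft's baseline), here is a password-change check that rejects exactly that pattern; the normalisation rules and similarity threshold are constructed assumptions, and the check can only run at change time, when the user supplies the old password in clear, since stored hashes cannot be compared this way.

```python
# Added example: reject "Password1 -> Password2" style changes at password-change
# time. Rules and threshold are constructed; they are not a Microsoft policy.
import re
from difflib import SequenceMatcher

TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")
MAX_SIMILARITY = 0.8  # constructed: ratio at or above this is "too close"


def strip_trailing_digits(pw: str) -> str:
    """Return the password with any trailing run of digits removed."""
    m = TRAILING_DIGITS.match(pw)
    return m.group(1) if m else pw


def is_increment(old: str, new: str) -> bool:
    """True when new is old with only its trailing number changed or a number
    appended/removed (case-insensitive). All-digit passwords fall through to
    the similarity check instead."""
    base_old = strip_trailing_digits(old).lower()
    return new != old and bool(base_old) and base_old == strip_trailing_digits(new).lower()


def too_similar(old: str, new: str) -> bool:
    """True when the two passwords share most of their characters in order
    (catches 'Password1' -> 'Passw0rd1' style edits)."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= MAX_SIMILARITY


def check_change(old: str, new: str) -> str:
    """Return 'ok' or the reason the proposed new password is rejected."""
    if new == old:
        return "rejected: unchanged"
    if is_increment(old, new):
        return "rejected: only the trailing number changed"
    if too_similar(old, new):
        return "rejected: too similar to the previous password"
    return "ok"


if __name__ == "__main__":
    # Constructed sample changes, including the article's Password1/Password2 case.
    for old, new in [("Password1", "Password2"), ("Summer2020", "Summer2021"),
                     ("Password1", "Passw0rd1"), ("Password1", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```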

In the early days of computing, this might have been a sensible trade-off, because cracking passwords was relatively slow. But these days, with rainbow tables, GPU acceleration, and the massive computational power of the cloud, that’s no longer the case—short passwords are a liability, so any policy that makes people favor short passwords is a bad policy. It’s better instead to choose a long password and, ideally, multifactor authentication, supplementing the password with a time-based code or something similar.

The baseline configs are often used by auditors, with companies dinged for each baseline policy they don’t follow. Accordingly, Microsoft is making a few other changes to the baseline in an effort to ensure that audits only pick up security configurations that are truly important. Previously, the baseline would require that the strongest possible disk encryption is used (256-bit); it no longer does so. Some devices have a meaningful performance difference between 128- and 256-bit encryption, making 256-bit encryption undesirable. Others, like the Surface, ship with 128-bit encryption rather than 256-bit. Abiding by the policy means decrypting the disk and then re-encrypting it. Microsoft believes that 128-bit full-disk encryption is sufficient for most situations, and hence demanding 256-bit does little to improve security but hurts performance and requires tedious re-encryption.

In the new baseline, Microsoft is also considering dropping the long-standing requirement to disable the Guest account and the default Administrator account. Windows 10 disables the Guest account by default already, meaning that if it’s enabled, it’s probably for a good reason and shouldn’t be picked up in an audit.

The built-in Administrator account is also disabled by default in Windows 10, with the operating system creating a separate Administrator-privileged account during installation. However, the built-in account has certain properties that make it better—it isn’t subject to account lockout policies, and it can’t be removed from the Administrators group. As such, the decision to use the built-in Administrator account or a different one is more a matter of taste than security.