Risk-based authentication (RBA) aims to protect end users against attacks involving stolen or guessed passwords without requiring a second authentication method at every login. Online services typically set limits on what is still seen as normal login behavior and what is not, as well as the actions taken when those limits are exceeded. To do so, RBA monitors features such as geolocation and device during login. If a feature's value differs from the expected value, a second authentication method might be requested. However, only a few online services publish information about how their RBA systems work. This hinders not only RBA research but also its development and adoption in organizations. To understand how the RBA systems of online services operate, we apply black-box testing. To verify the results, we re-evaluate three large providers: Google, Amazon, and Facebook. Based on our test setup and test cases, we observe differences in Google's RBA depending on account creation. Additionally, several test cases rarely trigger the RBA system. Our results provide new insights into RBA systems and raise several questions for future work.
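The mechanism the abstract describes, monitored login features compared against an account's expected values and a second factor requested when they deviate, is easy to state in code. The following is an added illustration, not code from the paper or from any of the providers it tests; the feature set (country, device, IP /24), the per-feature weights and the 0.5 threshold are assumptions chosen for the example. Real deployments keep exactly these parameters secret, which is why the paper resorts to black-box testing, and the `probe` helper mimics that approach by feeding named test cases to the decision function and recording which ones trigger it.

```python
"""Minimal risk-based authentication (RBA) decision logic (added example).

Not code from the paper or from Google, Amazon or Facebook. Feature names,
weights and the threshold are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

# How suspicious an unseen value of each feature is. Assumed values.
FEATURE_WEIGHTS = {"country": 0.6, "device": 0.3, "ip_net": 0.3}
REQUIRE_2FA_THRESHOLD = 0.5  # assumed


@dataclass
class LoginAttempt:
    country: str
    device: str  # e.g. a device-fingerprint or user-agent hash
    ip: str


def features_of(attempt: LoginAttempt) -> dict[str, str]:
    """Extract the monitored features from a login attempt.

    The IP is reduced to its /24 so that an address change inside the same
    network is not treated as a new location.
    """
    net = str(ip_network(f"{attempt.ip}/24", strict=False))
    return {"country": attempt.country, "device": attempt.device, "ip_net": net}


@dataclass
class AccountHistory:
    """Feature values observed in previous successful logins of one account."""
    seen: dict[str, set[str]] = field(
        default_factory=lambda: {name: set() for name in FEATURE_WEIGHTS}
    )

    def record(self, attempt: LoginAttempt) -> None:
        for name, value in features_of(attempt).items():
            self.seen[name].add(value)


def risk_score(history: AccountHistory, attempt: LoginAttempt) -> float:
    """Sum the weights of every feature whose value this account has never shown."""
    score = 0.0
    for name, value in features_of(attempt).items():
        if value not in history.seen[name]:
            score += FEATURE_WEIGHTS[name]
    return round(score, 3)


def decide(history: AccountHistory, attempt: LoginAttempt) -> str:
    """Return 'allow' or 'require_2fa' for the attempt.

    An account with no history is allowed so it can bootstrap; this is a
    design choice of the example, not a claim about any provider.
    """
    if not any(history.seen.values()):
        return "allow"
    if risk_score(history, attempt) >= REQUIRE_2FA_THRESHOLD:
        return "require_2fa"
    return "allow"


def probe(history: AccountHistory, cases: dict[str, LoginAttempt]) -> dict[str, str]:
    """Black-box style run: submit named test cases and collect the decisions."""
    return {name: decide(history, attempt) for name, attempt in cases.items()}


if __name__ == "__main__":
    # Constructed sample data: one known-good login, then several test cases.
    history = AccountHistory()
    history.record(LoginAttempt("DE", "fp-A", "203.0.113.10"))
    cases = {
        "same_everything": LoginAttempt("DE", "fp-A", "203.0.113.10"),
        "new_ip_same_net": LoginAttempt("DE", "fp-A", "203.0.113.77"),
        "new_device_only": LoginAttempt("DE", "fp-B", "203.0.113.10"),
        "new_device_new_net": LoginAttempt("DE", "fp-B", "198.51.100.5"),
        "new_country": LoginAttempt("US", "fp-A", "198.51.100.5"),
    }
    for name, outcome in probe(history, cases).items():
        print(f"{name:20s} -> {outcome}")
```

With these assumed weights, changing only the device (or only the network) stays below the threshold and never triggers a second factor, while a new country always does; this is the kind of pattern black-box testing surfaces when the weights themselves are unknown.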