Online services have difficulty replacing passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA), partly because users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing. Risk-Based Authentication (RBA) can serve as an interim solution that increases password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice may be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers.
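To make the scoring idea behind a Freeman et al. style RBA concrete, the following is an added, simplified illustration; it is not the OpenStack implementation described in the paper and is not the paper's code. It computes a per-login risk score as a product of per-feature likelihood ratios p(x_k | attacker) / p(x_k | legitimate user) times a user prior ratio, with the user's feature distribution smoothed toward the global one (Dirichlet-style). The smoothing weight, the assumption that attacker feature values follow the global login distribution and that attackers pick accounts uniformly, the login history, the feature names and the action thresholds are all constructed assumptions for this example.

```python
"""Simplified Freeman-style RBA scoring (added illustration, not the paper's code).

Risk score = prod_k p(x_k | A) / p(x_k | u, L) * p(u | A) / p(u | L)
A score above 1 means the attempt looks more like an attacker than like user u.
"""
from collections import Counter, defaultdict


class RbaScorer:
    def __init__(self, smoothing=1.0):
        # Weight of the global prior when a user has few observations (assumed value)
        self.smoothing = smoothing
        # feature name -> Counter(value -> count) over all recorded legitimate logins
        self.global_counts = defaultdict(Counter)
        # user -> feature name -> Counter(value -> count)
        self.user_counts = defaultdict(lambda: defaultdict(Counter))
        self.logins_per_user = Counter()
        self.total_logins = 0

    def record_login(self, user, features):
        """Add one successful (legitimate) login to the history."""
        for name, value in features.items():
            self.global_counts[name][value] += 1
            self.user_counts[user][name][value] += 1
        self.logins_per_user[user] += 1
        self.total_logins += 1

    def p_global(self, name, value):
        """p(x_k | L): add-one smoothed frequency over all logins, so unseen values keep nonzero mass."""
        counts = self.global_counts[name]
        return (counts[value] + 1) / (sum(counts.values()) + len(counts) + 1)

    def p_user(self, user, name, value):
        """p(x_k | u, L): the user's own frequency, pulled toward the global one by `smoothing`."""
        c = self.user_counts[user][name][value]
        n = self.logins_per_user[user]
        return (c + self.smoothing * self.p_global(name, value)) / (n + self.smoothing)

    def score(self, user, features):
        """Risk score for one login attempt; raises for users with no history."""
        if user not in self.logins_per_user:
            raise ValueError(f"no login history for user {user!r}")
        # Assumption: attacker feature values follow the global distribution (p(x_k | A) = p(x_k | L)),
        # and attackers choose target accounts uniformly at random.
        s = 1.0
        for name, value in features.items():
            s *= self.p_global(name, value) / self.p_user(user, name, value)
        p_user_attack = 1.0 / len(self.logins_per_user)
        p_user_legit = self.logins_per_user[user] / self.total_logins
        return s * p_user_attack / p_user_legit


def risk_level(score, low=1.0, high=10.0):
    """Map a score to an action class. Thresholds are assumed; an operator would tune them."""
    if score < low:
        return "low"       # grant access
    if score < high:
        return "medium"    # ask for additional verification (e.g. a one-time code)
    return "high"          # deny or require strong re-authentication


def build_demo_scorer():
    """Constructed sample history (not real data): alice always from DE, bob always from US."""
    rba = RbaScorer(smoothing=1.0)
    for _ in range(3):
        rba.record_login("alice", {"country": "DE", "user_agent": "Firefox"})
    rba.record_login("alice", {"country": "DE", "user_agent": "Chrome"})
    for _ in range(2):
        rba.record_login("bob", {"country": "US", "user_agent": "Chrome"})
    return rba


if __name__ == "__main__":
    rba = build_demo_scorer()
    for attempt in ({"country": "DE", "user_agent": "Firefox"},
                    {"country": "DE", "user_agent": "curl"},
                    {"country": "BR", "user_agent": "curl"}):
        s = rba.score("alice", attempt)
        print(f"{attempt}: score={s:.3f} -> {risk_level(s)}")
```

With this history, alice's usual country and browser score well below 1 (low), an unfamiliar user agent from her usual country lands in the medium band, and an unseen country together with an unseen user agent scores far above 10 (high). The smoothing term is what keeps never-seen values from producing a zero probability and an undefined ratio.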