Evaluating Login Challenges as a Defense Against Account Takeover

ABSTRACT
In this paper, we study the efficacy of login challenges at preventing
account takeover, as well as evaluate the amount of friction these
challenges create for normal users. These secondary authentication
factors—presently deployed at Google, Microsoft, and other major
identity providers as part of risk-aware authentication—trigger in
response to a suspicious login or account recovery attempt. Using
Google as a case study, we evaluate the effectiveness of fourteen
device-based, delegation-based, knowledge-based, and resource-based challenges at preventing over 350,000 real-world hijacking
attempts stemming from automated bots, phishers, and targeted
attackers. We show that knowledge-based challenges prevent as
few as 10% of hijacking attempts rooted in phishing and 73% of
automated hijacking attempts. Device-based challenges provide the
best protection, blocking over 94% of hijacking attempts rooted in
phishing and 100% of automated hijacking attempts. We evaluate
the usability limitations of each challenge based on a sample of
1.2M legitimate users. Our results illustrate that login challenges
act as an important barrier to hijacking, but that friction in the
process leads to 52% of legitimate users failing to sign in—though
97% of users eventually access their account within a short period.

https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ab2bedf04f6d4ff60c59b502809c2f151373de54.pdf