As soon as it's a risk, I want to require MFA: How Administrators Configure Risk-based Authentication


Conference / Medium


Markus Dürmuth, Maximilian Golla, Theodor Schnitzler, Philipp Markert

Research Hub

Research Hub D: Usability

Research Challenges

RC 10: Engineers and Usability


Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA offers the opportunity to increase overall security without burdening the user, by keeping unnecessary security prompts to a minimum. It is therefore crucial to understand how administrators interact with off-the-shelf RBA systems that assign a risk score to each login and require administrators to configure adequate responses to that score.

In this paper, we let n = 28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent semi-structured interviews, we asked them about the intentions behind their configurations and their experiences with the RBA system. We find that administrators want a thorough understanding of the system they configure, we show the importance of default settings, which are either adopted directly or serve as an important point of orientation, and we identify several confusing wordings. Based on our findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone.
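To make the configuration task studied above concrete, the following is an added example of a minimal RBA policy engine in Python. It is not code from the paper, from its authors, or from Amazon Cognito: a login's observed signals are combined into a risk score, the score is bucketed into low/medium/high, and a policy table maps each level to a response. The signal names, their weights, the score thresholds, the response names and both policy tables are constructed assumptions. The default table stands in for the "default settings" the abstract says administrators adopt or orient on; the stricter table is one reading of the title's "as soon as it's a risk, require MFA". The policy validator catches the one misconfiguration a defender most wants flagged: a higher risk level mapped to a more lenient response than a lower one.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    """Responses an administrator can attach to a risk level (assumed names)."""
    ALLOW = "allow"
    OPTIONAL_MFA = "optional_mfa"   # user may proceed without a second factor if none is enrolled
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


# Strictness order, used only to sanity-check a configured policy.
SEVERITY = {Action.ALLOW: 0, Action.OPTIONAL_MFA: 1,
            Action.REQUIRE_MFA: 2, Action.BLOCK: 3}

LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class LoginContext:
    """Signals observed for one login attempt (constructed feature set)."""
    new_device: bool
    new_country: bool
    impossible_travel: bool          # geographically implausible relative to the last login
    failed_attempts_last_hour: int
    credential_in_known_leak: bool


# Assumed weights per signal; a real system derives these from observed user behaviour.
WEIGHTS = {
    "new_device": 30,
    "new_country": 25,
    "impossible_travel": 50,
    "credential_in_known_leak": 30,
}
FAILED_ATTEMPT_WEIGHT = 5
FAILED_ATTEMPT_CAP = 5


def risk_score(ctx: LoginContext) -> int:
    """Combine the signals into a 0..100 score."""
    score = sum(w for name, w in WEIGHTS.items() if getattr(ctx, name))
    score += FAILED_ATTEMPT_WEIGHT * min(ctx.failed_attempts_last_hour, FAILED_ATTEMPT_CAP)
    return min(score, 100)


def risk_level(score: int) -> str:
    """Bucket a score into the three levels (assumed thresholds)."""
    if score < 30:
        return "low"
    if score < 60:
        return "medium"
    return "high"


# What an administrator sees before changing anything (assumed defaults).
DEFAULT_POLICY = {"low": Action.ALLOW,
                  "medium": Action.OPTIONAL_MFA,
                  "high": Action.REQUIRE_MFA}

# One possible stricter configuration: any non-trivial risk requires a second factor.
STRICT_POLICY = {"low": Action.ALLOW,
                 "medium": Action.REQUIRE_MFA,
                 "high": Action.BLOCK}


def validate_policy(policy: dict) -> list:
    """Return human-readable problems: missing levels, or a higher risk level
    mapped to a more lenient response than a lower one."""
    problems = []
    for level in LEVELS:
        if level not in policy:
            problems.append(f"no response configured for level '{level}'")
    configured = [lvl for lvl in LEVELS if lvl in policy]
    for lower, higher in zip(configured, configured[1:]):
        if SEVERITY[policy[higher]] < SEVERITY[policy[lower]]:
            problems.append(f"'{higher}' is treated more leniently than '{lower}'")
    return problems


def decide(ctx: LoginContext, policy: dict = DEFAULT_POLICY) -> Action:
    """Evaluate one login under a policy; refuse to run a misconfigured policy."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return policy[risk_level(risk_score(ctx))]


if __name__ == "__main__":
    # Constructed sample logins.
    samples = [
        ("routine", LoginContext(False, False, False, 0, False)),
        ("new_laptop", LoginContext(True, False, False, 0, False)),
        ("suspicious", LoginContext(True, True, True, 4, True)),
    ]
    for name, ctx in samples:
        score = risk_score(ctx)
        print(f"{name:10s} score={score:3d} level={risk_level(score):6s} "
              f"default={decide(ctx).value:12s} strict={decide(ctx, STRICT_POLICY).value}")
```

Running the block prints one line per sample login under both tables, which shows the point of the study in miniature: the same score produces a silent allow, an optional prompt or a hard block depending only on the table the administrator configured, so the wording of the levels and responses has to be understood before the defaults are kept or changed.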


Usable Security and Privacy
Understanding and Transforming Security and Privacy Behaviors