Jan. 5, 2023, 2:10 a.m. | Stephan Wiefling, Jan Tolsdorf, Luigi Lo Iacono

cs.CR updates on arXiv.org arxiv.org

Risk-based authentication (RBA) extends authentication mechanisms to make
them more robust against account takeover attacks, such as those using stolen
passwords. RBA is recommended by NIST and NCSC to strengthen password-based
authentication, and is already used by major online services. Also, users
consider RBA to be more usable than two-factor authentication and just as
secure. However, users currently obtain RBA's high security and usability
benefits at the cost of exposing potentially sensitive personal data (e.g., IP
address or browser information). …
