swiefling

swiefling, 2 days ago (edited 1 day ago) to security

Privacy matters! But what if the tools meant to protect us are being misused? Our latest study (to appear ARES '24) reveals surprising facts about HTTP Client Hints (HTTP CHs) on the Web. [THREAD]

Paper + Website: https://rbainfo.org/clienthints

#CyberSecurity #Privacy #Tracking #HTTP #UserAgent #OpenAccess #WWW #Chrome #Edge #Safari #Brave #Browser

swiefling, 2 months ago to Cybersecurity German

Worried about account takeover? You're not alone! Attackers often misuse the "forgot password" mechanism to hack us.

Our latest study revealed a game-changer to counter this: Risk-Based Account Recovery! Platforms like Google now tailor recovery mechanisms based on your device and location context, making it hard for bad actors but easy for legitimate users.

Read more in our paper: https://riskbasedauthentication.org/state-of-practice/account-recovery/

#CyberSecurity #InfoSec #HCI #UX #Password #Authentication #Research #OpenAccess

Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication Abstract Risk-based authentication (RBA) is used in online services to protect user accounts from unauthorized takeover. RBA commonly uses contextual features that indicate a suspicious login attempt when the characteristic attributes of the login context deviate from known and thus expected values. Previous research on RBA and anomaly detection in authentication has mainly focused on the login process. However, recent attacks have revealed vulnerabilities in other parts of the authentication process, specifically in the account recovery function. Consequently, to ensure comprehensive authentication security, the use of anomaly detection in the context of account recovery must also be investigated. This paper presents the first study to investigate risk-based account recovery (RBAR) in the wild. We analyzed the adoption of RBAR by five prominent online services (that are known to use RBA). Our findings confirm the use of RBAR at Google, LinkedIn, and Amazon. Furthermore, we provide insights into the different RBAR mechanisms of these services and explore the impact of multi-factor authentication on them. Based on our findings, we create a first maturity model for RBAR challenges. The goal of our work is to help developers, administrators, and policy-makers gain an initial understanding of RBAR...

swiefling, 7 months ago to python

The third issue of our book "Programmieren trainieren" (Exercise programming) has just been released. It contains 150 coding exercises in Java and Python. One of them I was even given myself in a job interview at a well-known company. Therefore, this book might help to grow your coding skills.

This time, we have 20 new exercises and a foreword by game developer Kathrin Radtke (Spellgarden Games).

More information: https://protrain.github.io/

#Python #Java #Book #Programming

alarith, 9 months ago to random German

Two personal updates: I have passed my defense yesterday at the University of Siegen! I am quite happy and relieved that everything worked well. Many thanks to my defense committee, Marc Hassenzahl, Susanne Boll, and Gunnar Stevens!

In other news I will start a postdoc position at the University of Tokyo in two weeks! I was accepted for this position a few months ago under the condition that I pass my defense, so I guess now it's official! 😊 I will work with Hideaki Kuzuoka and at Tokyo College

m33x, 9 months ago to random

Super proud: Alexandra Nisenoff just presented our paper on password reuse at the university of Chicago at #usesec23. This has been a 6 years long lasting effort. Very happy the paper has won a distinguished paper award 🥇
Summary: https://www.usenix.org/publications/loginonline/measuring-risk-password-reuse-poses-university
Full paper: https://www.usenix.org/conference/usenixsecurity23/presentation/nisenoff-retrospective

swiefling, 10 months ago to UX

My PhD thesis on the usability, security, and privacy of Risk-Based Authentication (RBA) is now published. For free, for everyone, as I believe that publicly funded research should be open to the public.

On 239 pages, you will learn how to strengthen password-based authentication with RBA while being privacy-enhanced and accepted by users.

Thesis PDF: https://doi.org/10.13154/294-9901

Defense Slides: https://www.stephanwiefling.de/slides/rba-thesis-defense23.pdf

#password #ux #hci #authentication #cybersecurity #privacy #openaccess #phd

Three softcover books of the dissertation "Usability, Security, and Privacy of Risk-Based Authentication" in front of a building showing the logo of Ruhr University Bochum on a sunny day.

swiefling, 1 year ago to random

Happy to annouce that I successfully defended my doctoral thesis "Usability, Security, and Privacy of Risk-Based Authentication" at Ruhr University Bochum.

It started in 2017 with a study on RBA use on popular websites. Never thought that this would end in 7 publications, >125 citations, public recognition by people I'm a big fan of, a DAAD RISE Germany scholarship, an internship at Meta, and the Open Data Impact Award 2022.

#password #authentication #ux #hci #academia #cybersecurity #privacy