Hi everyone,
You've probably heard about Risk-based Authentication (RBA), which is recommended by NIST to improve password account security without decreasing usability. Some big online services use it, but keep it a secret. Well, this doesn't help smaller websites to protect their users against credential stuffing or password database leaks.
For this reason, we black-box tested eight popular online services [1] to find out more about their RBA implementations [2].
The technical paper and all the results:
https://riskbasedauthentication.org/
(Paper is accepted for IFIP SEC 2019)
[1] Facebook, Google, LinkedIn, Amazon, GOG.com, Steam, Twitch and iCloud
[2] We also disclose a vulnerability on Facebook which is now fixed.