A framework for analyzing authentication risks in account networks

Abstract

Our everyday life depends more and more on online services and, therefore, access to related user accounts. The security of user accounts, again, is tied to the security of the corresponding primary and fallback authentication methods. Accounts can be linked to each other – by fallback authentication, through SSO, or by using the same authentication devices – creating an account network. These account networks enhance login comfort and are needed in case of account recovery, but they also increase each account's attack surface. In addition, misconfigurations might result in account inaccessibility. However, these problems can only be detected by analyzing single accounts first and then the resulting account networks. Despite the importance to understand account security and accessibility, almost no analysis methods exist.To address this need, this article presents the Authentication Analysis Framework (AAF). AAF evaluates account types and primary and fallback authentication methods for each account, before analyzing the overall account network. By detecting transitive risks, weak links can be discovered and subsequently strengthened. We further propose maturity models to rank the primary and fallback authentication methods based on risks and a description language to exchange the required information. AAF is implemented as a plugin for the password manager KeePass to assist end users and as a standalone tool for researchers.