{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T10:44:07Z","timestamp":1773312247657,"version":"3.50.1"},"publisher-location":"Cham","reference-count":33,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032006387","type":"print"},{"value":"9783032006394","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-032-00639-4_10","type":"book-chapter","created":{"date-parts":[[2025,8,9]],"date-time":"2025-08-09T09:58:02Z","timestamp":1754733482000},"page":"166-180","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Authentication Inconsistencies Across Online Services: A Multi-Scenario Security Analysis"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0138-366X","authenticated-orcid":false,"given":"Andre","family":"B\u00fcttner","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7360-8314","authenticated-orcid":false,"given":"Nils","family":"Gruschka","sequence":"additional","affiliation":[]},{"given":"Sverre Stafsengen","family":"Broen","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6373-3637","authenticated-orcid":false,"given":"Daniela","family":"P\u00f6hn","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,8,10]]},"reference":[{"key":"10_CR1","doi-asserted-by":"publisher","unstructured":"von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: Captcha: using hard AI problems for security. In: Biham, E. (ed.) Advances in Cryptology \u2014 EUROCRYPT 2003, pp. 294\u2013311. Springer Berlin Heidelberg, Berlin, Heidelberg (2003). https:\/\/doi.org\/10.1007\/3-540-39200-9_18","DOI":"10.1007\/3-540-39200-9_18"},{"key":"10_CR2","unstructured":"American Psychological Association: Ethical principles of psychologists and code of conduct (2017). https:\/\/www.apa.org\/ethics\/code"},{"key":"10_CR3","doi-asserted-by":"publisher","unstructured":"Amft, S., et al.: Lost and not found: an investigation of recovery methods for multi-factor authentication. CoRR (2023). https:\/\/doi.org\/10.60882\/cispa.25186640.v1","DOI":"10.60882\/cispa.25186640.v1"},{"key":"10_CR4","doi-asserted-by":"publisher","unstructured":"Baig, A.F., Eskeland, S.: Security, privacy, and usability in continuous authentication: a survey. Sensors 21(17) (2021). https:\/\/doi.org\/10.3390\/s21175967, https:\/\/www.mdpi.com\/1424-8220\/21\/17\/5967","DOI":"10.3390\/s21175967"},{"key":"10_CR5","doi-asserted-by":"publisher","unstructured":"Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 75\u201388. CCS \u201908, Association for Computing Machinery, New York, NY, USA (2008). https:\/\/doi.org\/10.1145\/1455770.1455782","DOI":"10.1145\/1455770.1455782"},{"key":"10_CR6","unstructured":"Berufsverband Deutscher Psychologinnen und Psychologen e.V., Deutsche Gesellschaft f\u00fcr Psychologie e.V.: Berufsethische Richtlinien des Berufsverbandes Deutscher Psychologinnen und Psychologen e.V. und der Deutschen Gesellschaft f\u00fcr Psychologie e.V. https:\/\/www.bdp-verband.de\/fileadmin\/user_upload\/BDP\/website\/dokumente\/PDF\/Profession\/Berufsethik\/BER-Foederation-20230426-Web-1.pdf (2022)"},{"key":"10_CR7","doi-asserted-by":"publisher","unstructured":"Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., Santos, C.: Security analysis of subject access request procedures. In: Naldi, M., Italiano, G.F., Rannenberg, K., Medina, M., Bourka, A. (eds.) Privacy Technologies and Policy, pp. 182\u2013209. Springer International Publishing, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-21752-5_12","DOI":"10.1007\/978-3-030-21752-5_12"},{"key":"10_CR8","unstructured":"Broen, S.S.: Observational Study of the Right of Access and Erasure-From the Perspective of the Data Subject and the Data Controller. Master\u2019s thesis, University of Oslo (2024). https:\/\/www.duo.uio.no\/handle\/10852\/116541"},{"key":"10_CR9","doi-asserted-by":"publisher","unstructured":"Burgers, W., Verdult, R., van Eekelen, M.: Prevent session hijacking by binding the session to the cryptographic network credentials. In: Riis\u00a0Nielson, H., Gollmann, D. (eds.) Secure IT Systems, pp. 33\u201350. Springer, Berlin, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-41488-6_3","DOI":"10.1007\/978-3-642-41488-6_3"},{"key":"10_CR10","doi-asserted-by":"publisher","unstructured":"B\u00fcttner, A., Pedersen, A.T., Wiefling, S., Gruschka, N., Lo\u00a0Iacono, L.: Is it really you who forgot the password? When account recovery meets risk-based authentication. In: Wang, G., Wang, H., Min, G., Georgalas, N., Meng, W. (eds.) Ubiquitous Security, pp. 401\u2013419. Springer Nature Singapore, Singapore (2024). https:\/\/doi.org\/10.1007\/978-981-97-1274-8_26","DOI":"10.1007\/978-981-97-1274-8_26"},{"key":"10_CR11","doi-asserted-by":"publisher","unstructured":"B\u00fcttner, A., Gruschka, N.: Evaluating the influence of multi-factor authentication and recovery settings on the security and accessibility of user accounts. In: Proceedings of the 10th International Conference on Information Systems Security and Privacy - ICISSP, pp. 691\u2013700. INSTICC, SciTePress (2024). https:\/\/doi.org\/10.5220\/0012319000003648","DOI":"10.5220\/0012319000003648"},{"key":"10_CR12","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2022-0037","author":"M Di Martino","year":"2022","unstructured":"Di Martino, M., Meers, I., Quax, P., Andries, K., Lamotte, W.: Revisiting identification issues in GDPR \u2018right of access\u2019 policies: a technical and longitudinal analysis. Proc. Priv. Enhancing Technol. (2022). https:\/\/doi.org\/10.2478\/popets-2022-0037","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"10_CR13","doi-asserted-by":"crossref","unstructured":"Edgar, T.W., Manz, D.O.: Research Methods for Cyber Security. Syngress Publishing, 1st edn. (2017)","DOI":"10.1016\/B978-0-12-805349-2.00031-5"},{"key":"10_CR14","doi-asserted-by":"publisher","unstructured":"Freeman, D.M., Jain, S., D\u00fcrmuth, M., Biggio, B., Giacinto, G.: Who are you? A statistical approach to measuring user authenticity. In: Proceedings of the USENIX Network and Distributed System Security (NDSS) Symposium. San Francisco, CA (2016). https:\/\/doi.org\/10.14722\/ndss.2016.23240","DOI":"10.14722\/ndss.2016.23240"},{"key":"10_CR15","unstructured":"Gavazzi, A., et al.: A study of multi-factor and risk-based authentication availability. In: 32nd USENIX Security Symposium (USENIX Security 23), pp. 2043\u20132060. USENIX Association, Anaheim, CA (2023). https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/gavazzi"},{"key":"10_CR16","unstructured":"Security, I.: X-Force 2025 Threat Intelligence Index. Tech. rep, IBM (2025)"},{"key":"10_CR17","doi-asserted-by":"publisher","unstructured":"Joukov, A., Joukov, N.: Six-year study of emails sent to unverified addresses. In: Furnell, S., Clarke, N. (eds.) Human Aspects of Information Security and Assurance, pp. 337\u2013345. Springer Nature Switzerland, Cham (2023). https:\/\/doi.org\/10.1007\/978-3-031-38530-8_27","DOI":"10.1007\/978-3-031-38530-8_27"},{"key":"10_CR18","doi-asserted-by":"publisher","unstructured":"Klivan, S., et al.: We\u2019ve Disabled MFA for You: an evaluation of the security and usability of multi-factor authentication recovery deployments. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3138\u20133152. CCS \u201923, Association for Computing Machinery, New York, NY, USA (2023). https:\/\/doi.org\/10.1145\/3576915.3623180","DOI":"10.1145\/3576915.3623180"},{"key":"10_CR19","doi-asserted-by":"publisher","unstructured":"Kraus, L., Svidronov\u00e1, M., Stobert, E.: How do users chain email accounts together? In: J\u00f8sang, A., Futcher, L., Hagen, J. (eds.) ICT Systems Security and Privacy Protection, pp. 416\u2013429. Springer International Publishing, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-78120-0_27","DOI":"10.1007\/978-3-030-78120-0_27"},{"key":"10_CR20","doi-asserted-by":"publisher","unstructured":"Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczy\u0144ski, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: Proceedings of the 26th Annual Network and Distributed System Security Symposium. NDSS 2019 (2019). https:\/\/doi.org\/10.14722\/ndss.2019.23386","DOI":"10.14722\/ndss.2019.23386"},{"issue":"1","key":"10_CR21","doi-asserted-by":"publisher","first-page":"620","DOI":"10.1109\/TDSC.2020.2975789","volume":"19","author":"Y Li","year":"2022","unstructured":"Li, Y., Chen, Z., Wang, H., Sun, K., Jajodia, S.: Understanding account recovery in the wild and its security implications. IEEE Trans. Dependable Secure Comput. 19(1), 620\u2013634 (2022). https:\/\/doi.org\/10.1109\/TDSC.2020.2975789","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"10_CR22","doi-asserted-by":"publisher","unstructured":"Makowski, J.P., P\u00f6hn, D.: Evaluation of real-world risk-based authentication at online services revisited: complexity wins. In: Proceedings of the 18th International Conference on Availability, Reliability and Security. ARES \u201923, Association for Computing Machinery, New York, NY, USA (2023). https:\/\/doi.org\/10.1145\/3600160.3605024","DOI":"10.1145\/3600160.3605024"},{"key":"10_CR23","unstructured":"Naprys, E.: Password crisis deepens in 2025: lazy, reused, and stolen (2025). https:\/\/cybernews.com\/security\/password-leak-study-unveils-2025-trends-reused-and-lazy\/"},{"key":"10_CR24","unstructured":"Paine, L., Singhal, H.: Raising the bar for software security: GitHub 2FA begins March 13 (2023). https:\/\/github.blog\/news-insights\/product-news\/raising-the-bar-for-software-security-github-2fa-begins-march-13\/"},{"key":"10_CR25","doi-asserted-by":"publisher","unstructured":"P\u00f6hn, D., Gruschka, N.: Qualitative in-depth analysis of GDPR data subject access requests and responses from major online services. In: Proceedings of the 11th International Conference on Information Systems Security and Privacy, vol. 1: ICISSP, pp. 149\u2013156. INSTICC, SciTePress (2025). https:\/\/doi.org\/10.5220\/0013093000003899","DOI":"10.5220\/0013093000003899"},{"key":"10_CR26","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103515","volume":"135","author":"D P\u00f6hn","year":"2023","unstructured":"P\u00f6hn, D., Gruschka, N., Ziegler, L., B\u00fcttner, A.: A framework for analyzing authentication risks in account networks. Comput. Secur. 135, 103515 (2023). https:\/\/doi.org\/10.1016\/j.cose.2023.103515","journal-title":"Comput. Secur."},{"key":"10_CR27","doi-asserted-by":"publisher","unstructured":"Ruth, K., Kumar, D., Wang, B., Valenta, L., Durumeric, Z.: Toppling top lists: evaluating the accuracy of popular website lists. In: Proceedings of the 22nd ACM Internet Measurement Conference, pp. 374\u2013387. IMC \u201922, Association for Computing Machinery, New York, NY, USA (2022). https:\/\/doi.org\/10.1145\/3517745.3561444","DOI":"10.1145\/3517745.3561444"},{"key":"10_CR28","unstructured":"Spotify AB: Protect your Spotify account (2025). https:\/\/support.spotify.com\/uk\/article\/protect-your-account\/"},{"key":"10_CR29","unstructured":"The European Parliament and the Council of the European Union: Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation) (2016)"},{"key":"10_CR30","doi-asserted-by":"publisher","unstructured":"Tiefenau, E., Grohs, J.A., H\u00e4ring, M., Smith, M., Tiefenau, C.: They are responsible for ensuring that I can continue to use the service. Investigating Users\u2019 Expectations Towards 2FA Recovery in Germany. In: Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems. CHI \u201925, Association for Computing Machinery, New York, NY, USA (2025). https:\/\/doi.org\/10.1145\/3706598.3714245","DOI":"10.1145\/3706598.3714245"},{"key":"10_CR31","doi-asserted-by":"publisher","unstructured":"Wang, X., Yan, Z., Zhang, R., Zhang, P.: Attacks and defenses in user authentication systems: a survey. J. Network Comput. Appl. 188, 103080 (2021). https:\/\/doi.org\/10.1016\/j.jnca.2021.103080, https:\/\/www.sciencedirect.com\/science\/article\/pii\/S1084804521001028","DOI":"10.1016\/j.jnca.2021.103080"},{"key":"10_CR32","doi-asserted-by":"publisher","unstructured":"Wauters, E., Lievens, E., Valcke, P.: Towards a better protection of social media users: a legal perspective on the terms of use of social networking sites. Int. J. Law Inf. Technol. 22(3), 254\u2013294 (2014). https:\/\/doi.org\/10.1093\/ijlit\/eau002","DOI":"10.1093\/ijlit\/eau002"},{"key":"10_CR33","doi-asserted-by":"publisher","unstructured":"Wiefling, S., Lo\u00a0Iacono, L., D\u00fcrmuth, M.: Is this really you? An empirical study on risk-based authentication applied in the wild. In: ICT Systems Security and Privacy Protection: 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings 34, pp. 134\u2013148. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-22312-0_10","DOI":"10.1007\/978-3-030-22312-0_10"}],"container-title":["Lecture Notes in Computer Science","Availability, Reliability and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-00639-4_10","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T16:16:51Z","timestamp":1773245811000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-00639-4_10"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783032006387","9783032006394"],"references-count":33,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-00639-4_10","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"10 August 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"The authors have no competing interests to declare that are relevant to the content of this article.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Disclosure of Interests"}},{"value":"ARES","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Availability, Reliability and Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Ghent","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Belgium","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 August 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 August 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ares-12025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/2025.ares-conference.eu","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}