{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T05:32:43Z","timestamp":1769319163813,"version":"3.49.0"},"publisher-location":"Singapore","reference-count":39,"publisher":"Springer Nature Singapore","isbn-type":[{"value":"9789819712731","type":"print"},{"value":"9789819712748","type":"electronic"}],"license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024]]},"DOI":"10.1007\/978-981-97-1274-8_26","type":"book-chapter","created":{"date-parts":[[2024,3,12]],"date-time":"2024-03-12T19:20:02Z","timestamp":1710271202000},"page":"401-419","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Is It Really You Who Forgot the\u00a0Password? 
When Account Recovery Meets Risk-Based Authentication"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0138-366X","authenticated-orcid":false,"given":"Andre","family":"B\u00fcttner","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0009-8509-554X","authenticated-orcid":false,"given":"Andreas Thue","family":"Pedersen","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7917-6065","authenticated-orcid":false,"given":"Stephan","family":"Wiefling","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7360-8314","authenticated-orcid":false,"given":"Nils","family":"Gruschka","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7863-0622","authenticated-orcid":false,"given":"Luigi","family":"Lo Iacono","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,3,13]]},"reference":[{"key":"26_CR1","doi-asserted-by":"publisher","unstructured":"Addas, A., Salehi-Abari, A., Thorpe, J.: Geographical security questions for fallback authentication. In: PST 2019. IEEE (2019). https:\/\/doi.org\/10.1109\/PST47121.2019.8949063","DOI":"10.1109\/PST47121.2019.8949063"},{"key":"26_CR2","unstructured":"Akamai: Credential Stuffing: Attacks and Economies. [state of the internet]\/security 5(Special Media Edition) (2019). https:\/\/web.archive.org\/web\/20210824114851\/https:\/\/www.akamai.com\/us\/en\/multimedia\/documents\/state-of-the-internet\/soti-security-credential-stuffing-attacks-and-economies-report-2019.pdf"},{"key":"26_CR3","unstructured":"Akamai: Loyalty for Sale - Retail and Hospitality Fraud. [state of the internet]\/security 6(3) (2020). 
https:\/\/web.archive.org\/web\/20201101013317\/https:\/\/www.akamai.com\/us\/en\/multimedia\/documents\/state-of-the-internet\/soti-security-loyalty-for-sale-retail-and-hospitality-fraud-report-2020.pdf"},{"key":"26_CR4","unstructured":"Amazon: Reset Your Password (2023). https:\/\/web.archive.org\/web\/20210918230138\/https:\/\/www.amazon.com\/gp\/help\/customer\/display.html?nodeId=GH3NM2YWEFEL2CQ4"},{"key":"26_CR5","unstructured":"Amazon Web Services Inc: What is a CAPTCHA puzzle? (2023). https:\/\/docs.aws.amazon.com\/waf\/latest\/developerguide\/waf-captcha-puzzle.html"},{"key":"26_CR6","unstructured":"Amft, S., et al.: Lost and not found: an investigation of recovery methods for multi-factor authentication. arXiv:2306.09708 (2023)"},{"key":"26_CR7","doi-asserted-by":"publisher","unstructured":"Bonneau, J., Bursztein, E., Caron, I., Jackson, R., Williamson, M.: Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at Google. In: WWW 2015. ACM (2015). https:\/\/doi.org\/10.1145\/2736277.2741691","DOI":"10.1145\/2736277.2741691"},{"key":"26_CR8","doi-asserted-by":"publisher","unstructured":"Campobasso, M., Allodi, L.: Impersonation-as-a-service: characterizing the emerging criminal infrastructure for user impersonation at scale. In: CCS 2020. ACM (2020). https:\/\/doi.org\/10.1145\/3372297.3417892","DOI":"10.1145\/3372297.3417892"},{"key":"26_CR9","unstructured":"Conners, J.S., Zappala, D.: Let\u2019s authenticate: automated cryptographic authentication for the web with simple account recovery. In: WAY 2019 (2019)"},{"key":"26_CR10","unstructured":"Dropbox: Change or reset your Dropbox password (2023). https:\/\/web.archive.org\/web\/20230518113022\/https:\/\/help.dropbox.com\/security\/password-reset"},{"key":"26_CR11","unstructured":"Federal Bureau of Investigation: Internet Crime Report 2022 (2023). 
https:\/\/web.archive.org\/web\/20230311011752\/, https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2022_IC3Report.pdf"},{"key":"26_CR12","doi-asserted-by":"publisher","unstructured":"Freeman, D., Jain, S., D\u00fcrmuth, M., Biggio, B., Giacinto, G.: Who are you? A statistical approach to measuring user authenticity. In: NDSS 2016. Internet Society (2016). https:\/\/doi.org\/10.14722\/ndss.2016.23240","DOI":"10.14722\/ndss.2016.23240"},{"key":"26_CR13","unstructured":"Garfinkel, S.L.: Design principles and patterns for computer systems that are simultaneously secure and usable. Ph.D. thesis, Massachusetts Institute of Technology (2005)"},{"key":"26_CR14","unstructured":"Gavazzi, A., et al.: A study of multi-factor and risk-based authentication availability. In: USENIX Security 2023. USENIX Association (2023)"},{"key":"26_CR15","unstructured":"GOG: How do I reset my password? (2023). https:\/\/web.archive.org\/web\/20230317223608\/, https:\/\/support.gog.com\/hc\/en-us\/articles\/212185409-How-do-I-reset-my-password-?product=gog"},{"key":"26_CR16","unstructured":"Golla, M.: I had a chat about RBA with @Google in April 2016. the short story: \u201cRBA is an arms race, and we are not revealing any details that could potentially help attackers\u201d (2019). https:\/\/web.archive.org\/web\/20210812104239\/, https:\/\/twitter.com\/m33x\/status\/1120979096547274752"},{"key":"26_CR17","unstructured":"Google: reCAPTCHA v2 | Google Developers (2021). https:\/\/developers.google.com\/recaptcha\/docs\/display"},{"key":"26_CR18","unstructured":"Google: Tips to complete account recovery steps (2023). https:\/\/web.archive.org\/web\/20230422113749\/https:\/\/support.google.com\/accounts\/answer\/7299973"},{"key":"26_CR19","doi-asserted-by":"publisher","unstructured":"Hang, A., De Luca, A., Hussmann, H.: I know what you did last week! Do you?: Dynamic security questions for fallback authentication on smartphones. In: CHI 2015. ACM (2015). 
https:\/\/doi.org\/10.1145\/2702123.2702131","DOI":"10.1145\/2702123.2702131"},{"key":"26_CR20","unstructured":"Hill, B.: Moving account recovery beyond email and the \u201csecret\u201d question. In: Enigma 2017. USENIX Association (2017)"},{"key":"26_CR21","unstructured":"Hossen, M.I., et al.: An object detection based solver for Google\u2019s image reCAPTCHA v2. In: RAID 2020. USENIX Association (2020)"},{"key":"26_CR22","doi-asserted-by":"publisher","unstructured":"Javed, A., Bletgen, D., Kohlar, F., D\u00fcrmuth, M., Schwenk, J.: Secure fallback authentication and the trusted friend attack. In: ICDCSW 2014. ACM (2014). https:\/\/doi.org\/10.1109\/ICDCSW.2014.30","DOI":"10.1109\/ICDCSW.2014.30"},{"key":"26_CR23","doi-asserted-by":"publisher","unstructured":"Li, Y., Chen, Z., Wang, H., Sun, K., Jajodia, S.: Understanding account recovery in the wild and its security implications. IEEE TDSC 19(1) (2020). https:\/\/doi.org\/10.1109\/TDSC.2020.2975789","DOI":"10.1109\/TDSC.2020.2975789"},{"key":"26_CR24","doi-asserted-by":"publisher","unstructured":"Li, Y., Wang, H., Sun, K.: Email as a master key: analyzing account recovery in the wild. In: INFOCOM 2018. IEEE (2018). https:\/\/doi.org\/10.1109\/INFOCOM.2018.8486017","DOI":"10.1109\/INFOCOM.2018.8486017"},{"key":"26_CR25","unstructured":"LinkedIn: Password Reset Basics (2023). https:\/\/web.archive.org\/web\/20221229120339\/, https:\/\/www.linkedin.com\/help\/linkedin\/answer\/a1382101"},{"key":"26_CR26","doi-asserted-by":"publisher","unstructured":"Markert, P., Golla, M., Stobert, E., D\u00fcrmuth, M.: Work in progress: a comparative long-term study of fallback authentication. In: USEC 2019. Internet Society (2019). https:\/\/doi.org\/10.14722\/usec.2019.23030","DOI":"10.14722\/usec.2019.23030"},{"key":"26_CR27","unstructured":"Microsoft Detection and Response Team: DEV-0537 criminal actor targeting organizations for data exfiltration and destruction (2022). 
https:\/\/www.microsoft.com\/security\/blog\/dev-0537"},{"key":"26_CR28","unstructured":"Milka, G.: Anatomy of account takeover. In: Enigma 2018. USENIX Association (2018)"},{"key":"26_CR29","unstructured":"MITRE Corporation: CWE-640: Weak Password Recovery Mechanism for Forgotten Password (2021). https:\/\/cwe.mitre.org\/data\/definitions\/640.html"},{"key":"26_CR30","doi-asserted-by":"crossref","unstructured":"P\u00f6hn, D., Gruschka, N., Ziegler, L.: Multi-account dashboard for authentication dependency analysis. In: ARES 2022. ACM (2022)","DOI":"10.1145\/3538969.3538987"},{"key":"26_CR31","unstructured":"Quermann, N., Harbach, M., D\u00fcrmuth, M.: The state of user authentication in the wild. In: WAY 2018 (2018). https:\/\/wayworkshop.org\/2018\/papers\/way2018-quermann.pdf"},{"key":"26_CR32","doi-asserted-by":"publisher","unstructured":"Sukhani, K., Sawant, S., Maniar, S., Pawar, R.: Automating the bypass of image-based captcha and assessing security. In: ICCCNT 2021. IEEE (2021). https:\/\/doi.org\/10.1109\/ICCCNT51525.2021.9580020","DOI":"10.1109\/ICCCNT51525.2021.9580020"},{"key":"26_CR33","doi-asserted-by":"publisher","unstructured":"Thomas, K., et al.: Data breaches, phishing, or malware?: Understanding the risks of stolen credentials. In: CCS 2017. ACM (2017). https:\/\/doi.org\/10.1145\/3133956.3134067","DOI":"10.1145\/3133956.3134067"},{"key":"26_CR34","doi-asserted-by":"publisher","unstructured":"Wiefling, S., D\u00fcrmuth, M., Lo Iacono, L.: More than just good passwords? A study on usability and security perceptions of risk-based authentication. In: ACSAC 2020. ACM (2020). https:\/\/doi.org\/10.1145\/3427228.3427243","DOI":"10.1145\/3427228.3427243"},{"key":"26_CR35","doi-asserted-by":"publisher","unstructured":"Wiefling, S., D\u00fcrmuth, M., Lo Iacono, L.: Verify it\u2019s you: how users perceive risk-based authentication. IEEE Secur. Priv. 19(6) (2021). 
https:\/\/doi.org\/10.1109\/MSEC.2021.3077954","DOI":"10.1109\/MSEC.2021.3077954"},{"key":"26_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"361","DOI":"10.1007\/978-3-662-64331-0_19","volume-title":"Financial Cryptography and Data Security","author":"S Wiefling","year":"2021","unstructured":"Wiefling, S., D\u00fcrmuth, M., Lo Iacono, L.: What\u2019s in score for website users: a data-driven long-term study on risk-based authentication characteristics. In: Borisov, N., Diaz, C. (eds.) FC 2021. LNCS, vol. 12675, pp. 361\u2013381. Springer, Heidelberg (2021). https:\/\/doi.org\/10.1007\/978-3-662-64331-0_19"},{"key":"26_CR37","doi-asserted-by":"publisher","unstructured":"Wiefling, S., J\u00f8rgensen, P.R., Thunem, S., Lo Iacono, L.: Pump up password security! evaluating and enhancing risk-based authentication on a real-world large-scale online service. ACM TOPS 26(1) (2023). https:\/\/doi.org\/10.1145\/3546069","DOI":"10.1145\/3546069"},{"key":"26_CR38","series-title":"IFIP Advances in Information and Communication Technology","doi-asserted-by":"publisher","first-page":"134","DOI":"10.1007\/978-3-030-22312-0_10","volume-title":"ICT Systems Security and Privacy Protection","author":"S Wiefling","year":"2019","unstructured":"Wiefling, S., Lo Iacono, L., D\u00fcrmuth, M.: Is this really you? An empirical study on risk-based authentication applied in the wild. In: Dhillon, G., Karlsson, F., Hedstr\u00f6m, K., Z\u00faquete, A. (eds.) SEC 2019. IAICT, vol. 562, pp. 134\u2013148. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-22312-0_10"},{"key":"26_CR39","doi-asserted-by":"crossref","unstructured":"Yan, J., El Ahmad, A.S.: Usability of CAPTCHAs or usability issues in CAPTCHA design. In: Proceedings of the 4th symposium on Usable privacy and security, pp. 
44\u201352 (2008)","DOI":"10.1145\/1408664.1408671"}],"container-title":["Communications in Computer and Information Science","Ubiquitous Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-97-1274-8_26","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,12]],"date-time":"2024-03-12T19:23:40Z","timestamp":1710271420000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-97-1274-8_26"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"ISBN":["9789819712731","9789819712748"],"references-count":39,"URL":"https:\/\/doi.org\/10.1007\/978-981-97-1274-8_26","relation":{},"ISSN":["1865-0929","1865-0937"],"issn-type":[{"value":"1865-0929","type":"print"},{"value":"1865-0937","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024]]},"assertion":[{"value":"13 March 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"UbiSec","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Ubiquitous Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Exeter","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"United Kingdom","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"1 November 2023","order":7,"name":"conference_start_date","label":"Conference Start 
Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"3 November 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ubisec2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/hpcn.exeter.ac.uk\/ubisec2023\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"MyReview","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"91","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"29","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"32% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full 
Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"4","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}