💾 Archived View for tilde.club › ~verdantmoss › risk-based-authentication.gmi captured on 2023-04-26 at 13:40:56. Gemini links have been rewritten to link to archived content
Risk-based authentication, which I'll shorten to RBA, fucking sucks. For the unaware, RBA is a method for authentication that takes into account details about the agent requesting access to a system, such as IP address, time, user-agent, etc., to determine what credentials are sufficient to successfully authenticate.
Risk-based authentication - Wikipedia
The reason that I think RBA sucks so bad is that I find it, on a personal, anecdotal level, to be totally dehumanising. It's unpleasant. I have my username and password, yes, but things that I have limited control over have been fed into some machine learning model which has decided that I'm too suspicious to be let in at the moment. I should come back later.
It makes access to accounts that use RBA - and while I avoid these personally now, this includes major accounts like Google or Microsoft accounts - precarious and unreliable. These aren't trivial accounts either - many people, at the behest of Google or Microsoft, rely heavily on these accounts, and while it is true that access could be revoked at any time regardless of the use of RBA, its use makes account lockouts more common. I personally refrain from using services that use RBA because it makes authentication unpredictable and unreliable, which are things that I seek to excise from my computing experience. It is better without them.
The thing I find egregious about RBA is how it does not (it cannot) accommodate the messy reality of how people actually live and interact with computers. A machine learning model cannot differentiate account sharing and an attacker on the other side of the world trying to log into my account, because these are indistinguishable. It is not possible to distil the essences of "normal" and "abnormal" computer usage and tell them apart. RBA makes access to online resources feel tenuous and inscrutable, because no human need be involved to lock you out of your account. In the end, you're left asking why you aren't /normal/ enough to be permitted access.
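As an added illustration (not code from this post or from any real RBA product), here is a toy risk engine scoring the signals named above (IP-derived country, time of day, user-agent, known device) with assumed weights and thresholds. It also makes the account-sharing point concrete: two attempts carrying the same signals must get the same verdict, whoever is actually typing.

```python
from dataclasses import dataclass

# Constructed signals for one login attempt (assumed schema, not any product's).
@dataclass(frozen=True)
class Attempt:
    country: str        # geolocated from the client IP address
    hour_utc: int       # hour of day the request arrived
    user_agent: str
    device_known: bool  # device/browser cookie previously seen on this account

@dataclass(frozen=True)
class Profile:
    usual_countries: frozenset
    usual_hours: frozenset
    usual_user_agents: frozenset

# Weights are illustrative assumptions; real deployments tune or learn them.
WEIGHTS = {"country": 40, "hour": 15, "user_agent": 20, "device": 30}

def risk_score(a: Attempt, p: Profile) -> int:
    # Each signal that deviates from the account's history adds to the score.
    score = 0
    if a.country not in p.usual_countries:
        score += WEIGHTS["country"]
    if a.hour_utc not in p.usual_hours:
        score += WEIGHTS["hour"]
    if a.user_agent not in p.usual_user_agents:
        score += WEIGHTS["user_agent"]
    if not a.device_known:
        score += WEIGHTS["device"]
    return score

def decide(score: int) -> str:
    # Thresholds (assumed) decide which credentials are "sufficient":
    # password only, password plus a second factor, or no login at all.
    if score < 30:
        return "ALLOW"
    if score < 70:
        return "STEP_UP"   # e.g. ask for an MFA code
    return "DENY"          # the lockout the post describes

# Constructed profile: owner logs in from GB, daytime UTC, one browser.
OWNER = Profile(frozenset({"GB"}), frozenset(range(8, 20)), frozenset({"Firefox/110"}))

# Two constructed attempts with identical signals: a relative the owner shares
# the account with, travelling in Brazil, and an attacker in Brazil.
RELATIVE = Attempt("BR", 3, "Chrome/111", False)
ATTACKER = Attempt("BR", 3, "Chrome/111", False)

def same_outcome(x: Attempt, y: Attempt, p: Profile) -> bool:
    # The model only sees features, so equal features force equal decisions.
    return decide(risk_score(x, p)) == decide(risk_score(y, p))
```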
last updated: 2023-02-09