📆 August 10, 2023 | ⏱️ 1 minute read | 🏷️ computing

Re: Against risk-based authentication (or, why I wouldn't trust Google Cloud)

I found another article written by Hugo Landau which discusses the availability problem created by risk-based authentication (non-deterministic login). For those who don’t want to read the entire article, here’s a short quote which captures the essence of Hugo’s critique:

“The problem is precisely this: The credentials you require to access a Google account are essentially indeterminate. Supposedly, for a simple Google account without 2FA enabled, knowledge of the account email and password should be sufficient to access an account; except sometimes, they aren’t. Sometimes, Google might randomly decide your login attempt is suspicious, and demand you complete some additional verification step.

This sounds potentially innocuous until you then realise that there’s no guarantee you can actually complete this additional verification step. There are to my recollection numerous stories of people being locked out of accounts which they have the passwords for because Google has decided that things are suspicious and having the password is not enough.”

Apart from the availability issue that Hugo brought up, my problem with risk-based authentication is that it usually relies on collecting and indefinitely storing sensitive data about the user (IP addresses, approximate location, device fingerprints, login times) for later comparison against each new login attempt, which violates the user’s privacy and creates needless risk of sensitive data exposure.
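To make both points concrete, here is a toy comparison of a deterministic login against a risk-based one. This is an added example written for this page, not code from the post or from any real provider; the risk signals, the scoring rule and the step-up threshold are made up for illustration. It shows the same correct password being accepted in one flow and refused in the other, and what the risk-based flow has to retain about the user to make that decision.

```python
"""Added example: deterministic vs risk-based login.

Not code from the post or from any real provider. The scoring rule,
threshold and stored signals are hypothetical.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    # Only the risk-based flow needs these. They are kept across logins for
    # later comparison, so they are exactly the sensitive profile data the
    # post objects to.
    seen_ips: set = field(default_factory=set)
    seen_devices: set = field(default_factory=set)
    seen_countries: set = field(default_factory=set)


@dataclass(frozen=True)
class Attempt:
    email: str
    password: str
    ip: str
    device_id: str
    country: str


def make_user(email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email=email, salt=salt, pw_hash=_hash_password(password, salt))


def password_ok(user: User, attempt: Attempt) -> bool:
    return hmac.compare_digest(user.pw_hash, _hash_password(attempt.password, user.salt))


def deterministic_login(user: User, attempt: Attempt) -> str:
    """The credential set is fixed: the right password is sufficient."""
    return "ok" if password_ok(user, attempt) else "denied"


def risk_based_login(user: User, attempt: Attempt, step_up_available: bool) -> str:
    """Same password check, but the outcome also depends on stored history.

    Hypothetical scoring: each signal not seen before adds to a risk score;
    at or above the threshold the server demands a step-up. If the user
    cannot complete it, the correct password alone is not enough.
    """
    if not password_ok(user, attempt):
        return "denied"
    score = 0
    if user.seen_devices:  # users with no history yet are not profiled
        score += int(attempt.ip not in user.seen_ips)
        score += 2 * int(attempt.device_id not in user.seen_devices)
        score += 3 * int(attempt.country not in user.seen_countries)
    if score >= 3 and not step_up_available:
        return "locked_out"
    # Accepted (possibly after step-up): retain the signals indefinitely.
    user.seen_ips.add(attempt.ip)
    user.seen_devices.add(attempt.device_id)
    user.seen_countries.add(attempt.country)
    return "ok"


def retained_profile(user: User) -> dict:
    """What the risk engine has kept about the user for future comparisons."""
    return {
        "ips": sorted(user.seen_ips),
        "devices": sorted(user.seen_devices),
        "countries": sorted(user.seen_countries),
    }


def demo() -> dict:
    """Run the same correct password through both flows from two locations.

    Constructed sample attempts; the addresses are documentation ranges.
    """
    pw = "correct horse battery staple"
    user = make_user("alice@example.com", pw)
    home = Attempt(user.email, pw, "203.0.113.7", "laptop-1", "DE")
    travel = Attempt(user.email, pw, "198.51.100.9", "phone-2", "JP")
    wrong = Attempt(user.email, "wrong", "203.0.113.7", "laptop-1", "DE")
    return {
        "home_deterministic": deterministic_login(user, home),
        "home_risk": risk_based_login(user, home, step_up_available=True),
        "travel_deterministic": deterministic_login(user, travel),
        "travel_risk": risk_based_login(user, travel, step_up_available=False),
        "wrong_deterministic": deterministic_login(user, wrong),
        "wrong_risk": risk_based_login(user, wrong, step_up_available=True),
        "profile": retained_profile(user),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The travelling attempt carries the correct password and is still refused by the risk-based flow once the user has a stored history and cannot complete the step-up, which is the indeterminacy Hugo describes. The profile returned at the end is the data the deterministic flow never needed to keep.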

Hopefully risk-based authentication will fade away and online services will switch to better alternatives.