Analysis of (Multi-)Account Security and Accessibility

Identity management includes all measures for the secure access of people and computers to the network and to applications. Thus, every user has at least one digital identity linked to authentication methods and permissions. Many providers nowadays require multiple authentication methods (e.g. password + SMS). The combination of information required by the provider also partly depends on a risk assessment and can be different for each login process. If authentication methods are currently not (or no longer) available, access is via so-called fallback methods, e.g. security questions. These complex relationships make it difficult to assess the security, but also the possibilities of user account recovery. Furthermore, it is not uncommon for multiple authentication methods to be tied to the same device (typically the smartphone) and loss of which can render both authentication and recovery impossible. After all, multiple user accounts are often related: either through federated identity management (e.g. via SAML or OAuth/OpenID Connect) or by sending recovery emails to other accounts. This allows user accounts to form complex networks, further complicating security or recovery assessments.

Various topics are possible in this area, for example:

  • Analysis of risk-based authentication at large providers such as Google and Facebook
  • Analysis of fallback methods for large providers and users
  • Development of tools for evaluating and displaying authentication graphs
  • Usability analysis of these tools
  • Analysis of known account takeover attacks

Possible Tasks:

  • literature research
  • requirements analysis
  • conception
  • Prototype implementation
  • user study evaluation


  • Pöhn, Daniela, Nils Gruschka, and Leonhard Ziegler. "Multi-Account Dashboard for Authentication Dependency Analysis." In Proceedings of the 17th International Conference on Availability, Reliability and Security, pp. 1-13. 2022.
  • Hammann, Sven, Michael Crabb, Sasa Radomirovic, Ralf Sasse, and David Basin. "I’m Surprised So Much Is Connected." In CHI Conference on Human Factors in Computing Systems, pp. 1-13. 2022.
Publisert 19. sep. 2022 10:52 - Sist endret 19. sep. 2022 11:37


Omfang (studiepoeng)