Implementing Risk-Based Account Recovery

Many popular online services, such as Google, Meta, or LinkedIn, use risk-based decision-making to authenticate a user. This approach, called risk-based authentication (RBA), aims to make authentication more difficult for suspicious clients while relaxing the authentication procedure for trusted clients. For that, the online service calculates a risk score based on certain client features, e.g. IP location, user agent, etc. Similarly, this approach can be helpful when it comes to account recovery. The goal of this thesis is to explore the possibilities of risk-based account recovery (RBAR) and the potential security and usability gain. A possible outcome would be the development and implementation of an RBAR system.