
Effective RBA notifications can reduce account compromise and phishing risk, directly influencing user trust and overall cyber‑security posture.
Risk‑based authentication (RBA) has emerged as a frontline defense against unauthorized account access, delivering real‑time alerts when suspicious login activity occurs. While the technology promises swift user awareness, its effectiveness hinges on how recipients interpret and act on those notifications. The NDSS study highlights a paradox: users recognize the importance of RBA alerts yet experience heightened anxiety and suspicion, especially when the alerts originate from actions they did not perform. This emotional response can blur the line between legitimate security warnings and phishing lures, challenging designers to balance urgency with clarity.
The research surveyed 273 participants, revealing that 46% of users initially label unexpected RBA messages as potential phishing attempts. Despite this skepticism, a majority—65%—still proceed to log into their accounts to inspect activity, indicating a willingness to verify but also exposing a window for credential‑stealing attacks if the notification itself is malicious. The lack of detailed context within current alerts—such as location, device type, or risk level—contributes to mistrust and may inadvertently drive users toward unsafe verification practices, like clicking embedded links.
To bridge this gap, the authors propose five design enhancements, including richer contextual data, clear risk explanations, and actionable security options directly within the notification. Implementing these recommendations can elevate user confidence, reduce false‑positive phishing concerns, and strengthen overall account protection. As organizations increasingly adopt RBA, aligning notification design with human‑centered security principles will be critical for mitigating threats and fostering a resilient digital ecosystem.
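The following is an added example, written for this page and not code from the NDSS study or any product, of what a notification built along those lines can look like: it carries the time, location, device and risk level the summary says current alerts lack, explains in plain language why the sign-in was flagged, and offers recovery steps that do not involve clicking an embedded link, with a pre-send check that no URL slipped into the text. The event schema, the risk signals and their weights, the level thresholds and the sample event are all assumptions made for the illustration.

```python
"""Added illustration (not the NDSS study's or the page's code): a
risk-based-authentication (RBA) login alert with context, a risk
explanation and link-free actions. Field names, weights, thresholds and
the sample event are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass
class LoginEvent:
    """One sign-in as seen by the RBA engine (assumed schema)."""
    account: str
    when: datetime
    ip: str
    city: str
    country: str
    device: str
    browser: str
    # Risk signals the RBA engine is assumed to have computed already.
    new_device: bool = False
    new_country: bool = False
    impossible_travel: bool = False
    anonymising_proxy: bool = False


# Each signal gets an assumed weight and a plain-language explanation.
RISK_SIGNALS = {
    "new_device": (1, "this device has not been used with your account before"),
    "new_country": (2, "the sign-in came from a country you have not used before"),
    "impossible_travel": (3, "the location is too far from your previous sign-in "
                             "to have been reached in the time between them"),
    "anonymising_proxy": (2, "the connection came through an anonymising proxy"),
}


def assess_risk(ev):
    """Return (level, reasons). level is 'low', 'medium' or 'high' under the
    assumed thresholds; reasons explain every signal that is set."""
    score, reasons = 0, []
    for name, (weight, text) in RISK_SIGNALS.items():
        if getattr(ev, name):
            score += weight
            reasons.append(text)
    level = "low" if score <= 1 else "medium" if score <= 3 else "high"
    return level, reasons


def render_notification(ev, service):
    """Compose the alert text: context, explanation and actions, but no URL,
    so the user is told to reach the service on their own."""
    level, reasons = assess_risk(ev)
    lines = [
        f"{service}: new sign-in to {ev.account}",
        "",
        f"Time:     {ev.when.strftime('%Y-%m-%d %H:%M UTC')}",
        f"Location: {ev.city}, {ev.country} (IP {ev.ip})",
        f"Device:   {ev.device}, {ev.browser}",
        f"Risk:     {level}",
    ]
    if reasons:
        lines.append("Why we flagged it:")
        lines.extend(f"  - {r}" for r in reasons)
    else:
        lines.append("Nothing about this sign-in looked unusual; we notify you "
                     "of every new sign-in.")
    lines += [
        "",
        "If this was you, no action is needed.",
        "If it was not you: open the official app, or type the site address into",
        "your browser yourself, then go to Security settings to end this session,",
        "change your password and turn on two-factor authentication.",
        "",
        "This message contains no links and we will never ask for your password.",
    ]
    return "\n".join(lines)


_LINK = re.compile(r"(https?://|www\.)", re.IGNORECASE)


def has_embedded_link(text):
    """Pre-send check: an alert that tells users not to click links must not
    contain any itself."""
    return _LINK.search(text) is not None


# Constructed sample event, not real data.
SAMPLE = LoginEvent(
    account="alice@example.com",
    when=datetime(2024, 3, 14, 9, 26, tzinfo=timezone.utc),
    ip="203.0.113.42",
    city="Reykjavik", country="Iceland",
    device="Windows laptop", browser="Firefox",
    new_device=True, new_country=True, impossible_travel=True,
)

if __name__ == "__main__":
    msg = render_notification(SAMPLE, "ExampleMail")
    assert not has_embedded_link(msg)
    print(msg)
```

Running the module prints the rendered alert for the constructed event (risk level "high" with three reasons). The two design choices worth noting are that the explanation is derived from the same signals the engine scored, so the text never claims a risk it cannot substantiate, and that the recovery path deliberately routes through the official app or a manually typed address, which is what keeps a genuine alert distinguishable from a phishing lure that imitates it.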