Passwords are used for user authentication by almost every Internet service today, despite a number of well-known weaknesses: passwords are often simple and easy to guess; they are re-used across sites; and they are susceptible to phishing. Numerous methods to replace or supplement passwords have been proposed, such as two-factor authentication or biometric authentication, but none has been adopted widely, leaving most accounts on most websites protected by a password only.
One approach to strengthening password-based authentication without changing user experience is to classify login attempts into *normal* and *suspicious* activity based on a number of parameters such as source IP, geolocation, browser configuration, time of day, and so on. For the suspicious attempts the service can then require additional verification, e.g., by an additional phone-based authentication step. Systems working along these principles have been deployed by many Internet services but have never been studied publicly.
In this work we propose a statistical framework for measuring the validity of a login attempt. We built a prototype implementation and tested on real login data from LinkedIn using only two features: IP address and browser's useragent. We find that we can achieve good accuracy using only *user login history* and *reputation systems*; in particular, a nascent service with no labeled account takeover data can still use our framework to protect its users. When combined with labeled data, our system can achieve even higher accuracy.