2024-06-27
Felix Koltermann

Login Notifications: An Important Security Factor from a User's Perspective

Many online services rely on login notifications to inform users about unusual login activity on their accounts. Together with colleagues from Ruhr University Bochum and Leibniz University Hannover, CISPA Faculty Dr. Maximilian Golla has conducted a comprehensive study on this topic. The researchers investigated how users react to login notifications. In May, they presented their findings at the ACM Conference on Human Factors in Computing Systems in Honolulu (Hawaii).

Due to the large number of online services people use these days, users find so-called login notifications in their email inboxes on a daily basis. "It's typically an email that you receive after logging in to an online service," explains CISPA Faculty Dr. Maximilian Golla. "This email informs users that they have just logged in. If they have actually logged in, they can safely ignore the email. But if they are not sure whether they really did so, it is recommended that they change the password. In order to help users decide, the email also provides further information, such as where the login took place and which device was used." The widespread use of login notifications in users' everyday lives inspired Golla and his colleagues to conduct a study on this topic so they can find out how useful the notifications are in practice and how users react to them.

First, the researchers carried out a comparative study of login notifications from 72 different websites, including well-known services such as google.com and facebook.com. The aim of the study was to investigate the specific content of the emails. "Then we identified the most frequent and most common components of the content. This included information such as the account name, browser, and operating system used. Based on this, we created a generic login notification without branding and used it for our study," explains Golla. To ensure that the participants were able to react without bias, the researchers disguised the actual study behind another study. This study involved a test on spatial reasoning known from the field of psychology, for which the participants had to register on a website. The participants were randomly divided into two groups and were either sent an email immediately after completing the test with information about their actual login or after a few days with made-up login information. At the end of the test, the 229 participants from the US were interviewed about their experiences.

Login Notifications Help Prevent Attacks

"The result of our study is that 20 percent of users from the group that was informed about a potentially dangerous login correctly changed their password. In the group of people who received a notification after their actual login, none changed their password, which is good, as there was no need to do so. We conclude from this that people understand what login notifications are about." It is important for Golla to put the 20 percent into context: "It may not sound like much, but these emails do not replace a password. They are simply an additional security mechanism to everything else we know. A strong password already protects you from most attacks. In addition, there are login notifications, which can help to prevent worse in 20% of the cases where the password fails. If you need even more protection, it is best to use two-factor authentication. Due to all these protective measures, an attack is becoming increasingly complex." It can, therefore, be concluded that login notifications can be a valuable aid to increase your own account security.

Recommendations for Companies and Future Research

For Golla, the most important practical takeaway from the study is that users do want to receive login notifications, especially for suspicious logins, but not for every regular login. In addition, the information in the email should be as specific as possible and already appear in the subject line. "In any case, the account name, the location, the time, and the used device should be mentioned," explains Golla. Based on this data, users can check whether they have logged in themselves or not. "The question of what an ideal login notification would look like remains open for research," concludes the CISPA researcher. "This would require testing different variants. Besides, many of the analyzed login notifications have not been sufficiently tested. Especially if you live and work in the Franco-German border region, as we do here in Saarland, the services have problems processing and displaying location information correctly. Furthermore, many of the tips we found in the emails, such as paying attention to HTTPS in the address bar, are questionable and outdated." So, there is still a lot to do in this field of research.
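The recommendations above (notify on unusual logins rather than on every routine one, and put the account name, location, time and device into the subject line) can be turned into a small notification policy. The following is an added illustration, not code from the study or from any of the services it analyzed; the account name, locations and device strings are constructed sample data, and the "approximate location" wording for low-confidence geolocation is an assumption prompted by the border-region problem Golla describes, not something the page prescribes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple, FrozenSet


@dataclass(frozen=True)
class LoginEvent:
    """One successful login, as the authentication backend would record it."""
    account: str
    location: str            # city/country derived from the IP (may be wrong)
    location_confident: bool  # False when geolocation is unreliable, e.g. border regions
    browser: str
    os: str
    when: datetime            # timezone-aware, in UTC


@dataclass(frozen=True)
class AccountHistory:
    """What the service already knows about the account's usual logins."""
    known_locations: FrozenSet[str]
    known_devices: FrozenSet[Tuple[str, str]]  # (browser, os) pairs


def is_unusual(event: LoginEvent, history: AccountHistory) -> bool:
    """A login is unusual if either the device or the location is new for this account."""
    device = (event.browser, event.os)
    return (device not in history.known_devices
            or event.location not in history.known_locations)


def build_notification(event: LoginEvent,
                       history: AccountHistory) -> Optional[Tuple[str, str]]:
    """Return (subject, body) for an unusual login, or None when no mail should go out.

    Routine logins produce no email, matching the finding that users do not want
    a notification for every regular login.
    """
    if not is_unusual(event, history):
        return None

    device = f"{event.browser} on {event.os}"
    when = event.when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    # Flag unreliable geolocation instead of presenting a guess as fact.
    where = event.location if event.location_confident else f"approximately {event.location}"

    # All four identifying facts go into the subject line so they are visible
    # before the email is even opened.
    subject = f"New sign-in to {event.account} from {device} in {where} at {when}"
    body = (
        f"Account: {event.account}\n"
        f"Time: {when}\n"
        f"Location: {where}\n"
        f"Device: {device}\n\n"
        "If this was you, no action is needed.\n"
        "If you do not recognize this login, change your password now."
    )
    return subject, body


# Constructed sample data (not from the study).
HISTORY = AccountHistory(
    known_locations=frozenset({"Saarbruecken, DE"}),
    known_devices=frozenset({("Firefox", "Windows")}),
)
ROUTINE_LOGIN = LoginEvent("alice@example.com", "Saarbruecken, DE", True,
                           "Firefox", "Windows",
                           datetime(2024, 6, 27, 8, 0, tzinfo=timezone.utc))
UNUSUAL_LOGIN = LoginEvent("alice@example.com", "Lyon, FR", True,
                           "Chrome", "Android",
                           datetime(2024, 6, 27, 9, 30, tzinfo=timezone.utc))
BORDER_LOGIN = LoginEvent("alice@example.com", "Forbach, FR", False,
                          "Firefox", "Windows",
                          datetime(2024, 6, 27, 10, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    for ev in (ROUTINE_LOGIN, UNUSUAL_LOGIN, BORDER_LOGIN):
        result = build_notification(ev, HISTORY)
        print("no notification" if result is None else result[0])
```

The policy errs on the side of notifying when either the device or the location is new; a deployment would tune what counts as "known" (for example, by expiring old devices) and decide how much location detail to show when geolocation confidence is low.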