Risk-based authentication—otherwise known as RBA—is when an authentication system assesses the risk associated with each unique profile attempting to gain access to the network (or application). It analyzes the likelihood of an account compromise or other type of data breach with each login attempt, based not just on who is trying to log in, but on other information surrounding the circumstances of that login attempt (more on that in a minute).
Ultimately, companies do this to some extent every day, but may not be taking that extra critical step to protect themselves. For organizations that want to ensure they have those security checkpoints at every stage of access, it may be time to consider risk-based authentication and make sure your customers are who they say they are.
But, where to begin? This ultimate guide to risk-based authentication will cover:
What is Risk-based Authentication?
The Difference Between RBA vs. Regular Authentication
How Does Risk-based Authentication Work?
Risk-based Authentication Pros & Cons
Time to Invest in Risk-based Authentication?
What is Risk-based Authentication (RBA)?
Risk-based authentication is a form of identity intelligence which homes in on who is logging in, their identity profile, and anything about their login attempt that might be suspicious and thus indicative of a potential data breach.
Based on the analysis, the system may prompt the person logging in to provide more authentication credentials such as multi-factor authentication (MFA), especially in instances in which the system recognizes their identity but not other attributes associated with their login—protecting both you and them in the process.
For example, if an employee who regularly logs in to the HR system from New York suddenly tries to log in from Paris, that may be an indication that his credentials have been compromised. Depending on the policies in place, the high-risk user may be required to provide an additional form of authentication, re-authenticate, reset their password, or may be granted reduced access to the application.
Risk-based authentication can also identify times when risk is low and the user is within normal standards of behavior and context. In these circumstances, the system can decrease the steps required to gain access, making it easier and faster for the employee or customer to log in.
Risk-based authentication examples:
There are many different scenarios in which RBA would recognize a potential threat. Whether the threat is intentional or unintentional (many data breaches happen accidentally, and Verizon's 2021 Data Breach Investigations Report found that 17% of threats come from insiders), you can think of RBA as a bouncer who double-checks the guest list even when they recognize the people in line.
Geographic region: If the identity is recognized but is logging in from a location they normally don't log in from, or login attempts occur from two locations it's impossible to travel between in the given amount of time.
Time of day: If the identity is recognized but is logging in during a time of day that's unusual for them.
Unrecognized device: If the identity is recognized but is logging in from a device that the identity does not normally log in from.
IP reputation: If the IP address of the user is associated with fraudulent and other malicious activities.
Privilege access anomaly: When a user has access to a specific system or app yet has not used it before, or rarely uses it.
The Difference Between RBA vs. Regular Authentication
Any company should have a baseline authentication system, and some will be more complex than others. But if you're wondering what distinguishes RBA from regular authentication methods, there are some important differences to note.
First and foremost, regular authentication typically asks for just one process of authentication for all users, interactions, transactions, etc. This is typically done with a username and password, sometimes applying MFA across the board as well. As we know all too well, passwords can easily be stolen or compromised, especially if there are no other authentication systems in place.
The difference with risk-based authentication is context. Each user and their login is looked at within the specific context, including geography, time, device, posture, and access as mentioned above. Based on the overall risk assessment, the authentication process is then altered to achieve a sufficient amount of certainty around the user's identity, rather than applying the same authentication requirements to all.
How Does Risk-based Authentication Work?
RBA uses real-time intelligence to gain a holistic view of the context behind each login. It takes into account the profile of the identity requesting access, and determines the risk of that profile by looking at other circumstances surrounding the identity (some of these are mentioned above) and the action they are attempting to take. Based on what the system determines about the profile, it decides whether to require additional authentication.
The best risk-based authentication systems use machine learning to establish a baseline of typical behavior for a particular group of users and then detect behavioral anomalies as they occur in real-time, categorizing them into different risk levels. The administrator or security team can assign specific actions for each risk category.
For instance, one RBA example is "geofencing", in which a company implements a virtual fence around the geographical region(s) it expects its users and employees to be logging in from, such as corporate headquarters. When a user tries to log in from elsewhere, the attempt is automatically flagged by your risk-based authentication solution, which responds accordingly by requiring additional authentication, such as:
A temporary PIN code sent by text message or email (one-time password)
An alternate email address
Answering a security question or giving a security code/answer
Biometrics, such as face detection or a fingerprint
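To make the mechanics concrete, here is an added worked example (not Ping Identity's code or the PingOne Risk engine) that scores a login attempt against a user's behavioural baseline using the five signals listed earlier (geographic region including impossible travel, time of day, unrecognized device, IP reputation, and rarely used app), maps the score onto risk categories, and looks up the admin-assigned action per category, including the geofence case just described. The signal weights, the 500 km fence, the 900 km/h travel limit, the score thresholds, the policy table, and all sample data (user "alice", New York and Paris coordinates, TEST-NET documentation IP addresses) are assumptions chosen for illustration; a real product would derive the baseline from behavioural data rather than hand-picked constants.

```python
"""Added illustration of a risk-based login decision (not Ping Identity's code).
Weights, thresholds, the policy table and all sample data are hand-picked assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from math import asin, cos, radians, sin, sqrt
from typing import Optional


class RiskLevel(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    app: str
    lat: float
    lon: float
    at: datetime  # timezone-aware, UTC


@dataclass
class UserBaseline:
    known_devices: set
    usual_hours_utc: range          # hours of day this user normally logs in
    home_lat: float                 # centre of the geofence
    home_lon: float
    app_use_count: dict             # how many times each app was used before
    last_login: Optional[LoginAttempt] = None


KNOWN_BAD_IPS = {"203.0.113.7"}  # constructed entry from the TEST-NET-3 documentation range
GEOFENCE_RADIUS_KM = 500.0       # the "virtual fence" around the expected login region
MAX_TRAVEL_SPEED_KMH = 900.0     # faster than this between two logins is impossible travel
POLICY = {                       # hypothetical admin-assigned action per risk category
    RiskLevel.LOW: "allow",
    RiskLevel.MEDIUM: "require_mfa",
    RiskLevel.HIGH: "deny_and_force_password_reset",
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(attempt, baseline):
    """Add weighted points per contextual signal; return (score, list of signals that fired)."""
    score, signals = 0, []
    if attempt.device_id not in baseline.known_devices:   # unrecognized device
        score += 30
        signals.append("unrecognized_device")
    if attempt.at.hour not in baseline.usual_hours_utc:   # unusual time of day
        score += 15
        signals.append("unusual_hour")
    if baseline.app_use_count.get(attempt.app, 0) < 3:    # privilege access anomaly
        score += 10
        signals.append("rarely_used_app")
    if haversine_km(baseline.home_lat, baseline.home_lon, attempt.lat, attempt.lon) > GEOFENCE_RADIUS_KM:
        score += 25                                       # outside the geofence
        signals.append("outside_geofence")
    last = baseline.last_login
    if last is not None:                                  # impossible travel since last login
        dist = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        hours = (attempt.at - last.at).total_seconds() / 3600
        # moves under 50 km are treated as location jitter; a real move with no time gap is impossible
        if dist > 50.0 and (hours <= 0 or dist / hours > MAX_TRAVEL_SPEED_KMH):
            score += 40
            signals.append("impossible_travel")
    if attempt.ip in KNOWN_BAD_IPS:                       # IP reputation
        score += 40
        signals.append("bad_ip_reputation")
    return score, signals


def decide(attempt, baseline):
    """Full RBA decision: score, risk category, signals that fired, and the policy action."""
    score, signals = score_login(attempt, baseline)
    level = RiskLevel.LOW if score < 25 else RiskLevel.MEDIUM if score < 60 else RiskLevel.HIGH
    return {"score": score, "level": level, "signals": signals, "action": POLICY[level]}


# Constructed samples: "alice" works from New York on laptop-01 between 08:00 and 17:59 UTC and
# uses the HR portal daily; her last login was from New York at 14:00 UTC on the same day.
NY = (40.7128, -74.0060)


def sample_attempt(device, lat, lon, hour, ip="198.51.100.10"):
    return LoginAttempt(device, ip, "hr-portal", lat, lon,
                        datetime(2024, 5, 1, hour, 0, tzinfo=timezone.utc))


ALICE = UserBaseline({"laptop-01"}, range(8, 18), *NY, {"hr-portal": 120},
                     sample_attempt("laptop-01", *NY, 14))
NORMAL = sample_attempt("laptop-01", *NY, 15)             # same device, place and hours
NEW_DEVICE = sample_attempt("phone-99", *NY, 15)          # only the device is unfamiliar
PARIS = sample_attempt("laptop-01", 48.8566, 2.3522, 16)  # New York to Paris in two hours

if __name__ == "__main__":
    for name, attempt in (("normal", NORMAL), ("new device", NEW_DEVICE), ("paris", PARIS)):
        print(f"{name:>10}: {decide(attempt, ALICE)}")
```

Running it shows the three outcomes the article describes: the routine login scores 0 and is allowed without friction, the unfamiliar phone alone lands in the medium band and gets stepped up to MFA, and the Paris attempt trips both the geofence and the impossible-travel check (about 5,800 km in two hours), so it is classified high and denied with a forced password reset. Because the action is looked up per category rather than hard-coded, an administrator changes the response by editing the policy table, not the scoring logic.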
Risk-based Authentication Pros & Cons
Risk-based authentication is a good move for any company that wants to ensure they are protecting their customers and employees and balancing the right levels of security and convenience. But, with any big decision, it's important to understand if there are any downsides to consider. While risk-based authentication itself only adds benefits for your company, the process of adopting it has pros and cons worth weighing before taking that next step:
Pros of Risk-based Authentication:
Mitigates risk and improves security
Flexible policies based on risk assessment to balance security and convenience
A rather easy alternative to other security measures
Cost-effective when you consider the potential savings long-term when RBA prevents a data breach
Cons of Risk-based Authentication:
Admins have to learn a new system that is more complicated than a single standard authentication policy applied across the board
Can be challenging to implement
Hard to put trust in a new security system
Choosing the right risk-based authentication solution and policies
Time to Invest in Risk-based Authentication?
Implementing RBA can have enormous benefits, yet too often we see organizations wait until a breach has occurred to take it seriously.
Investing in a risk-based authentication solution is a no-brainer for any business leader or IT decision maker who wants to optimize security while generally enhancing the user experience for their employees and customers. The first step is to get your questions and concerns answered, so you can feel more comfortable with making the switch. To learn more about risk-based management, take a look at PingOne Risk.