Risk-based authentication is the process of verifying a user as they sign on and scoring them against a set of policies that grant or deny access to resources based on the perceived risk.
When you sign on to an important website or application, you might only need to provide your username and password. However, several other factors are likely being analyzed behind the scenes.
These days, a simple username and password combination is no longer enough to guarantee someone's identity. Businesses need to take much more into consideration when granting a user access to sensitive information.
What is risk-based authentication?
Risk-based authentication takes many unique factors into account, including:
Time of day
Device and browser info
The context of the request
These factors contribute to the risk level of a transaction. Depending on the perceived risk, users could be prompted for a second factor of authentication. For example, if you try to sign on to your bank account from a foreign country, you will most likely have to verify your identity.
On the other hand, users can have a frictionless experience if the calculated risk is low. For example, a user might not need to re-enter their credentials after their session expires if they're on the same company device and network during normal working hours.
Some risk-based authentication solutions can also build and update dynamic profiles of each user. Patterns of a user's behavior are learned by the software over time, allowing for a much more accurate risk calculation.
Many times, users won't even know that risk-based authentication is taking place. Because most transactions aren't high-risk, step-up authentication is only occasionally required. This is the greatest benefit of risk-based authentication: it provides a seamless user experience while adding a considerable amount of security to a company's infrastructure.
What are the benefits of using risk-based authentication?
More employees are now working from home than ever before. With a remote workforce comes an increase in identity security risks. Traditionally, organizations have leveraged company networks and firewalls to ensure that being on-premises was required to access company materials. Nowadays, being on-premises isn't always possible.
Employees might be working from public Wi-Fi networks that are unsecured and vulnerable to eavesdropping by third parties. Risk-based authentication can easily alleviate the risks associated with public networks by denying access if one is used.
Another risk associated with remote work is the use of personal devices. Risk-based authentication detects unrecognized devices and can use step-up authentication to ensure that the user is who they claim to be.
Data breaches are increasingly common, meaning the typical username and password combination no longer guarantees that a user is who they say they are. According to IBM, leaked credentials were the most common factor causing data breaches in 2021, and security artificial intelligence (AI), such as risk-based authentication, had the greatest cost-mitigating effect on data breaches.
In addition to the extra factors analyzed by risk-based authentication, you can evaluate data and determine the origin of data leaks. For example, you can filter high-risk transactions by location, user, browser, and many other factors.
Not only does risk-based authentication improve security, but it can increase workforce productivity. When a session is low-risk, such as when a user is using a trusted device and network within typical working hours, they can have a seamless experience, meaning they don't have to spend time re-authenticating into their frequently used applications.
How does risk-based authentication work?
Risk-based authentication is controlled by sets of rules, also known as policies, that categorize how risky a specific transaction is.
Every time a request is received, these policies analyze the various risk signals and weigh them against each other to calculate a risk score. In turn, the risk score determines the authentication experience for the end user. They might have a seamless experience, or they might be required to complete additional verification steps.
Generally speaking, risk signals fall into four different categories:
Device reputation: The device history is examined to determine if it’s been involved in any fraudulent activity. Crowd-sourced consortiums correlate users to devices to define fraud rings and to identify those attacking multiple accounts, and then build rules based on these profiles.
User behavior: User behavior history is examined to establish a baseline and recognize threats if and when users deviate from typical behaviors.
Network risk: Normal network traffic is examined to identify risky behavior from network inputs and establish a baseline risk score, which is then correlated with user behavior to calculate risk scores.
Behavioral biometrics: User biometric behavior history is examined to establish a baseline and recognize threats if and when users deviate from typical behaviors. Users’ physical movements, such as typing cadences, keyboard patterns, strength of key pressure, or mouse movements, are compared to the baseline to determine risk. These factors work for mobile devices as well, such as whether the user holds the device at the same angle, presses the screen with the same pressure, and swipes in the same manner.
Risk policies are customizable and vary by organization and the type of data being accessed. For example, if a company only has employees in Canada, a security architect could create a rule that classifies any transaction originating from any other country as high risk. Similarly, attempting to access general company information would be considered lower risk than accessing sensitive data, such as an employee's Social Security number.
If a transaction is classified as high risk, step-up authentication is also configurable according to company policy. A user might need to complete different second factor authentication methods depending on the risk score or the sensitivity of the application. They can even be denied access if too many risk factors are suspicious.
The most sophisticated risk-based authentication systems use machine learning to establish baselines of typical behavior for groups of users and then detect behavioral anomalies as they occur in real time, categorizing them into different risk levels. The administrator or security team can assign specific actions for each category in the risk policies.
What does a risk policy look like?
Risk policies are extremely customizable. The following diagram depicts an example of a basic risk policy and the resulting authentication experiences determined by risk level.
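As an added illustration (not part of the original article or any vendor's product), the following Python sketch turns the policy described above into code: the signals from the "How does risk-based authentication work?" section are weighted into a score, the Canada-only rule is applied as an explicit override, and the score selects the authentication experience (frictionless, step-up, or deny). All weights, thresholds, network labels and device identifiers are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy for a company whose employees are all in Canada
# (the article's example); all weights, thresholds and names are assumptions.
TRUSTED_COUNTRIES = {"CA"}
TRUSTED_NETWORKS = {"corp-office", "corp-vpn"}
WORKING_HOURS = range(7, 20)                   # 07:00-19:59 local time
WEIGHTS = {"foreign_country": 40, "untrusted_network": 25, "unknown_device": 25,
           "off_hours": 10, "sensitive_resource": 20}
DENY_THRESHOLD = 90                            # "too many risk factors are suspicious"

@dataclass
class SignOn:
    user: str
    country: str        # ISO 3166 alpha-2 code from IP geolocation
    network: str        # network label supplied by the access gateway
    device_id: str      # device fingerprint
    hour: int           # local hour of the request
    sensitivity: str    # "general" or "sensitive" (e.g. HR records)

def risk_signals(req: SignOn, known_devices: set) -> dict:
    """Weight each raised signal; 0 means the signal is not raised.
    known_devices is the user's learned profile of previously seen devices."""
    raised = {
        "foreign_country": req.country not in TRUSTED_COUNTRIES,
        "untrusted_network": req.network not in TRUSTED_NETWORKS,
        "unknown_device": req.device_id not in known_devices,
        "off_hours": req.hour not in WORKING_HOURS,
        "sensitive_resource": req.sensitivity == "sensitive",
    }
    return {name: WEIGHTS[name] if on else 0 for name, on in raised.items()}

def evaluate(req: SignOn, known_devices: set) -> dict:
    signals = risk_signals(req, known_devices)
    score = sum(signals.values())
    # Explicit rule: any non-Canadian origin is high risk regardless of the score.
    if signals["foreign_country"]:
        level = "high"
    else:
        level = "low" if score < 20 else "medium" if score < 60 else "high"
    if score >= DENY_THRESHOLD:
        action = "deny"
    elif level == "high":
        action = "step-up:phishing-resistant"   # e.g. a FIDO2 security key
    elif level == "medium":
        action = "step-up:otp"                  # second factor such as a one-time code
    else:
        action = "allow"                        # frictionless sign-on
    return {"score": score, "level": level, "action": action,
            "reasons": [name for name, w in signals.items() if w]}
```

The "reasons" list is what an administrator would want logged alongside the decision, since it is what lets high-risk transactions be filtered by location, device or network afterwards.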