Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
Risk Based Authentication: How it Works & Benefits | Ping Identity
Identity Fundamentals
Identity and Access Management
Identity Providers and Service Providers
Centralized Identity Management
What is Centralized Identity Management?
How Does Centralized Identity Management Work?
Centralized Identity Standards
SAML
OAuth
OpenID Connect (OIDC)
Decentralized Identity Management
What is Decentralized Identity Management?
How Does Decentralized Identity Management Work?
How is Decentralized Identity Different?
Decentralized Identity Standards
Common Terms
Zero Trust Security
Orchestration
Authentication
Authorization
Authorization Methods
User and Account Provisioning
Single Sign-on with a Directory
Dynamic Authorization
Protocols
LDAP
SCIM
WebAuthn
Kerberos
WS-Trust
What Is B2B Identity and Access Management (B2B IAM)
Expand All | Collapse All

Risk-based Authentication

 

When you sign on to an important website or application, you might only need to provide your username and password. However, several other factors are likely being analyzed behind the scenes.

 

These days, a simple username and password combination is no longer enough to guarantee someone's identity. Businesses need to take much more into consideration when granting a user access to sensitive information.

 

What is risk-based authentication (RBA)?

 

Risk-based authentication (also known as context-based authentication) is the process of verifying a user as they sign on and scoring them against a set of policies that grant or deny access to resources based on the perceived risk.

 

Risk-based authentication takes many unique factors into account, including:
 

  •  Time of day
  •  Location
  •  Device and browser info
  •  IP address
  •  User information
  •  The context of the request

These factors contribute to the risk level of a transaction. Depending on the perceived risk, users could be prompted for a second factor of authentication.

 

Some risk-based authentication solutions can also build and update dynamic profiles of each user. Patterns of a user's behavior are learned by the software over time, allowing for a much more accurate risk calculation.


Many times, users won't even know that risk-based authentication is taking place. Because most transactions don't fall under high-risk, step-up authentication is only occasionally required. This is the greatest benefit of risk-based authentication: it provides a seamless user experience while adding a considerable amount of security to a company's infrastructure.

 

Low Risk

Users can have a frictionless experience if the calculated risk is low. For example, a user might not need to re-enter their credentials after their session expires if they're on the same company device and network during normal working hours. Other examples of low risk connections:

 

  • No additional friction would be added when a customer logs into a credit card account using a mobile app on a smartphone that has a verified history and additional verification methods like facial recognition.
  • A low risk score would be generated when a remote employee accesses a digital property from a familiar geolocation like a home office, which also has a known IP address.

 

Medium Risk

If RBA suggests a medium level of risk, the user will be prompted to provide extra details for verification. They might be required to supply their email address or respond to further security inquiries. Additional examples of medium risk connections include:

 

  • An employee requests access using the correct credentials, while at the same time logging in from an unfamiliar device. In turn, an additional MFA method like an SMS one-time password (OTP) would be applied to grant access.
  • An ecommerce customer uses a familiar device to make a purchase, but they log in from an unusual location like a different state. This anomalous risk signal would be enough to trigger an additional MFA method like an email magic link.

 

High Risk

When RBA identifies a potentially high-risk target, the system might request additional MFA methods or block access altogether. To illustrate, access would be blocked when a user attempts to log in from a strange location like a foreign country during odd hours such as the middle of the night. Other examples of high risk connections include:

 

  • A high risk RBA score is generated when an online banking customer requests a large financial transfer to an external account. Even if standard risk signals like the IP address and user behavior check out, such a sensitive transaction would trigger additional MFA methods.
  • An employee attempts to access a digital property from an unfamiliar IP address in a foreign country known for cybercrimes. They also fumble their login attempt and enter the wrong credentials on the first few tries. Due to so many blatant risk signals, the user would be blocked from accessing the digital property.

 

What are the benefits of using risk-based authentication?

 

Well Suited for Hybrid Work

More employees are now working from home than ever before. With a remote workforce comes an increase in identity security risks. Traditionally, organizations have leveraged company networks and firewalls to ensure that being on-premise was required to access company materials. Nowadays, being on-premise isn’t always possible.


Employees might be working from public Wi-Fi networks that are unsecure and vulnerable to eavesdropping from third parties. Risk-based authentication can easily alleviate the risks associated with public networks by denying access if one is used.


Another risk associated with remote work is the use of personal devices. Risk-based authentication detects unrecognized devices and can use MFA or other security measures to ensure that the user is who they claim to be.

 

Breach Protection

Data breaches are increasingly common, meaning the typical username and password combination no longer guarantees that a user is who they say they are. According to IBM, stolen or compromised credentials are the most common initial attack vector, and companies that make use of advanced security techniques and automation have a lower likelihood of breach and a lower total cost associated with breaches overall.


In addition to the extra factors analyzed by risk-based authentication, you can evaluate data and determine the origin of data leaks. For example, you can filter high-risk transactions by location, user, browser, and many other factors.

 

Less Intrusive Security

Not only does risk-based authentication improve security, but it can increase workforce productivity. When a session is low-risk, such as when a user is using a trusted device and network within typical working hours, they can have a seamless experience, meaning they don't have to spend time re-authenticating into their frequently used applications.

 

Remain Compliant

RBA bolsters security postures, while ensuring organizations remain compliant in heavily regulated industries like financial services. For example, the General Data Protection Regulation (GDPR) in Europe shows a strong commitment to data privacy and security during an era with increasing reliance on cloud services. Since GDPR is known for being broad in scope while also lacking specific guidelines, implementing RBA ensures organizations go above and beyond compliance laws by showing that they are focusing on security first.

 

Ease of Widespread Use

RBA has proven highly effective in several key industries. For starters, RBA helps stop account takeover fraud (ATO) in financial services. In a similar fashion, ecommerce sites improve customer trust by safeguarding data with RBA practices. Healthcare payers and providers can also benefit from implementing RBA to secure sensitive PII and PHI from being accessed by cybercriminals. Finally, government agencies utilize RBA to secure sensitive information and critical infrastructure - with the goal of mitigating cybersecurity risks and safeguarding national interests.

 

How does risk-based authentication work?


Risk-based authentication is controlled by sets of rules, also known as policies, that categorize how risky a specific transaction is.


Every time a request is received, these policies analyze the various risk signals and weigh them against each other to calculate a risk score. In turn, the risk score determines the authentication experience for the end user. They might have a seamless experience, or they might be required to complete additional verification steps.


Generally speaking, risk signals fall into four different categories:
 

  • Device reputation: The device history is examined to determine if it’s been involved in any fraudulent activity. Crowd-sourced consortiums correlate users to devices to define fraud rings and to identify those attacking multiple accounts, and then build rules based on these profiles.

  • User behavior: User behavior history is examined to establish a baseline and recognize threats if and when users deviate from typical behaviors.

  • Network risk: Normal network traffic is examined to identify risky behavior from network inputs, establish a baseline risk score, and then correlated to user behavior to calculate risk scores.

  • Behavioral biometrics: User biometric behavior history is examined to establish a baseline and recognize threats if and when users deviate from typical behaviors. Users’ physical movements, such as typing cadences, keyboard patterns, strength of key pressure, or mouse movements, are compared to the baseline to determine risk. These factors work for mobile devices as well, such as whether the user holds the device at the same angle, presses the screen with the same pressure, and swipes in the same manner.

 

Risk policies are customizable and vary by organization and the type of data being accessed. For example, if a company only has employees in Canada, a security architect could create a rule that classifies any transaction originating from any other country as high risk. Similarly, attempting to access general company information would be considered lower risk than accessing sensitive data, such as an employee's Social Security number.


If a transaction is classified as high risk, step-up authentication is also configurable according to company policy. A user might need to complete different second factor authentication methods depending on the risk score or the sensitivity of the application. They can even be denied access if too many risk factors are suspicious.


The most sophisticated risk-based authentication systems use machine learning to establish baselines of typical behavior groups of users and then detect behavioral anomalies as they occur in real-time, categorizing them into different risk levels. The administrator or security team can assign specific actions for each category in the risk policies.

 

What does a risk policy look like?


Risk policies are extremely customizable. The following diagram depicts an example of a basic risk policy and the resulting authentication experiences determined by risk level.
 

FAQs

In order to implement RBA, an organization must add a threat protection solution that can analyze and assess threats in real time. This solution must integrate with existing identity and access management (IAM) systems to evaluate risk at the point of authentication and provide a risk score. The organization must then build out an appropriate response by creating policies around different threat types and levels to call for MFA when appropriate. These integrations can sometimes be difficult, so it is important to look for a vendor that can easily connect on-prem or cloud-based IAM with dynamic risk-scoring and real-time user journey orchestration for effective mitigation.

Since the identity security field evolves so quickly, so do our definitions of different practices. When it comes to continuous authentication, we see the same similarities and variances with RBA as seen with adaptive authentication. 

 

Traditionally, RBA is associated with specific user actions like access requests and major transactions. In turn, RBA assesses the risk levels of specific actions according to predefined criteria. Conversely, continuous authentication involves ongoing verification that evolves throughout a user’s session, utilizing factors like behavior patterns and biometrics. Continuous authentication is a dynamic process that isn’t tied to a particular access request or major transaction. 

 

It's safe to assume all forms of continuous authentication are considered RBA. Yet, an RBA solution is only considered continuous authentication if it verifies user attributes during sessions independent of access requests.

Static authentication employs a fixed method like a password to prove a user's identity. In turn, this authentication method remains unchanged and a user has the same login experience every time. This may mean that every authentication request requires MFA, or that none do. This can create problems in multiple ways – too many security steps as a standard can cost productivity, while too few may open the door to cybercriminals.

 

Conversely, dynamic authentication takes context into account. Low-risk users may be able to stay logged in for longer before their sessions expire, while risky login attempts can be met with additional security challenges. This allows for smoother experiences for low-risk users and higher productivity while still maintaining a rigorous security standard.

These two concepts are related, but they are triggered by different things. Step-up authentication is a static approach that triggers anytime a user requests access to a previously identified high-risk resource. For example, an employee may be able to access the corporate intranet on their company-issued device anytime, but must authenticate again before accessing payroll information. The risk is tied to the resource. Meanwhile, risk-based authentication focuses not on the resource but on the user and their behavior. RBA may trigger a request for additional authentication because a user is logging in from a known suspicious IP or is using an unfamiliar device. 

 

Risk-based and step-up authentication both have their benefits, and it should be noted that step-up authentication usually applies tok activities throughout a user's session that occur beyond the point of login. Step-up authentication implements additional MFA when a user requests a pre-defined high-risk action, which can occur at any point in the user session. Meanwhile, RBA is usually applied at the point of login, although it is possible to create policies that call for a dynamic risk score at any time in the session as well.

 

Looking to Implement RBA at Your Organization?

 

Is your organization interested in an RBA solution? Ping has a robust quiver of identity security technologies designed for the global enterprise. Whether you need to secure identities for employees or customers, Ping Identity has the RBA solutions for your needs. 

 

Chat with an expert to get started.

Related Resources

Blog

Risk-based Authentication: Integrations for Better Digital Experiences

   

Capability

Risk Management

   

Website

Risk-Based Authentication

Start Today

Contact Sales

sales@pingidentity.com

+1 877-898-2905

See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.