2 - Contextual and Risk-based Authentication


Any usage of MFA is better than passwords alone, but contextual and risk-based MFA delivers more secure, usable and cost-effective authentication.

Contextual authentication uses logic-based mechanisms, such as geolocation, time of day, IP address and device identifiers, to determine whether a user should be required to use a second factor based on policy.

For example, say a customer uses a password to sign on to a banking site and then wants to transfer money. If that customer signs on from the United States, the MFA system might not require further action. But if they sign on from Uzbekistan, the system might require a second authentication factor.

Risk-based authentication dynamically assesses the risk of a given operation based on:

  • The user’s current authentication status.

  • The risk associated with the resource in question.

  • The context of the request, and whether the resulting risk calculation falls below a set threshold.

This risk-based approach determines when to step up authentication requirements. A user is asked to authenticate with the additional factor only when necessary, as determined by a risk score and not by default.

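A small policy engine that turns the three inputs above (authentication status, resource risk, request context) into an allow / step-up / deny decision, written here as an added example rather than code from this guide or any product. The signal names, weights and thresholds are constructed for illustration; a real deployment would tune them from its own fraud and login data.

```python
from dataclasses import dataclass

# Constructed policy values for illustration only.
TRUSTED_COUNTRIES = {"US"}
RESOURCE_RISK = {"view_balance": 10, "transfer_funds": 40, "change_contact": 30}
STEP_UP_THRESHOLD = 50   # score >= this: require a second factor
DENY_THRESHOLD = 90      # score >= this: refuse the operation outright


@dataclass
class Request:
    country: str          # geolocation of the client IP
    hour_utc: int         # time of day
    ip_on_denylist: bool  # e.g. IP flagged as an anonymizing proxy
    known_device: bool    # device identifier previously seen for this user
    mfa_verified: bool    # user's current authentication status
    resource: str         # operation being requested


def risk_score(req: Request) -> int:
    """Combine contextual signals and resource sensitivity into one score."""
    # Unknown resources are treated as sensitive rather than silently low-risk.
    score = RESOURCE_RISK.get(req.resource, 50)
    if req.country not in TRUSTED_COUNTRIES:
        score += 30
    if not req.known_device:
        score += 25
    if req.ip_on_denylist:
        score += 40
    if req.hour_utc < 6:          # off-hours activity under this constructed policy
        score += 10
    if req.mfa_verified:          # an already-completed second factor lowers residual risk
        score -= 40
    return max(score, 0)


def decide(req: Request) -> str:
    """Return 'allow', 'step_up' or 'deny'; step-up happens only when the score demands it."""
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"
```

Note that a session that has already passed the second factor (`mfa_verified=True`) is not re-prompted for the same transfer, which is the "only when necessary" property the text describes.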
Chapter 3