Risk-Based Authentication: Because You Shouldn't have to Choose Between Security and Usability

Balancing security with usability is a challenge that countless organisations face—both for their customers and for their workforces. We know that making both IT teams and end users happy is no easy task, which is why we are excited to announce that Risk-Based Authentication is now Generally Available for all Okta customers.

The Ongoing Struggle: Security vs Usability

Why it matters for your customers

If you are a customer-facing organisation, user friction is your worst nightmare. Poor user experience with your application can have a very real impact on your organisation’s bottom line.

You want your customers to log into your app with as little friction as possible, regardless of where, when, or on what device they are accessing from. But you can’t brush security to the wayside, lest your organisation makes headline news as another victim of a major data breach like so many of your contemporaries. Then your bottom line is really in trouble. How can you make accessing your application as easy as possible for users, without making it easy for bad actors?

Why it matters for your workforce

The same sentiment applies to your workforce. Your employees, partners, and contractors now access more resources from more locations and devices than ever before. Organisations like yours are under immense pressure to enable these users to access an ever-expanding variety of emerging apps, tools, and devices, but the workforce continues to sprawl further and further outside of the network perimeter.

How can your IT and Security teams ensure that the users attempting to access corporate data from these various locations and devices really are who they say they are?

Context is key to automation: Introducing Risk-Based Authentication

We’re here to help. Okta leverages Risk-Based Authentication to address these problems—both for your customers and workforce—by identifying the context in which users attempt to login and enabling you to automate security by implementing significantly stronger authentication techniques and remediation when the scenario calls for it. All while simultaneously enabling a seamless login experience for users within their normal behaviours.

For each login attempt, the system observes a series of individualised contextual variables including the device, location, IP address, typing biometrics, and more. Based on this information, Okta builds profiles for each user. Think of this as the "Digital DNA” of a user's normal login pattern, which will inform authentication and authorisation decisions for each login attempt.

Customisable responses based on risk levels

Chances are your admins are already drowning in rules required to continually manage access policies for several different user groups. Now Okta does this work for you with Risk-Based Authentication.

The Risk-Based Authentication model calculates a risk score for each login event, on a scale of 1-100, by comparing the login context against the digital DNA of each individual user, combined with data on malicious actors from Okta ThreatInsight. The higher the score, the riskier the login and higher the chances of a malicious attempt.

Administrators can pair risk levels with the appropriate response to automate a dynamic approach to authentication security. For example, for a high risk login event, administrators can require passwordless authentication and authorisation via only strong authenticators, such as a FIDO2.0 compatible factor and Okta Verify Push. Alternatively, for low risk logins, administrators can also provide a passwordless experience with any factor best suited for the organisation, such as only SMS authentication, Okta Verify, FIDO2.0 token, etc.

Continual improvement through Machine Learning

“The combination of individualised machine learning model with data-rich insights from Okta’s vast ecosystem of customers, integrations, and authentications creates powerful network effects which enable transparent, yet actionable security,” says Todd McKinnon, CEO and co-founder of Okta.

In the event that Okta detects a high risk login, administrators can choose to send the user an email indicating a suspicious login was attempted. In this message, the user is prompted to confirm that this login attempt was fraudulent—clearing all sessions and forcing a password reset.

This remediation feedback coupled with continued login attempts will gradually tune the machine learning model’s understanding of each user’s behaviour, and more accurately respond to each login instance over time. As a result, users can expect a continually improving login experience as time goes on, which eliminates unnecessary friction whenever possible.

The impact: Headaches for hackers—not your users

“Technologies are often built with security as a barrier to usability or as an afterthought, but organizations shouldn’t have to choose between providing workforces and customers with the best experience and ensuring their information is secure.” – Todd McKinnon, CEO and co-founder of Okta

By leveraging this new functionality, your organisation can automatically detect and respond to high-risk login attempts without having to create multiple complex rules, bogging down customers trying to use your app, or inhibiting employees who are just trying to get their work done.

Okta Risk-Based Authentication is Generally Available as part of Adaptive Multi-Factor Authentication. See how adaptive MFA can empower your customers, as well as your workforce.