Risk-Based Authentication: What You Need to Consider

Risk-based authentication assesses the probability of account compromise with each login.

If the request seems unusual or suspect, the user must do something extra to gain access. Additional factors (like biometrics) ensure that the request comes from a valid user.

Why would this help? Consider this scenario.

Someone wants to access your server. That person has the right username and password, but something about the request seems unusual. The person is logging in from a country in which you don't do business, for example. Or the person is requesting access to a file that only you should see.

Risk-based authentication helps you assess and manage the dangers inherent in the request.

What Is Risk-Based Authentication?

Risk-based authentication uses real-time intelligence to gain a holistic view of the context behind each login.

When a user attempts to sign in, a risk-based authentication solution analyzes factors such as:

  • Device. Is the user on a known computer? Or is the user on a mobile device that has never logged in before?
  • Location. Is the user in the same building that houses the server? Or is the person in another time zone?
  • Network. Is the person logging in from a familiar IP address? Or is that data foreign?
  • Sensitivity. Is the requested file crucial for the company? Or is it a relatively unimportant piece of information?

Based on all of these factors, the system makes a decision. The user can either:

  • Enter normally. The person uses a familiar system, such as a password, to gain access.
  • Offer proof. The person must provide some other form of verification to gain entry.

Sophisticated systems use these same processes when files are requested. A user might be allowed easy access into the system as a whole, but when the person asks to read/write an important file, the system runs through verification processes once more. 

Benefits & Considerations

Don't change authentication processes on a whim. Carefully balance the pros (such as enhanced security) with the cons (such as added user burden) and make a smart decision for your company.

Known benefits associated with risk-based authentication include:

  • Widespread use. Plenty of government agencies both use and promote risk-based authentication. Consumers have likely either heard about this technique or used it in the past, so it shouldn't surprise them.
  • Few deployments. Set up your system properly, and it won't always spring into action. For example, MasterCard says 80 percent of transactions should be categorized as low risk, with no extra steps from consumers required.
  • Plenty of danger. Hacks are expensive. In one published incident, hackers gained access to 12 million unencrypted credit card details. Consumers will blame you for allowing this type of breach.
  • Proven compliance. Some companies, including those in the banking sector, must demonstrate that they meet stringent rules regarding safety. Adopting risk-based authentication principles can help you prove that you put security first.

Potential drawbacks to consider when deploying a risk-based authentication solution include:

  • Deployment planning. You must develop, test, and deploy these systems carefully to ensure your project has a predictable budget.
  • Careful considerations. Set up your systems improperly, and you could lock users out of the apps they need to access. Use methods that are too lax, and you could let everyone in.
  • End user training. Some users may resent your security measures. You may hear complaints from busy people who can't access their apps, especially if your system is new. Ensure you communicate changes in login experience ahead of time.

Discuss these pros and cons with your team carefully before you launch your program. 

High Risk or Low Risk? System Reactions Explained

How does your system determine if a login comes with a high risk or a low risk? An example drawn from real life may make the process plain.

Imagine hearing a knock on your door late at night. You might be hesitant to open it at first, but then your friend calls you from outside. Recognizing their voice, you’d be more inclined to open the door and let them in.

A risk-based authentication solution works in much the same way. If a user attempts to log in with a device that is unknown to the system, it will not allow access until the user has further verified their identity with an additional factor.

That additional factor could involve:

  • A permanent or temporary PIN.
  • Answering a security question.
  • Biometric data, such as a fingerprint. 
  • Codes delivered via smartphone. 

Key Capabilities to Look For

Many companies offer risk-based authentication capabilities. They are not all created equal.

As you shop, ensure your solution has:

  • Access to real-time threat data to identify potential security hazards.
  • Analytics of the user’s context, including their device, location, and network connection.
  • The ability to have users enter extra authentication factors to prove their identities in risky scenarios.
  • Configuration policies that allow admins to set up authentication procedures that are more secure than entering passwords.

Implement Risk-Based Authentication With Okta

Okta’s Adaptive Multi-Factor Authentication (Adaptive MFA) analyzes the user’s context at login time. After the user tries to sign in, Risk-based Authentication, a feature of Adaptive MFA,assigns a risk score to the attempt based on contextual cues, such as their location, device, and IP address. Based on the risk level, the solution can deny access or prompt the user to submit an additional authentication factor to guard against potential breaches.

Pairing it with Okta ThreatInsight gives you an even stronger risk assessment tool, as ThreatInsight analyzes data from a wealth of sources to uncover risks that could otherwise have caused trouble.

It can, for example, assign a higher risk rating to IP addresses that don’t seem suspicious but have been flagged as such on Okta’s network. ThreatInsight also makes it possible to phase out passwords entirely, with just three simple steps:

     1. A username is entered at login.

     2. ThreatInsight analyzes the context of this particular login and assesses the risk.

     3. If the user has tried to gain access in a low-risk environment, they can just tap an Okta Verify push notification to do so.

Unlike passwords, risk-based authentication tells you everything you need to know about the user. IT makes it easier for the right people to gain the right levels of access.

References

Global Risk-Based Authentication Market, 2019 to 2014: Analyzed by Offering, Deployment, End-User Vertical, and Geography. (July 2019). Globe Newswire.

Advantages of a Risk-Based Authentication Strategy for MasterCard SecureCode. (2011). MasterCard.

Protecting Data With Advanced Risk-Based Authentication Techniques. (November 2013). The Wall Street Journal.

Online Risk-Based Authentication Using Behavioral Biometrics. (July 2013). ResearchGate.

Learn more

Want to know more about taking advantage of risk-based authentication with Okta?
Prepare yourself for any threat with our data breach risk assessment checklist.