When you sign on to an important website or application, you might only need to provide your username and password. However, several other factors are likely being analyzed behind the scenes.
These days, a simple username and password combination is no longer enough to guarantee someone's identity. Businesses need to take much more into consideration when granting a user access to sensitive information.
Risk-based authentication (also known as context-based authentication) is the process of verifying a user as they sign on and scoring them against a set of policies that grant or deny access to resources based on the perceived risk.
Risk-based authentication takes many unique factors into account, including:
These factors contribute to the risk level of a transaction. Depending on the perceived risk, users could be prompted for a second factor of authentication.
Some risk-based authentication solutions can also build and update dynamic profiles of each user. Patterns of a user's behavior are learned by the software over time, allowing for a much more accurate risk calculation.
Many times, users won't even know that risk-based authentication is taking place. Because most transactions don't fall under high-risk, step-up authentication is only occasionally required. This is the greatest benefit of risk-based authentication: it provides a seamless user experience while adding a considerable amount of security to a company's infrastructure.
Users can have a frictionless experience if the calculated risk is low. For example, a user might not need to re-enter their credentials after their session expires if they're on the same company device and network during normal working hours. Other examples of low risk connections:
If RBA suggests a medium level of risk, the user will be prompted to provide extra details for verification. They might be required to supply their email address or respond to further security inquiries. Additional examples of medium risk connections include:
When RBA identifies a potentially high-risk target, the system might request additional MFA methods or block access altogether. To illustrate, access would be blocked when a user attempts to log in from a strange location like a foreign country during odd hours such as the middle of the night. Other examples of high risk connections include:
More employees are now working from home than ever before. With a remote workforce comes an increase in identity security risks. Traditionally, organizations have leveraged company networks and firewalls to ensure that being on-premise was required to access company materials. Nowadays, being on-premise isn’t always possible.
Employees might be working from public Wi-Fi networks that are unsecure and vulnerable to eavesdropping from third parties. Risk-based authentication can easily alleviate the risks associated with public networks by denying access if one is used.
Another risk associated with remote work is the use of personal devices. Risk-based authentication detects unrecognized devices and can use MFA or other security measures to ensure that the user is who they claim to be.
Data breaches are increasingly common, meaning the typical username and password combination no longer guarantees that a user is who they say they are. According to IBM, stolen or compromised credentials are the most common initial attack vector, and companies that make use of advanced security techniques and automation have a lower likelihood of breach and a lower total cost associated with breaches overall.
In addition to the extra factors analyzed by risk-based authentication, you can evaluate data and determine the origin of data leaks. For example, you can filter high-risk transactions by location, user, browser, and many other factors.
Not only does risk-based authentication improve security, but it can increase workforce productivity. When a session is low-risk, such as when a user is using a trusted device and network within typical working hours, they can have a seamless experience, meaning they don't have to spend time re-authenticating into their frequently used applications.
RBA bolsters security postures, while ensuring organizations remain compliant in heavily regulated industries like financial services. For example, the General Data Protection Regulation (GDPR) in Europe shows a strong commitment to data privacy and security during an era with increasing reliance on cloud services. Since GDPR is known for being broad in scope while also lacking specific guidelines, implementing RBA ensures organizations go above and beyond compliance laws by showing that they are focusing on security first.
RBA has proven highly effective in several key industries. For starters, RBA helps stop account takeover fraud (ATO) in financial services. In a similar fashion, ecommerce sites improve customer trust by safeguarding data with RBA practices. Healthcare payers and providers can also benefit from implementing RBA to secure sensitive PII and PHI from being accessed by cybercriminals. Finally, government agencies utilize RBA to secure sensitive information and critical infrastructure - with the goal of mitigating cybersecurity risks and safeguarding national interests.
Risk-based authentication is controlled by sets of rules, also known as policies, that categorize how risky a specific transaction is.
Every time a request is received, these policies analyze the various risk signals and weigh them against each other to calculate a risk score. In turn, the risk score determines the authentication experience for the end user. They might have a seamless experience, or they might be required to complete additional verification steps.
Generally speaking, risk signals fall into four different categories:
Risk policies are customizable and vary by organization and the type of data being accessed. For example, if a company only has employees in Canada, a security architect could create a rule that classifies any transaction originating from any other country as high risk. Similarly, attempting to access general company information would be considered lower risk than accessing sensitive data, such as an employee's Social Security number.
If a transaction is classified as high risk, step-up authentication is also configurable according to company policy. A user might need to complete different second factor authentication methods depending on the risk score or the sensitivity of the application. They can even be denied access if too many risk factors are suspicious.
The most sophisticated risk-based authentication systems use machine learning to establish baselines of typical behavior groups of users and then detect behavioral anomalies as they occur in real-time, categorizing them into different risk levels. The administrator or security team can assign specific actions for each category in the risk policies.
Risk policies are extremely customizable. The following diagram depicts an example of a basic risk policy and the resulting authentication experiences determined by risk level.
In order to implement RBA, an organization must add a threat protection solution that can analyze and assess threats in real time. This solution must integrate with existing identity and access management (IAM) systems to evaluate risk at the point of authentication and provide a risk score. The organization must then build out an appropriate response by creating policies around different threat types and levels to call for MFA when appropriate. These integrations can sometimes be difficult, so it is important to look for a vendor that can easily connect on-prem or cloud-based IAM with dynamic risk-scoring and real-time user journey orchestration for effective mitigation.
Since the identity security field evolves so quickly, so do our definitions of different practices. When it comes to continuous authentication, we see the same similarities and variances with RBA as seen with adaptive authentication.
Traditionally, RBA is associated with specific user actions like access requests and major transactions. In turn, RBA assesses the risk levels of specific actions according to predefined criteria. Conversely, continuous authentication involves ongoing verification that evolves throughout a user’s session, utilizing factors like behavior patterns and biometrics. Continuous authentication is a dynamic process that isn’t tied to a particular access request or major transaction.
It's safe to assume all forms of continuous authentication are considered RBA. Yet, an RBA solution is only considered continuous authentication if it verifies user attributes during sessions independent of access requests.
Static authentication employs a fixed method like a password to prove a user's identity. In turn, this authentication method remains unchanged and a user has the same login experience every time. This may mean that every authentication request requires MFA, or that none do. This can create problems in multiple ways – too many security steps as a standard can cost productivity, while too few may open the door to cybercriminals.
Conversely, dynamic authentication takes context into account. Low-risk users may be able to stay logged in for longer before their sessions expire, while risky login attempts can be met with additional security challenges. This allows for smoother experiences for low-risk users and higher productivity while still maintaining a rigorous security standard.
These two concepts are related, but they are triggered by different things. Step-up authentication is a static approach that triggers anytime a user requests access to a previously identified high-risk resource. For example, an employee may be able to access the corporate intranet on their company-issued device anytime, but must authenticate again before accessing payroll information. The risk is tied to the resource. Meanwhile, risk-based authentication focuses not on the resource but on the user and their behavior. RBA may trigger a request for additional authentication because a user is logging in from a known suspicious IP or is using an unfamiliar device.
Risk-based and step-up authentication both have their benefits, and it should be noted that step-up authentication usually applies tok activities throughout a user's session that occur beyond the point of login. Step-up authentication implements additional MFA when a user requests a pre-defined high-risk action, which can occur at any point in the user session. Meanwhile, RBA is usually applied at the point of login, although it is possible to create policies that call for a dynamic risk score at any time in the session as well.
Is your organization interested in an RBA solution? Ping has a robust quiver of identity security technologies designed for the global enterprise. Whether you need to secure identities for employees or customers, Ping Identity has the RBA solutions for your needs.
Chat with an expert to get started.
Related Resources
Risk Management
Start Today
Contact Sales
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.
Request a FREE Demo