Risk-based authentication
Authentication proves that users are who they say they are. Three traditional factors are identified: what you know, what you have, and what you are. New technology and information services can add context factors, making it possible to derive location, behaviour and risk. Risk-based authentication makes authentication a multi-factor affair. Precisely what authentication is has become a relevant question, given that the definition is no longer explicit. The value of each factor must also be measured. Today it all comes together in an often static policy that is no longer tenable. The answer is found in risk-based authentication.
A ‘means of strong authentication’ is usually resorted to when access is needed to information where great risk is involved. But a static check of a username and password, or of a strong means of authentication, is no longer sufficient.
Enforcing the correct authentication depends on many characteristics, such as where the user is located, what device is being used and what information the person wants to use. What matters is the extent to which these characteristics, or a combination of them, are trustworthy: to what extent is this ‘normal’ or ‘suspect’ behaviour? What risks arise when we give a user with these characteristics access to information?
With risk-based authentication, these characteristics are identified and weighed. Intelligent algorithms determine the minimum required means of authentication before a user with such characteristics receives access to the desired information. This may be determined beforehand, but it is also possible during a transaction using a so-called ‘step up’ or re-authentication.
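The weighing and step-up described above can be sketched as follows. This is an added example, not code from the original page or from Traxion; the weights, thresholds, level names and the `Context` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed authentication means, weakest to strongest (illustrative names).
LEVELS = ["password", "password+otp", "hardware_token"]

# Assumed weights: risk added when a characteristic is NOT 'normal'.
WEIGHTS = {"known_device": 30, "usual_location": 25, "usual_hours": 10}

@dataclass
class Context:
    known_device: bool    # device seen before for this user
    usual_location: bool  # location matches the user's history
    usual_hours: bool     # request falls in the user's normal hours
    sensitivity: int      # requested information: 0 public, 1 internal, 2 confidential

def risk_score(ctx: Context) -> int:
    """Weigh the characteristics: deviations plus sensitivity of the target."""
    deviation = sum(w for name, w in WEIGHTS.items() if not getattr(ctx, name))
    return deviation + 20 * ctx.sensitivity

def required_level(ctx: Context) -> int:
    """Map the score to the minimum required means (assumed thresholds)."""
    score = risk_score(ctx)
    return 2 if score >= 60 else 1 if score >= 30 else 0

def decide(ctx: Context, current_level: int) -> str:
    """Allow, or demand a step-up to the minimum required means."""
    need = required_level(ctx)
    return "allow" if current_level >= need else "step_up:" + LEVELS[need]

def session_demo() -> list:
    """Constructed session: password login, then increasingly risky requests."""
    level, out = 0, []
    requests = [
        Context(True, True, True, 0),    # normal context, public data
        Context(True, True, True, 2),    # same context, confidential data
        Context(False, False, True, 1),  # new device and location, internal data
    ]
    for ctx in requests:
        verdict = decide(ctx, level)
        out.append(verdict)
        if verdict.startswith("step_up:"):  # assume the user completes the step-up
            level = LEVELS.index(verdict.split(":", 1)[1])
    return out

if __name__ == "__main__":
    print(session_demo())
```

The second request in the constructed session shows a step-up during a transaction: nothing about the user's context changed, only the sensitivity of the requested information.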
Risk-based authentication for your organization?
Traxion has extensive experience in access control, design and configuration. If you want to know more about this topic, feel free to contact us. We will be happy to share our vision and experiences.