Risk-based authentication makes authentication a multi-factor affair. Authentication proves that users are who they say they are. Three traditional factors are identified: what you know, what you have, and what you are. But nowadays new technology and information services can add context factors making it possible to derive location, behaviour and risk.
The interpretation of precisely what authentication is has become a relevant question given that the definition is no longer explicit. Therefore the value of each factor must also be measured. It all comes together now in an often static policy that is no longer tenable. The answer is found in risk-based authentication.
Hence it is a non-static authentication system which looks at the profile of the agent requesting access to the system to determine the risk profile associated with that transaction. This risk profile is then used to determine the complexity of the challenge. Consequently, higher risk profiles lead to stronger challenges, whereas a static username/password may suffice for lower-risk profiles. The application is allowed to challenge the user for additional credentials only when the risk level is appropriate.
A ‘means of strong authentication’ is usually reverted to when access is needed to information where great risk is involved. But the static checking between username and password or a strong means of authentication is no longer sufficient.
Enforcing the correct authentication depends on many characteristics such as where the user is located, what device is being used and what information the person wants to use. This involves the extent to which these characteristics or a combination of the characteristics are trustworthy, namely, to what extent is it ‘normal’ or ‘suspect’ behaviour. What risks arise when we give a user with these characteristics access to information?
With risk-based authentication, these characteristics are identified and weighed. Intelligent algorithms determine the minimum required means of authentication before a user with such characteristics receives access to the desired information. This may be determined beforehand, but it is also possible during a transaction using a so-called ‘step up’ or re-authentication.
Risk based authentication for your organisation?
Traxion has extensive experience in access control, design and configuration. If you want to more about this topic, feel free to contact us. We will be happy to share our vision and experiences.