What is risk-based authentication?
Understanding the Types of Authentication
Authentication methods are usually grouped into three categories of factor.
1. Ownership Factors
Bank cards, security tokens, a mobile phone: physical objects the user must have in their possession (also called possession factors). The risks to this type of authentication are theft and cloning.
2. Knowledge Factors
Something the user knows: a password, a PIN or the answer to a question such as “what is the first street you grew up on”. Knowledge factors are exposed to guessing, phishing and reuse, and the answers to such questions are often easy to look up.
3. Inherent Factors
These make use of something the user inherently is or does, such as a fingerprint, retinal pattern, signature or face. Unlike a password, a biometric cannot be changed once it has been copied.
Risk Based Authentication Explained
Most authentication software asks the user to log in once at the start of a session and then gives them free rein to do as they please for the rest of it.
With risk-based authentication (RBA), the risk profile is dynamic rather than fixed: it is determined by how the user is acting throughout the session. RBA gives the business a confidence score for the user. If a user has a confidence score of 95 out of 100, the merchant can decide whether it is comfortable with that score or whether it wants to add a step-up challenge to further verify that particular user.
The risk score can draw on factors such as where the session’s traffic is coming from, how fast the user types and whether they are acting out of the ordinary. By monitoring the behavior and risk of each action, vendors help companies detect suspicious behavior profiles. For example, on noticing a potential Man-in-the-Browser (MITB) attack, the company can dynamically launch an out-of-band (OOB) authentication method, one that does not pass through the possibly compromised browser session, such as a phone call or SMS. An OOB step-up only defeats MITB if the message shows the user the details of the transaction they are approving (payee and amount); a bare one-time code can be relayed by the malware, and SMS itself is exposed to SIM-swap attacks.
Risk-based authentication backed by behavioral profiling lets firms alter the authentication process on the fly. The aim is strong security with minimal interruption to the user experience, and therefore fewer abandoned logins and checkouts.
Risk-Based Authentication Example
Pretend, for a minute, that you are a fraudster.
You live in Bolivia, and you have just obtained a fresh set of stolen information belonging to a man named Gregory Adams in Texas. You eagerly test the credentials on his bank’s website, intending to transfer funds from Gregory’s account to yours. You log on, add yourself as a payee, and everything is going swimmingly until a pop-up appears asking you to provide a fingerprint; when you cannot, it kicks you out of his account.
But how did this happen?
What you didn’t see is that the bank had a risk-based authentication framework working in the background for the entire session. The bank saw that you were logging in from Bolivia, far outside Gregory’s regular activity area. It saw that you went straight to transferring funds, which is unusual for Gregory. It saw your typing speed and cadence, and that you were on a phone when Gregory always banks from his computer, along with hundreds of other behavioral parameters. It saw that you simply weren’t Gregory.
So you can’t finish the transfer and are now locked out of the account, while Gregory’s money stays safely where it was.
What Makes a Good Risk-Based Authentication Solution? Best Practices
Today many security companies offer risk-based authentication, but the difference lies in the technology the software-as-a-service vendor uses to determine the score. It’s like cooking a lasagna: with great ingredients the result is Gordon-Ramsay-worthy, but with low-quality ingredients, meat about to expire, tasteless vegetables and no spices, you get a mush even your dog will frown at.
A good risk-based authentication solution builds its score not only from device intelligence (device, location and connection) but also from the user’s behavioral patterns, device attributes, account history and other factors, so that the score is accurate and reliable.
There are many subtle signals your risk-based authentication solution can monitor to assign an accurate risk score to a session. For an effective RBA framework, you need the right layers in your environment and intelligent rules that separate fraudulent attempts from legitimate but unusual behavior (a customer traveling, a newly bought phone); rules that fire on every deviation push the friction back onto good users.
Layers such as passive biometrics and behavioral analytics verify the legitimacy of a user with high accuracy, especially when combined with intelligent interdiction: asking for additional authentication only when suspicious behavior occurs.
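The scoring and step-up logic described above, played through on the Gregory Adams scenario, as an added example that is not code from the original article or from any RBA vendor. The signals, their weights, the per-action thresholds and the sample coordinates, typing cadences and account history are all assumptions chosen to illustrate the mechanism: each session signal is compared with the account’s baseline, the mismatches add up to a risk score, the confidence score is 100 minus that risk, and a threshold that depends on how sensitive the requested action is decides whether to allow, challenge or terminate.

```python
"""Toy risk-based authentication scorer (added example; all weights, thresholds
and sample data are assumptions, not any vendor's model)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Baseline:
    """What the bank has learned about the legitimate user (assumed values)."""
    home_lat: float
    home_lon: float
    usual_radius_km: float
    usual_device: str               # "desktop" or "mobile"
    typing_ms_per_char: float       # mean inter-keystroke interval
    typing_tolerance_ms: float
    typical_first_actions: frozenset


@dataclass(frozen=True)
class Session:
    """Signals observed in the current session."""
    lat: float
    lon: float
    device: str
    typing_ms_per_char: float
    first_action: str       # first thing done after login
    requested_action: str   # the action being evaluated right now


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Risk points each signal contributes when it fires (assumed weights).
WEIGHTS = {
    "geo_outside_usual_area": 40,
    "device_mismatch": 20,
    "typing_cadence_mismatch": 20,
    "unusual_first_action": 20,
}

# Minimum confidence required before an action proceeds without a challenge;
# the more sensitive the action, the more confidence it demands (assumed).
STEP_UP_BELOW = {"view_balance": 50, "add_payee": 80, "transfer_funds": 90}
DEFAULT_STEP_UP_BELOW = 80


def evaluate_signals(baseline, session):
    """Map each signal name to True when it deviates from the baseline."""
    distance = haversine_km(baseline.home_lat, baseline.home_lon, session.lat, session.lon)
    return {
        "geo_outside_usual_area": distance > baseline.usual_radius_km,
        "device_mismatch": session.device != baseline.usual_device,
        "typing_cadence_mismatch":
            abs(session.typing_ms_per_char - baseline.typing_ms_per_char) > baseline.typing_tolerance_ms,
        "unusual_first_action": session.first_action not in baseline.typical_first_actions,
    }


def confidence_score(baseline, session):
    """0..100 confidence that the session belongs to the account owner."""
    risk = sum(WEIGHTS[name] for name, fired in evaluate_signals(baseline, session).items() if fired)
    return max(0, 100 - risk)


def process_request(baseline, session, step_up_passed=None):
    """Return "allow", "challenge" or "terminate" for the requested action.

    step_up_passed is None on the first pass (no challenge issued yet) and the
    outcome of the extra factor (OOB code, fingerprint, ...) on the second pass.
    """
    threshold = STEP_UP_BELOW.get(session.requested_action, DEFAULT_STEP_UP_BELOW)
    if confidence_score(baseline, session) >= threshold:
        return "allow"
    if step_up_passed is None:
        return "challenge"      # interdiction: the extra factor is asked for only now
    return "allow" if step_up_passed else "terminate"


# Constructed sample data: Gregory banks from Austin, Texas on a desktop.
GREGORY = Baseline(30.2672, -97.7431, 300.0, "desktop", 180.0, 40.0,
                   frozenset({"view_balance", "view_statements"}))
# Gregory at home, checking his balance and then sending money.
LEGIT = Session(30.2672, -97.7431, "desktop", 175.0, "view_balance", "transfer_funds")
# The fraudster: La Paz, Bolivia, on a phone, straight to the payee page.
FRAUD = Session(-16.4897, -68.1193, "mobile", 110.0, "add_payee", "transfer_funds")
# Gregory on a trip to Chicago: only the location signal fires.
TRAVEL_BALANCE = Session(41.8781, -87.6298, "desktop", 190.0, "view_balance", "view_balance")
TRAVEL_TRANSFER = Session(41.8781, -87.6298, "desktop", 190.0, "view_balance", "transfer_funds")

if __name__ == "__main__":
    for label, s in [("legit", LEGIT), ("fraud", FRAUD),
                     ("travel/balance", TRAVEL_BALANCE), ("travel/transfer", TRAVEL_TRANSFER)]:
        print(f"{label:16} score={confidence_score(GREGORY, s):3} -> {process_request(GREGORY, s)}")
    print("fraud after failed step-up ->", process_request(GREGORY, FRAUD, step_up_passed=False))
```

The travelling sessions are the point of the per-action thresholds: a single unusual signal (Gregory in Chicago) leaves him free to view his balance but makes him prove himself before moving money, while the fraudster, who trips every signal, is challenged immediately and terminated when the fingerprint fails. A real deployment would learn the baseline and weights from history rather than hard-code them, and would record which signals fired so that analysts can tune the rules against false positives.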