Risk-based authentication, also commonly referred to as adaptive a0uthentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or authorizations requested. The objective is to try to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong authentication where it is most needed on the other.
For example, a user connecting via a Virtual Private Network (VPN) from his known home network using a company-managed PC will not be required to present any additional authentication credentials beyond those provided by his PC because the connection request is not perceived to be high-risk. A connection from an unknown WiFi during “odd” hours of the day would require the user to produce additional authentication in the form of a password, OTP, or both, because the connection exhibits risk indicators that elevate the perceived risk.
In a consumer context, a user shopping on a merchant app will not be required to present any credentials when accessing the application or adding items to the cart, because these operations pose little risk to the merchant. During checkout, the user would typically be required to present a password or some other credential because it is perceived to be a high-risk operation.
An online banking user will be required to present only a username and password to access her account, but when trying to transfer funds to another account, the user would have to respond to challenge questions or enter an OTP code from the bank-provided OTP key fob.