The Secret Security Wiki


Risk Based Authentication

Risk-based authentication, also commonly referred to as adaptive authentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or of the authorizations requested. The objective is to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong authentication where it is most needed on the other.

For example, a user connecting via a Virtual Private Network (VPN) from his known home network using a company-managed PC will not be required to present any additional authentication credentials beyond those provided by his PC, because the connection request is not perceived to be high-risk. A connection from an unknown WiFi network during “odd” hours of the day would require the user to produce additional authentication in the form of a password, an OTP, or both, because the connection exhibits risk indicators that elevate the perceived risk.

In a consumer context, a user shopping on a merchant app will not be required to present any credentials when accessing the application or adding items to the cart, because these operations pose little risk to the merchant. During checkout, the user would typically be required to present a password or some other credential because it is perceived to be a high-risk operation.

An online banking user will be required to present only a username and password to access her account, but when trying to transfer funds to another account, the user would have to respond to challenge questions or enter an OTP code from the bank-provided OTP key fob.

  • What is user-dependent trust elevation?

    User-dependent trust elevation, or, as OASIS Electronic Identity Credential Trust Elevation refers to it, is a framework that enables relying parties to implement one or more trust elevation methods in order to raise their confidence in the identity of the users requesting access to their online systems.

  • Are RBA and contextual authentication the same?

    RBA and contextual authentication are related concepts, though not exactly the same. Contextual authentication is when the authentication server, in addition to the explicit authentication credential presented to it by the user, also evaluates observable contextual data such as geolocation, IP address and time of day, in order to help establish assurance that the user is valid. RBA is the process of applying an authentication policy that matches the risk perceived for a given connection. Risk is assessed by analyzing contextual data, among other things.

  • Which factors does RBA take into consideration when authenticating?

    Factors analyzed by RBA differ from system to system and by customer policy. Common factors include geographic location, IP address, and device security posture, including the status of anti-virus (AV) updates, jailbreak or root detection on mobile devices, OS version and malware detection. Additional factors considered might be the value of a transaction, whether a connection is coming in from an anonymizing proxy, and more.

  • What Authentication Techniques Are a Best Fit for Risk-Based Authentication?

    RBA can work with any authentication method, but it is usually deployed in conjunction with some form of strong authentication like one-time passwords (OTP) or complex passwords, which are considered onerous to users. By using RBA, users are required to present their strong authentication credentials less often, which generally reduces friction with the user and makes for a better user experience.
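The policy described in the opening examples (home VPN on a managed PC, unknown WiFi at odd hours, shopping cart versus checkout, bank login versus funds transfer) and the factors listed under "Which factors does RBA take into consideration" can be shown as one small decision engine. The following Python is an added example written for this page; it is not code from the wiki or from any product. The signal weights, score thresholds, the "odd hours" window, the 192.0.2.0/24 and 198.51.100.0/24 addresses (IETF documentation ranges) and the scenario contexts are all constructed assumptions that a real deployment would tune to its own policy. It also returns the reasons behind each decision, which is what an operations team needs in the audit log when a user asks why they were challenged.

```python
"""Added example: a minimal risk-based authentication policy engine.

Illustrative code written for this page, not from the wiki or any vendor.
Contextual signals (known network, managed device, time of day, device
posture, anonymizing proxy, operation type, transaction value) are turned
into a risk score, and the score is mapped to the credential the user must
present. All weights and thresholds below are assumed, policy-tunable values.
"""
import ipaddress
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Credential the server demands, from least to most burdensome."""
    NONE = 0          # existing device or session credential is enough
    PASSWORD = 1      # username and password
    OTP = 2           # password plus one-time password
    OTP_AND_KBA = 3   # password, OTP and challenge (knowledge-based) questions


@dataclass
class Context:
    """Observable facts about one connection or operation request."""
    source_ip: str
    known_networks: list[str]        # CIDRs this user has authenticated from before
    managed_device: bool
    hour_of_day: int                 # 0-23 in the user's usual time zone
    av_up_to_date: bool = True
    rooted_or_jailbroken: bool = False
    anonymizing_proxy: bool = False
    operation: str = "browse"        # browse | add_to_cart | checkout | transfer
    transaction_value: float = 0.0


# Assumed risk weights (not from the page). An operation the policy does not
# know is treated as medium risk rather than free, so the engine fails closed.
OPERATION_RISK = {"browse": 0, "add_to_cart": 0, "checkout": 30, "transfer": 50}
UNKNOWN_OPERATION_RISK = 30
HIGH_VALUE_THRESHOLD = 1000.0


def score_request(ctx: Context) -> tuple[int, list[str]]:
    """Return (risk score, reasons) so the decision can be logged and explained."""
    ip = ipaddress.ip_address(ctx.source_ip)
    known_network = any(
        ip in ipaddress.ip_network(n, strict=False) for n in ctx.known_networks
    )
    checks = [  # (signal triggered?, points, reason)
        (not known_network, 30, "unknown network"),
        (not ctx.managed_device, 20, "unmanaged device"),
        (ctx.hour_of_day < 6 or ctx.hour_of_day >= 23, 15, "odd hours"),
        (not ctx.av_up_to_date, 10, "anti-virus signatures out of date"),
        (ctx.rooted_or_jailbroken, 40, "rooted or jailbroken device"),
        (ctx.anonymizing_proxy, 40, "anonymizing proxy"),
        (ctx.transaction_value > HIGH_VALUE_THRESHOLD, 20, "high-value transaction"),
    ]
    score, reasons = 0, []
    for triggered, points, reason in checks:
        if triggered:
            score += points
            reasons.append(reason)
    op_points = OPERATION_RISK.get(ctx.operation, UNKNOWN_OPERATION_RISK)
    if op_points:
        score += op_points
        reasons.append(f"operation: {ctx.operation}")
    return score, reasons


def required_auth(score: int, floor: AuthLevel = AuthLevel.NONE) -> AuthLevel:
    """Map a score to a credential; `floor` is the application's minimum
    (a bank, for instance, always wants at least a password at login)."""
    if score < 30:
        level = AuthLevel.NONE
    elif score < 60:
        level = AuthLevel.PASSWORD
    elif score < 100:
        level = AuthLevel.OTP
    else:
        level = AuthLevel.OTP_AND_KBA
    return max(level, floor)


def decide(ctx: Context, floor: AuthLevel = AuthLevel.NONE) -> tuple[AuthLevel, list[str]]:
    score, reasons = score_request(ctx)
    return required_auth(score, floor), reasons


# Constructed scenarios mirroring the article's examples.
KNOWN = ["192.0.2.0/24"]
HOME_VPN = Context("192.0.2.10", KNOWN, managed_device=True, hour_of_day=14)
CAFE_WIFI_AT_3AM = Context("198.51.100.7", KNOWN, managed_device=False, hour_of_day=3)
SHOP_CART = Context("192.0.2.10", KNOWN, False, 12, operation="add_to_cart")
SHOP_CHECKOUT = Context("192.0.2.10", KNOWN, False, 12, operation="checkout", transaction_value=80.0)
BANK_LOGIN = Context("192.0.2.10", KNOWN, False, 12)
BANK_TRANSFER = Context("192.0.2.10", KNOWN, False, 12, operation="transfer", transaction_value=5000.0)
BANK_TRANSFER_VIA_PROXY = Context("192.0.2.10", KNOWN, False, 12, anonymizing_proxy=True,
                                  operation="transfer", transaction_value=5000.0)

if __name__ == "__main__":
    for name, ctx, floor in [("home VPN", HOME_VPN, AuthLevel.NONE),
                             ("cafe WiFi 03:00", CAFE_WIFI_AT_3AM, AuthLevel.NONE),
                             ("shop: add to cart", SHOP_CART, AuthLevel.NONE),
                             ("shop: checkout", SHOP_CHECKOUT, AuthLevel.NONE),
                             ("bank: login", BANK_LOGIN, AuthLevel.PASSWORD),
                             ("bank: transfer", BANK_TRANSFER, AuthLevel.PASSWORD),
                             ("bank: transfer via proxy", BANK_TRANSFER_VIA_PROXY, AuthLevel.PASSWORD)]:
        level, why = decide(ctx, floor)
        print(f"{name:26s} -> {level.name:12s} {why}")
```

The per-application `floor` is the part worth copying: a risk score should only ever raise the credential above the application's baseline, never lower it, so a quiet-looking bank login still costs a password. Logging the `reasons` list alongside the decision gives a defender the evidence to tune weights (for example, an "unknown network" reason firing on every request from a user who moved house points at a stale known-network list rather than an attack).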