risk-based authentication (RBA)
What is risk-based authentication (RBA)?
Risk-based authentication (RBA) is an authentication method in which varying levels of stringency are applied to a system's authentication process based on the likelihood that access to that system could result in its compromise. As the action perceives a higher level of risk, the authentication process becomes more comprehensive and restrictive to protect the system from unauthorized or malicious access.
Risk-based authentication is a type of adaptive or step-up authentication. Adaptive means that the authentication system first assesses the risk of an authentication request initiated by a user. Based on the assessment, it understands the risk of the connection or authorization being requested and accordingly adapts the authentication mechanism for the user.
After calculating the perceived risk, RBA may request the user to provide additional authentication factors to confirm that they are who they claim to be. These factors may include the following:
- Verification links sent via email.
- One-time password (OTP) codes sent via a text message.
- OTP codes generated by an authenticator app.
- OTP codes generated by a physical authorization security token.
- Security questions and answers (both preset by the authorized user).
- Biometric information, such as fingerprints or face scans.
If the user provides the requested factors and the system validates their identity, they are allowed to access the system. If validation and authentication fail, the user is denied access to the system.
How risk-based authentication works
When a user tries to log into a system or account where RBA is configured, the mechanism analyzes the user's behavior and multiple risk factors, such as the following:
- User's geographic location.
- User's IP address.
- User's device -- familiar or unfamiliar to the account being accessed.
- Sensitivity of the information or account being accessed.
- The status of antivirus software updates on the user's device.
- Presence of anonymizing proxy.
- Transaction value.
- Presence of malware.
- User's history of security incidents.
After analyzing these factors, RBA calculates a risk score, which is a quantified measure of the possibility that the login attempt is illegal or malicious, e.g., hacking. The score is generated in real time and used to perceive the connection as low-risk, medium-risk or high-risk. The authentication requirement presented to the user changes depending on the perceived risk.
Here's how.
Low-risk connections
If RBA determines a low-risk connection, the user is not asked to provide additional authentication factors and they are granted access to the account. A user logging into the account from the same device or location is commonly considered low risk. A virtual private connection (VPN) connection is also considered low-risk.
Medium-risk connections
If the system's risk score indicates medium-level risk, the user is asked to provide additional information to confirm their identity. For example, they may be required to provide their email address or answer additional security questions.
A connection may be perceived as a medium risk if the correct credentials are entered but the user logs into the account from an unfamiliar device. Once the user provides the correct additional information, the system grants them access. If they fail, access will be denied.
High-risk connections
When RBA detects a potentially high-risk connection based on the risk score, it may either ask for additional authentication factors or automatically deny access. Typically, a user logging in from a different location -- such as a country that's known to harbor hackers and cybercriminals -- or during odd hours, e.g., outside working hours, are often perceived as high risk.
Other examples of high-risk transactions include users who try to complete e-commerce transactions and users who attempt to transfer funds from one online bank account to another. In these cases, RBA will ask the user to provide additional credentials for authentication. Failing to do so, they will be denied access to the system and blocked from completing that transaction.
Where risk-based authentication is used
RBA is commonly used to protect sensitive or confidential accounts, such as online bank accounts. Typically, a bank customer who tries to access their account from another country is asked more than the usual number of security questions or is requested to provide additional authentication factors. Many popular email applications, e-commerce sites and social media sites have implemented RBA. Examples include Gmail, Facebook, LinkedIn and Amazon.
Types of risk-based authentication
RBA can be categorized as either user-dependent or transaction-dependent. User-dependent RBA processes employ the same authentication for every session initiated by a given user. The exact credentials that a site or account demands depend on who the user is.
In transaction-dependent RBA processes, different authentication levels may be required of a given user in different situations, based on the sensitivity or risk potential of the transaction.
Benefits of risk-based authentication
Compared to traditional password-only based authentication mechanisms, RBA provides stronger authentication and more reliable account security. By matching authentication to the level of perceived risk, RBA also reduces the risk of account compromise and cyberfraud better than older methods.
Stronger security does not mean additional friction for users. If anything, RBA reduces a user's authentication burden since they are required to provide additional authentication factors only if they are perceived to be medium- or high-risk by the system. Low-risk users are not forced to go through additional security steps by using two-factor authentication (2FA) or multifactor authentication (MFA). Since users must present additional credentials less often, RBA helps improve usability and user experiences.
See how risk-based digital identity benefits CIOs, CMOs and customers and learn about six user authentication types to secure networks.