I wrote a white paper on risk-based authentication: Download it as a PDF:
At conferences and trade fairs, I have run into the term risk-based authentication a lot recently. There is really nothing new to implementing authentication measures that are commensurate in effectiveness with the value of the information to be protected. (Iris scanners to access your email, anyone?) What is new is adding dynamically determined amounts of authentication to mass-market serving systems. These systems are exposed to frequent, wide-reaching attempts of subversion by attackers seeking gain from access to users’ individual information held in users’ accounts. The realization that the average mass-market user cannot be expected to protect their account effectively with strong passwords and avoidance of malware on their personal devices leads to the need to protect access to servers with additional measures that inconvenience users as little as possible.
Have you ever noticed that your web banking interface, on what might seem like random occasions, starts asking you those security questions on file as part of the authentication process, while at other times it jus lets you in with your user ID and password? Likewise, your favorite social network may prompt you to re-authenticate yourself even from a trusted browser session if that session was initiated in North America and suddenly resumes from an IP address believed to belong to an organization in Asia. Those are examples of risk-based authentication — factoring in the context of an authentication attempt (geographical origin, time of day, etc.) and comparing it to a profile of expected parameters.
Using the word risk in risk-based authentication is not completely inappropriate; we are dealing with mechanisms to treat authentication attempts that occur under circumstances indicating that a possible fraud attempt might be underway, i.e. we are perceiving an increased risk for unauthorized access to an account. But I find it somewhat unfortunate. It is possible to employ risk-based authentication solutions without ever properly looking at an organization’s actual risk. The solutions do not perform your due-diligence risk assessment for you. It is simply a fraud detection and reaction mechanism, similar in concept to what payment card issuers do in order to detect potentially fraudulent (risky ;-)) transactions.
I ended up going down the rabbit hole and writing up a (solution and vendor agnostic) white paper to not only dissect the (fairly obvious) mechanisms involved in these authentication schemes, but also provide some advice on how (and to what extent) they can contribute to addressing risk in an organizational context, and how they compare to traditional two-factor authentication. Hopefully, this will help put risk-based authentication solutions and their potential value into some useful context.
Feedback is appreciated, as always!