What is Risk-Based Authentication (RBA)?
Risk-based authentication, or RBA, is a security component of identity and access management (IAM) systems. RBA is a way of authenticating or logging in users by evaluating signals exchanged during the login process in real time. It is typically used in conjunction with another type of access method, usually as a supplement to a username and password-based login.
Traditional IAM systems use authentication methods that generally rely on fixed approaches, such as username and password, two-factor authentication (2FA), or multi-factor authentication (MFA). Risk-based authentication, on the other hand, tailors the authentication process based on the risk score associated with a particular login attempt or transaction.
The purpose of RBA is to reduce the risk of unauthorized access, the leading cause of data breaches, and to protect networks, computer systems, applications, and sensitive data from exposure.
How does risk-based authentication differ from attribute-based access control (ABAC)?
RBA and ABAC are both focused on strengthening protection against inappropriate user access, but they have distinct differences.
RBA focuses on evaluating the risk associated with granting access to a particular resource or system. It assesses factors such as user identity, role, and context to determine the level of risk involved in granting access. Based on this assessment, user access privileges are either granted or denied.
ABAC, on the other hand, relies on the use of attributes or characteristics associated with users, resources, and the environment. It enforces policies that take into account these attributes to make user access decisions. ABAC can consider a wide range of attributes beyond identity and role, often including the time of access, location, and data sensitivity.
Benefits of risk-based authentication
User credentials — username and password combinations — can be easily hacked or stolen. RBA provides IT security and risk professionals a better way to assure a remote user's identity beyond the static password. RBA signals can give an organization increased confidence that it is indeed the correct user logging in.
RBA allows the user login experience to go uninterrupted as it "invisibly" enhances security, which provides a range of benefits:
- Enhanced security: RBA adapts security measures based on the risk score of each authentication attempt. For high-risk transactions or login attempts, more stringent authentication methods can be enforced, such as multi-factor authentication (MFA), biometrics, or one-time passcodes, making it harder for malicious actors to gain unauthorized access.
- User-friendly experience: For low-risk activities, RBA can offer a frictionless user experience by requiring minimal authentication steps. This makes it convenient for users while maintaining strong security for their accounts.
- Reduced user fatigue: Static authentication methods, like requiring MFA for every login, can be a burden to users. RBA reduces security fatigue by only prompting for additional authentication when necessary.
- Adaptive protection: RBA adapts to evolving threats and changing user behaviors. It can detect anomalies, such as unusual login times or locations, and respond with appropriate measures, like stepping up authentication or blocking the suspicious activity.
- Fraud prevention: RBA helps in the early detection and prevention of fraudulent activities, such as account takeover (ATO). It can identify suspicious patterns and behaviors, such as multiple failed login attempts, and take action to protect user accounts.
- Compliance support: Many regulatory frameworks, such as GDPR, CCPA, and HIPAA, require certain security measures. RBA allows organizations to demonstrate a risk-based approach to authentication, which can aid in compliance efforts.
- Improved user privacy: With RBA, user data is analyzed in real time to assess risk, rather than relying on static data. This means that personal data is only used when necessary, reducing the risk of exposure in a data breach.
- Reduced false positives: RBA systems become more accurate over time as they collect and analyze data. This can help reduce false positive alerts, ensuring that legitimate users are not inconvenienced.
By responding to the specific risk levels associated with each authentication attempt, RBA helps organizations maintain a strong security posture in an evolving threat landscape, without impeding the all-important user experience.
How RBA works
Signals are collected: RBA works by gathering signals from the user's mobile device, browser, or application. These signals can include geolocation, browser type, browser release version, browser plug-ins, browser language and settings, mobile phone identifier, cookies, application data, and more. An average risk-based authentication system can include anywhere from five to 50 different signals that are shared with the identity provider.
Signals are analyzed: Collected signals are fed into what is called a "risk engine." The algorithms behind a risk engine are a closely held secret that vendors rarely divulge. The risk engine evaluates the strength of the various signals and produces a risk score. It's not always important for every type of signal to be collected, but higher numbers of signals provide greater identity assurance. The score is typically a number between 0-100 or 0-1000. Based on this number, policy-based decisions can be applied.
A user with an atypically high score — perhaps logging in from an unusual time zone — can be asked for supplemental proof of their identity, like entering a one-time code sent to their mobile phone number of record. This process is known as step-up authentication. Users can be denied access outright if their score is deemed too risky. On the other hand, if there is nothing anomalous about the login, users can proceed easily and seamlessly. Some risk engines will place a security cookie (if allowed) on the user's browser to prevent replay attacks or man-in-the-middle attacks.
The user experience: The login experience is typically not interrupted with RBA, with users entering a username and password, as usual. Most RBA systems have a "learning" period, where RBA is turned on and silently evaluates user logins over a period of time. Once the risk engine has sufficiently "learned" how a particular organization's users behave, the RBA can go into action.
Once this happens, users are usually informed that new, enhanced security protocols are going into effect. Users are asked to enroll a supplemental authentication method, like email or mobile phone number, in the event that a step-up authentication is required in the future. Other than that, the user experience is typically unchanged.
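The flow described above (a silent learning period, signals scored by a risk engine into a 0-100 number, and policy thresholds that allow, step up, or deny) can be illustrated with a toy risk engine. The code below is an added example written for this explanation, not any vendor's engine or code from the original page; the signal names, the point weights, the thresholds, and the login history it learns from are all constructed assumptions chosen to make the decisions easy to follow.

```python
"""Toy risk engine for risk-based authentication (hypothetical example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginSignals:
    """Signals a browser or app shares with the identity provider (constructed)."""
    user: str
    country: str          # derived from geolocation
    device_id: str        # persistent device cookie / mobile identifier
    browser: str          # browser type and release version
    hour: int             # local hour of the attempt, 0-23
    failed_attempts: int  # failed password tries immediately before this one


@dataclass
class UserBaseline:
    """What the engine learned about one user during the silent learning period."""
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    browsers: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)


class RiskEngine:
    # Assumed weights: each anomaly adds points to a 0-100 risk score.
    WEIGHTS = {
        "unknown_country": 40,
        "unknown_device": 30,
        "unknown_browser": 10,
        "unusual_hour": 15,
        "failed_attempt": 10,   # per failed attempt, at most 3 counted
    }
    NO_BASELINE_SCORE = 50      # assumed: a user with no history cannot be vouched for
    STEP_UP_AT = 30             # assumed policy thresholds on the score
    DENY_AT = 70
    HOUR_TOLERANCE = 2          # hours either side of a seen hour count as usual

    def __init__(self) -> None:
        self.baselines: Dict[str, UserBaseline] = {}

    def learn(self, history: List[LoginSignals]) -> None:
        """Learning period: record observed behaviour, make no decisions."""
        for s in history:
            b = self.baselines.setdefault(s.user, UserBaseline())
            b.countries.add(s.country)
            b.devices.add(s.device_id)
            b.browsers.add(s.browser)
            b.hours.add(s.hour)

    def score(self, s: LoginSignals) -> Tuple[int, List[str]]:
        """Return (score, reasons) for one login attempt, score capped at 100."""
        b = self.baselines.get(s.user)
        if b is None:
            return self.NO_BASELINE_SCORE, ["no_baseline"]
        reasons: List[str] = []
        if s.country not in b.countries:
            reasons.append("unknown_country")
        if s.device_id not in b.devices:
            reasons.append("unknown_device")
        if s.browser not in b.browsers:
            reasons.append("unknown_browser")
        # Compare on a 24-hour circle so 23:00 and 00:00 are one hour apart.
        def hour_gap(h: int) -> int:
            d = abs(s.hour - h)
            return min(d, 24 - d)
        if not any(hour_gap(h) <= self.HOUR_TOLERANCE for h in b.hours):
            reasons.append("unusual_hour")
        points = sum(self.WEIGHTS[r] for r in reasons)
        failed = min(s.failed_attempts, 3)
        if failed:
            reasons.append(f"failed_attempts:{failed}")
            points += failed * self.WEIGHTS["failed_attempt"]
        return min(points, 100), reasons

    def decide(self, s: LoginSignals) -> dict:
        """Apply the policy: allow, step-up authentication, or deny."""
        score, reasons = self.score(s)
        if score >= self.DENY_AT:
            decision = "deny"
        elif score >= self.STEP_UP_AT:
            decision = "step_up"
        else:
            decision = "allow"
        return {"score": score, "decision": decision, "reasons": reasons}


# Constructed learning-period history for one user.
HISTORY = [
    LoginSignals("alice", "US", "dev-a1", "Firefox/118", 9, 0),
    LoginSignals("alice", "US", "dev-a1", "Firefox/118", 10, 0),
    LoginSignals("alice", "US", "dev-a2", "Firefox/118", 14, 0),
]


def build_engine() -> RiskEngine:
    """Engine that has finished its learning period on HISTORY."""
    engine = RiskEngine()
    engine.learn(HISTORY)
    return engine


if __name__ == "__main__":
    engine = build_engine()
    attempts = [
        LoginSignals("alice", "US", "dev-a1", "Firefox/118", 10, 0),   # routine
        LoginSignals("alice", "DE", "dev-a1", "Firefox/118", 16, 0),   # new country
        LoginSignals("alice", "DE", "dev-z9", "Chrome/117", 3, 4),     # everything off
        LoginSignals("bob", "US", "dev-b1", "Safari/17", 12, 0),       # no baseline
    ]
    for a in attempts:
        print(a.user, engine.decide(a))
```

The "reasons" list is the part a defender wants in the audit log: a step-up or deny should be explainable to the user and reviewable afterwards, and the weights are the knobs you tune when the learning period shows too many false positives.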
A brief history of RBA
Risk-based authentication has been around since the early 2000s. It was originally embraced by banks and other financial organizations as a way to supplement password-based logins without having to issue hardware tokens. Since issuing tens of thousands of hardware-based authenticator tokens to consumers would be cost prohibitive and create numerous user issues (lost tokens, account lockout), a more seamless and invisible way was required. RBA was developed and embraced by financial institutions, which still use it to this day.