Traditional identity and access management strategies aren't enough anymore. As modern threats continue to emerge and evolve, organizations need a multitude of authentication technologies to control and grant access to their resources, including multi-factor authentication.
Multi-factor authentication has long been a staple for “secure” access to resources. It is usually a combination of at least two of the following:
- Something you know (e.g. password, PIN, or pattern)
- Something you have (e.g. smart card, mobile phone, X.509 certificate, hard token)
- Something you are (e.g. biometrics)
That makes it much stronger authentication than a username and password alone.
Combining multiple factors of authentication isn’t always easy. Deploying many of these options entails significant administrative overhead and introduces user-unfriendly authentication workflows. As a result, an alternate strategy called risk-based authentication has found widespread acceptance in the consumer market because it offers a low-cost, low-friction approach to authentication.
Risk-based authentication solutions often are a lighter-weight option to increase security in front of resources. These solutions focus on analyzing each login attempt, creating a “risk score” for the access attempt, and then comparing this score against configured and allowable risk thresholds.
Creating Risk Thresholds
There are many ways to build a risk-based authentication score, and some can be combined with other traditional multi-factor authentication options to increase your security posture. A typical score can estimate risk associated with a login attempt based on a user’s standard login profile, evaluating factors like their login history, device, geographic location, resource they are trying to access, device fingerprint and IP address.
Often, there will be geo-velocity calculations that evaluate impossible events like a login in California followed by a login in the United Kingdom four hours later.
If the risk evaluation appears suspicious, the level of authentication can be stepped up to include an additional factor (e.g. phone call, SMS, e-mail), or the user can simply be stopped from proceeding altogether.
Some examples of risk-based authentication analysis are presented below:
- Employees logging into a low value application consistently day in and day out using the same laptop, at roughly the same time of day, from the same location and IP address will have a low risk score.
- An attempt to access a high value resource during off hours on a mobile device, from a country associated with intellectual property theft, could yield an elevated risk score.
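As an added illustration (not code from the original post or any vendor's product), here is a Python sketch of the scoring described above: it weights the profile signals listed (device, IP address, time of day, resource value, country) and adds a geo-velocity check that flags the California-to-UK-in-four-hours case. The weights, the allow/step-up/deny thresholds and the 1,000 km/h plausibility limit are constructed assumptions, and timestamps are treated as UTC for simplicity.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed tuning values for illustration only; a real deployment would calibrate them.
MAX_PLAUSIBLE_KMH = 1000        # faster than airline travel => "impossible" geo-velocity
ALLOW_BELOW, DENY_AT = 30, 60   # score < 30 allow, 30..59 step-up, >= 60 deny

@dataclass
class Login:
    ts: datetime          # assumed UTC
    device: str           # device fingerprint / identifier
    ip: str
    country: str
    lat: float
    lon: float
    resource_value: str = "low"   # "low" or "high"

@dataclass
class Profile:
    known_devices: set
    known_ips: set
    home_country: str
    work_hours: range                 # hours (UTC) considered normal for this user
    last_login: "Login | None" = None # most recent successful login, for geo-velocity

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations in kilometres."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev, cur: Login) -> bool:
    """True when the distance from the previous login could not be covered in the time elapsed."""
    if prev is None:
        return False
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    km = haversine_km(prev, cur)
    return km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH)

def risk_score(p: Profile, cur: Login) -> int:
    """Sum the weights of every signal that deviates from the user's standard login profile."""
    checks = [
        (cur.device not in p.known_devices, 20),   # unfamiliar device fingerprint
        (cur.ip not in p.known_ips, 10),           # unfamiliar IP address
        (cur.ts.hour not in p.work_hours, 15),     # off-hours access
        (cur.resource_value == "high", 15),        # sensitivity of the target resource
        (cur.country != p.home_country, 20),       # unexpected geography
        (impossible_travel(p.last_login, cur), 40) # geo-velocity violation
    ]
    return sum(weight for hit, weight in checks if hit)

def decide(score: int) -> str:
    return "allow" if score < ALLOW_BELOW else "step-up" if score < DENY_AT else "deny"
```

The routine office login from the first bullet scores 0 and is allowed, while a login from London four hours after one from Los Angeles on an unknown phone against a high-value resource trips the geo-velocity check and is denied.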
As your organization looks for authentication and access control solutions for its various consumer, enterprise, or partner authentications, consider risk-based authentication as a lightweight solution that offers a dynamic response to modern day threats.