Risk-based Authentication in Daily Life

Risk-based authentication considers factors such as where a user is logging in from, what type of transaction is being performed, and whether the device is trusted.

30 September 2014


Life is full of risks, and we have all experienced them more than ever this year, in both our personal and professional lives, amid the many different online banking, credit card, retail, social media and healthcare cybercrime attacks. In fact, I feel as if I’m changing my credit and debit cards more often than the oil in my car these days!

When you think about the notion of risk as it applies to authentication, a risk-based authentication approach is one of the simplest and most transparent measures to secure your users. The concept of risk-based authentication is very similar to what you already do in your everyday life. For example, what is your risk tolerance for investing, buying a house, or posting information on social media? Or let’s take an even simpler analogy. When you drive home tonight and see a yellow light, will you speed up or stop? Many variables will go into your decision, such as weather conditions and traffic levels. Your mind acts as a self-contained “risk engine”, processing these variables to derive a risk decision.

Risk-based authentication applies similar logic when looking at the risk of an identity. It factors in a variety of variables to answer two very simple questions: Do I trust you? And by how much? Risk-based authentication considers factors such as where a user is logging in from, what type of transaction is being performed, whether this is the time of day we typically see this user, and whether the device is “trusted” or known to be fraudulent.

Beyond deriving a risk score from these attributes, risk-based authentication goes a step further: it compares your current login attempt with historical requests to instantly return a risk decision.
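A minimal risk engine along these lines, as an added example that is not from the original article: it scores a login attempt on the factors named above (location, transaction type, time of day, device) and compares it with the user's earlier logins. The weights, thresholds, field names, the "previously seen device counts as trusted" rule and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

# All weights, thresholds and field names below are illustrative assumptions.
TRANSACTION_RISK = {"view_balance": 0, "change_password": 20, "wire_transfer": 35}
STEP_UP_AT, DENY_AT = 30, 70

@dataclass(frozen=True)
class Login:
    user: str
    country: str
    hour: int          # 0-23, local time of the request
    device_id: str
    transaction: str

def assess(attempt, history, fraud_devices):
    """Score one login attempt against the user's earlier successful logins."""
    if attempt.device_id in fraud_devices:
        return 100, "deny"                      # known-fraudulent device: no further scoring
    past = [h for h in history if h.user == attempt.user]
    score = TRANSACTION_RISK.get(attempt.transaction, 35)  # unknown types treated as high risk
    if not past:
        score += 40                             # no baseline yet: treat as unfamiliar
    else:
        if attempt.country not in {h.country for h in past}:
            score += 30                         # location never seen for this user
        if attempt.device_id not in {h.device_id for h in past}:
            score += 25                         # device not previously seen, so not trusted
        # hour is "normal" if within 2h of any earlier login, wrapping at midnight
        if all(min(abs(attempt.hour - h.hour), 24 - abs(attempt.hour - h.hour)) > 2 for h in past):
            score += 15
    score = min(score, 100)
    decision = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return score, decision

# Constructed sample data (not real users or devices).
HISTORY = [
    Login("alice", "US", 9, "laptop-1", "view_balance"),
    Login("alice", "US", 18, "phone-1", "wire_transfer"),
]
FRAUD_DEVICES = {"dev-bad-9"}

if __name__ == "__main__":
    for a in (
        Login("alice", "US", 10, "laptop-1", "view_balance"),
        Login("alice", "US", 19, "tablet-7", "change_password"),
        Login("alice", "NZ", 3, "tablet-7", "wire_transfer"),
    ):
        print(a, "->", assess(a, HISTORY, FRAUD_DEVICES))
```

A "step_up" decision is where a deployment would ask for a second factor rather than block the user outright.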

Risk-based authentication has been used in the financial services industry for over a decade now and has been critical in helping institutions significantly reduce losses from cybercriminal attempts to access accounts using stolen identities. As a result of the success in the financial industry, risk-based authentication is emerging in other highly regulated industries such as healthcare and retail where strong authentication is required to protect access to Web and mobile applications and cloud-based services.

Just as a risk engine is used in risk-based authentication to automate risk decisions, it is likely you will be using your own risk engine tonight when you decide to slow down or speed up at that yellow light on your evening commute home.