What's your take on the development of risk-based authentication? The concept has been around for years, but has the concept (and the vendor market) matured to the point where it's worth considering for large enterprises?
Risk-based authentication -- the ability to determine the proper authentication checks needed for accurate identification of a user based on certain risk criteria, such as geographic location, IP address, system configuration and system services currently running (i.e., antivirus software) -- has been maturing slowly over time. The good news is that, yes, it is worth considering for large enterprises, but with certain caveats.
Ask the Expert
Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, is standing by to answer your toughest enterprise IAM questions. Send in your questions today! (All questions are anonymous.)
Risk-based authentication software and services can be expensive to implement, therefore they generally are more appropriate for smaller populations that need access to high-value data. Additionally, the rules for determining what risk criteria an organization will use to decide what constitutes suitable validation for access to the data requires much thought and testing before being released to the organization's users. However, if your company has such a population, especially one with which the company only has a weak relationship, such as a retail customer, risk-based authentication can be a godsend.
A good example of where risk-based authentication is extensively used today is on banking websites. After a customer registers for access to his or her account, if he or she checks the account from a remote location not previously used to access the account or uses a system never used before, the risk-based authentication system recognizes this fact. The user is not only required to enter his or her authentication information, but may also be asked a security validation question or prompted for additional information on file, such as the user's zip code or mail code.
Risk-based authentication services are not only viable, but have also saved many people from having sensitive information become compromised because the system identified that the person entering a valid credential did not match the profile the system created.
This was first published in August 2012