
Risk-based authentication vs. static authentication

How do risk-based authentication methods differ from static authentication methods? SearchSecurity's resident identity management and access control expert tackles this question in this Ask the Expert Q&A.

What is risk-based authentication and how does it differ from "regular" authentication methods?

If by "regular" authentication, you mean static methods, like user IDs and passwords, then it mostly differs from risk-based authentication in its implementation.

Risk-based authentication means using different authentication based on a risk analysis of a system, rather than simply slapping a user ID and password on all your systems, no matter where they're located or how they're used. The higher the risk, the stronger the authentication should be. When performing a risk assessment of a network or system, consider the following questions:

  • Who has access to the system? Is it a small, restricted group of employees in one department, or thousands of customers around the country? The larger the circle of users, the greater the risk.
  • What type of data does it hold? If it has sensitive customer information – names, addresses, Social Security numbers and the like – increase the security level. If it's marketing data that can't be traced back to your customers or employees, lower the security level a bit.
  • Where are the servers hosting the data located in your network? Are they publicly accessible Web or application servers sitting in your firewall's DMZ, or are they buried deep inside your network in a dark corner of your data center where cobwebs dangle from the ceiling?
  • Is the application Web-based, and what does it do? If it's a catalog with a shopping cart, or a banking application, increase the security level. If it's a picture of your product, or "brochureware," you can lower the security level.

Once the level of risk is established, you can decide what authentication method is suitable and how to deploy it.

For higher-risk applications – those with customer data access, or Web applications for financial institutions – a two-factor authentication method may be in order. For other systems in your network, where the risk is lower, the venerable user ID and password might be just enough.
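The following is an added example, not code from the original answer or from SearchSecurity: a small risk-based authentication policy that scores a system on the four questions above (who, what, where, and what kind of application) and maps the total to the authentication strength it should enforce. The weights, the MFA threshold and the inventory are illustrative assumptions chosen for this example, not a published standard; in practice you would tune them to your own risk assessment.

```python
"""Added example: risk-based authentication policy.

Scores a system on the four questions from the answer above and returns
the weakest acceptable authentication method.  Every weight, threshold
and inventory entry below is an assumption made for this example."""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0      # brochureware, product pictures
    INTERNAL = 1    # marketing data not traceable to people
    PERSONAL = 3    # names, addresses, Social Security numbers
    FINANCIAL = 4   # account or payment data


class Zone(Enum):
    INTERNAL_LAN = 0  # buried deep inside the network
    DMZ = 2           # publicly reachable Web or application tier


class AppType(Enum):
    STATIC = 0         # brochureware
    INTERNAL_TOOL = 1  # back-office application
    TRANSACTIONAL = 2  # shopping cart, banking


@dataclass(frozen=True)
class System:
    name: str
    user_count: int          # people who can log in, not anonymous visitors
    sensitivity: Sensitivity
    zone: Zone
    app_type: AppType
    current_auth: str        # what is deployed today: "password" or "mfa"


MFA_THRESHOLD = 4  # assumed cut-off: a score of 4 or more requires two-factor


def population_score(user_count: int) -> int:
    """Who has access?  The larger the circle of users, the higher the score (0..3)."""
    if user_count <= 50:
        return 0
    if user_count <= 1_000:
        return 1
    if user_count <= 100_000:
        return 2
    return 3


def risk_score(s: System) -> int:
    """Sum the four factors; range 0..11 with the weights above."""
    return (population_score(s.user_count)
            + s.sensitivity.value
            + s.zone.value
            + s.app_type.value)


def required_auth(score: int) -> str:
    """Map a risk score to the weakest acceptable authentication method."""
    return "mfa" if score >= MFA_THRESHOLD else "password"


def audit(systems):
    """Return (name, score, required, current, compliant) for each system.

    "mfa" satisfies a "password" requirement; the reverse does not."""
    rank = {"password": 0, "mfa": 1}
    rows = []
    for s in systems:
        score = risk_score(s)
        need = required_auth(score)
        compliant = rank[s.current_auth] >= rank[need]
        rows.append((s.name, score, need, s.current_auth, compliant))
    return rows


# Constructed inventory mirroring the kinds of systems the answer describes.
INVENTORY = [
    System("brochure-site", 5, Sensitivity.PUBLIC, Zone.DMZ,
           AppType.STATIC, "password"),
    System("marketing-analytics", 40, Sensitivity.INTERNAL, Zone.INTERNAL_LAN,
           AppType.INTERNAL_TOOL, "password"),
    System("hr-records", 30, Sensitivity.PERSONAL, Zone.INTERNAL_LAN,
           AppType.INTERNAL_TOOL, "password"),
    System("web-store", 20_000, Sensitivity.PERSONAL, Zone.DMZ,
           AppType.TRANSACTIONAL, "password"),
    System("online-banking", 250_000, Sensitivity.FINANCIAL, Zone.DMZ,
           AppType.TRANSACTIONAL, "mfa"),
]

if __name__ == "__main__":
    for name, score, need, have, ok in audit(INVENTORY):
        print(f"{name:20} score={score:2}  requires={need:8}  "
              f"has={have:8}  {'OK' if ok else 'GAP'}")
```

Running the audit flags the two systems that hold personal data but still rely on a password alone (the internal HR database and the public Web store), while the brochure site and the internal marketing tool stay at the lower level. Note that the HR system lands on MFA even though it sits on the internal LAN with a small user base, because the data-sensitivity factor alone carries it over the threshold; that is the intended behaviour of the "increase the security level for sensitive customer information" rule, and adjusting the weights is how you would express a different appetite for risk.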

MORE INFORMATION:

  • Learn how to define risk and conduct a risk analysis in this risk management technical guide.
  • Explore the myriad authentication options.

This was first published in July 2006.
