Risk-based authentication vs. static authentication

BROWSE BY TAG Identity Management and Access Control,   Enterprise User Provisioning Tools,   Enterprise Identity and Access Management,   Identity Management Technology and Strategy,   Expert Archive: Identity Management and Access Control,   Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control IT business justification to limit network access Prevent password cracking with password management strategies Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Enterprise User Provisioning Tools Quiz: Compliance-driven role management Identity lifecycle management for security and compliance Content-aware IAM: Uniting user access and data rights Is Identity Management as a Service (IDaaS) a good idea? Top tactics for endpoint security How to edit group policy objects to give a user local admin rights Privileged account management critical to data security Making the case for enterprise IAM centralized access control Lesson 3: How to implement secure access Best practices for a privileged access policy to secure user accounts Expert Archive: Identity Management and Access Control Enterprise password management policy: Finding the balance How to conduct a periodic user access review for account privileges Options for a mechanical door security system on a server room door Comparing access control mechanisms and identity management techniques User provisioning and SSO for PeopleSoft- and Unix-based products Could someone place a rootkit on an internal network through a router? Should a new user have to confirm an email address to gain access? Can home PCs provide a way for viruses and spyware to enter a corporate LAN? What should an enterprise look for in a password token and a vendor? Using batch files for temporary user access to the local admin group

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary AAA server  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) federated identity management  (SearchSecurity.com) logon  (SearchSecurity.com) onboarding and offboarding  (SearchSecurity.com) password synchronization  (SearchSecurity.com) RADIUS  (SearchSecurity.com) role mining  (SearchSecurity.com) role-based access control (RBAC)  (SearchSecurity.com) user profile  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

If by "regular" authentication, you mean static methods, like user IDs and passwords, then it mostly differs from risk-based authentication in its implementation.

Risk-based authentication means using different authentication based on a risk analysis of a system, rather than simply slapping a user ID and password on all your systems, no matter where they're located or how they're used. The higher the risk, the stronger the authentication should be. When performing a risk assessment of a network or system, consider the following questions:

• Who has access to the system? Is it a small, restricted group of employees in one department, or thousands of customers around the country? The larger the circle of users, the greater is the risk.
• What type of data does it hold? If it has sensitive customer information – names, addresses, social security numbers and the like – increase the security level. If it's marketing data that can't be traced back to your customers or employees, lower the security level a bit.


• Where are the servers hosting data located in your network? Are they publicly accessible Web or application servers sitting in your firewall's DMZ, or are they buried deep inside your network in a dark corner of your data center where cobwebs dangle from the ceiling?


• Is the application Web-based and what does it do? If it's a catalog with a shopping cart, or a banking application, increase the security level. If it's a picture of your product, or "brochureware," you can lower the security level.

For higher risk applications – those with customer data access, Web applications for financial institutions – then a two-factor authentication method may be in order. For other systems in your network, where the risk is lower, the venerable user ID and password might be just enough.

MORE INFORMATION: