Information Security maga

Risk-based authentication

The concept of risk-based authentication is becoming popular for some online business-to-consumer transactions, particularly those conducted with banks and other financial services firms. It involves two key ideas: device profiling and behavioral analytics.

Let's assume that a bank is utilizing risk-based authentication. First, it gathers a basic profile of the computer the customer typically uses to do online banking, learning things like the machine's MAC address and settings. The bank also begins to understand a customer's normal pattern of behavior, such as when he might typically log on or the types of transactions he usually conducts. Should a customer deviate from normal behavior -- perhaps by logging on from a different machine in a different country or attempting to transfer an unusually large sum of money -- the session would get a higher risk score, which could trigger the need for an additional form of authentication. This might mean the customer has to answer a challenge-response question or that the bank will want to authenticate the user by phone.

In short, it is simply sequential, or matrix-based, authentication. That said, risk-based authentication can face pitfalls, such as the fact that spouses often access shared accounts on different computers and travelers occasionally log on from unexpected locations.
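The scoring flow described above can be sketched as follows. This is an added example, not code from the original article or from any bank's system; the weights, thresholds, field names and the opaque device identifier are all illustrative assumptions. Keeping a set of known devices and countries per account, and enrolling new ones only after a successful step-up, is one way to soften the shared-account and traveler pitfalls.

```python
from dataclasses import dataclass, field

# Illustrative assumptions: weights and thresholds are not from the article.
WEIGHTS = {"new_device": 40, "new_country": 30, "odd_hour": 10, "large_transfer": 30}
CHALLENGE_AT, PHONE_AT = 40, 70

@dataclass
class Profile:
    devices: set = field(default_factory=set)      # every device seen on the account
    countries: set = field(default_factory=set)    # countries of past logins
    login_hours: set = field(default_factory=set)  # hours of day (0-23) of past logins
    typical_max_transfer: float = 0.0

@dataclass
class Session:
    device: str
    country: str
    hour: int
    transfer: float = 0.0

def risk_signals(p, s):
    """Return the names of the deviations from the customer's profile."""
    signals = []
    if s.device not in p.devices:
        signals.append("new_device")
    if s.country not in p.countries:
        signals.append("new_country")
    # "Usual" login time: within two hours of any previously seen hour.
    if not any(min((s.hour - h) % 24, (h - s.hour) % 24) <= 2 for h in p.login_hours):
        signals.append("odd_hour")
    if s.transfer > 3 * p.typical_max_transfer:
        signals.append("large_transfer")
    return signals

def decide(p, s):
    """Map the summed risk score to allow, challenge question, or phone call."""
    score = sum(WEIGHTS[x] for x in risk_signals(p, s))
    action = ("phone_call" if score >= PHONE_AT
              else "challenge_question" if score >= CHALLENGE_AT else "allow")
    return score, action

def enroll(p, s):
    """After a successful step-up, remember this device, country and hour."""
    p.devices.add(s.device)
    p.countries.add(s.country)
    p.login_hours.add(s.hour)

# Constructed sample profile: one laptop, one country, morning and evening logins.
SAMPLE = Profile({"laptop-A"}, {"US"}, {8, 19}, 500.0)
```

A second household computer scores as a new device once, gets a challenge question, and is then treated as known; an unknown device in a new country attempting a large transfer crosses the higher threshold and triggers the phone call.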

This was first published in August 2006
