Problem solve Get help with specific problems with your technologies, process and projects.

Risk-based authentication vs. static authentication

How does risk-based authentication methods differ from static authentication methods? SearchSecurity's resident identity management and access control expert tackles this question in this Ask the Expert Q&A.

What is risk-based authentication and how does it differ from "regular" authentication methods?

If by "regular" authentication, you mean static methods, like user IDs and passwords, then it mostly differs from risk-based authentication in its implementation.

Risk-based authentication means using different authentication based on a risk analysis of a system, rather than simply slapping a user ID and password on all your systems, no matter where they're located or how they're used. The higher the risk, the stronger the authentication should be. When performing a risk assessment of a network or system, consider the following questions:

    • Who has access to the system? Is it a small, restricted group of employees in one department, or thousands of customers around the country? The larger the circle of users, the greater is the risk.

  • What type of data does it hold? If it has sensitive customer information – names, addresses, social security numbers and the like – increase the security level. If it's marketing data that can't be traced back to your customers or employees, lower the security level a bit.

  • Where are the servers hosting data located in your network? Are they publicly accessible Web or application servers sitting in your firewall's DMZ, or are they buried deep inside your network in a dark corner of your data center where cobwebs dangle from the ceiling?

  • Is the application Web-based and what does it do? If it's a catalog with a shopping cart, or a banking application, increase the security level. If it's a picture of your product, or "brochureware," you can lower the security level.

Once the level of risk is established, you can decide what authentication method is suitable and how to deploy it.

For higher risk applications – those with customer data access, Web applications for financial institutions – then a two-factor authentication method may be in order. For other systems in your network, where the risk is lower, the venerable user ID and password might be just enough.


This was last published in July 2006

Dig Deeper on Privileged access management