risk-based authentication (RBA)

Contributor(s): Stan Gibilisco

Risk-based authentication (RBA) is a method of applying varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised. As the level of risk increases, the authentication process becomes more comprehensive and restrictive.


You may have experienced risk-based authentication if you've ever accessed your bank account from another country and were asked more than the usual number of security questions. Common criteria for assessing risk include geographic location, IP address and the status of antivirus software.

When performing a risk assessment for a network or Web site, an administrator should take into account the following factors:

  • The size of the system, in terms of the number of users. As a system grows larger, the chance of a breach increases.
  • The extent to which the system is critical to maintaining the operation of the organization. The most critical systems carry the greatest risk of serious damage in the event of a breach.
  • The ease with which data can be compromised or the system cracked by someone with the means and intent to do so. Ideally, protective measures such as firewalls and antivirus software should be robust and up-to-date, but these measures are not always given top priority when budgets are tight.
  • The relative sensitivity of the data that the system contains. Vital customer information such as names, addresses, and Social Security numbers requires enhanced protection.

Risk-based authentication can be categorized as either user-dependent or transaction-dependent. User-dependent RBA processes employ the same authentication for every session initiated by a given user; the exact credentials that the site demands depend on who the user is. In transaction-dependent RBA processes, different authentication levels may be required of a given user in different situations, based on the sensitivity or risk potential of the transaction.
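To make the two categories concrete, here is an added example (not from the original article or any vendor product) of a small policy engine that scores a session on the three signals named above and maps it to an authentication tier. The profiles, transaction sensitivities and equal signal weights are constructed assumptions; a user-dependent policy returns the same tier every session, while the transaction-dependent policy escalates from that baseline.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Stringency tiers; a higher value is more comprehensive and restrictive."""
    PASSWORD = 1            # password only
    SECURITY_QUESTIONS = 2  # password plus extra security questions
    SECOND_FACTOR = 3       # password plus an out-of-band second factor


@dataclass
class SessionContext:
    """Signals named in the text: geographic location, IP address, antivirus status."""
    user_id: str
    country: str
    ip: str
    antivirus_current: bool


# Constructed sample data (assumption): usual country, addresses seen before, and
# the baseline tier a user-dependent policy assigns to each user.
PROFILES = {
    "alice": {"home_country": "US", "known_ips": {"203.0.113.7"}, "baseline": AuthLevel.PASSWORD},
    "admin": {"home_country": "US", "known_ips": {"198.51.100.2"}, "baseline": AuthLevel.SECOND_FACTOR},
}

# Constructed transaction sensitivities (0 = read-only, 2 = moves money).
TRANSACTION_SENSITIVITY = {"view_balance": 0, "change_address": 1, "wire_transfer": 2}


def user_dependent_level(user_id: str) -> AuthLevel:
    """User-dependent RBA: the tier depends only on who the user is, every session."""
    return PROFILES.get(user_id, {"baseline": AuthLevel.PASSWORD})["baseline"]


def session_risk(ctx: SessionContext) -> int:
    """Count the risk signals present; equal weights are an assumption."""
    profile = PROFILES.get(ctx.user_id, {"home_country": None, "known_ips": set()})
    score = 0
    score += ctx.country != profile["home_country"]  # access from another country
    score += ctx.ip not in profile["known_ips"]       # never-before-seen address
    score += not ctx.antivirus_current                # endpoint posture check failed
    return score


def transaction_dependent_level(ctx: SessionContext, transaction: str) -> AuthLevel:
    """Transaction-dependent RBA: escalate one tier per two points of combined
    session risk and transaction sensitivity, capped at the top tier."""
    points = session_risk(ctx) + TRANSACTION_SENSITIVITY.get(transaction, 2)  # unknown = sensitive
    level = user_dependent_level(ctx.user_id) + points // 2
    return AuthLevel(min(level, AuthLevel.SECOND_FACTOR))
```

The bank scenario from the text is the second case: the same user, from a new country and address, is stepped up from a password to security questions, and to a second factor only when also moving money.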

This was last updated in December 2014

Next Steps

Weak passwords just don't cut it in today's hackable web world, and alliances like FIDO are trying to change that. High-risk applications, such as those handling customer data and financial transactions, may require stronger security such as two-factor authentication. Products such as Symantec Validation and Identity Access Manager, and the incorporation of IAM into the AWS platform, illustrate how important authentication methods that support risk-based decisions are, not only for users but also for protecting the company. Risk-based multifactor authentication implementations can, however, be a hard sell to enterprise executives and users alike. To learn more about MFA, start with a primer on multifactor authentication in the enterprise, then read our comparison of MFA tools for an overview of popular products, and learn how to build a business case for MFA.



What should be the biggest factor when assessing the risk of a system?
The single most important aspect of risk assessment and management is the process of identifying risks. If a team is unable to identify risks, they cannot then even begin to think about mitigation. The most dangerous attack or vulnerability is one which goes undiscovered, meaning it can be exploited without any administrator's knowledge, whereas a risk found, whether or not it can be mitigated, can be discovered by an administrator.
The answer to the question depends on the nature of the system and the motivation of the most probable bad actors. Though both of these can be boiled down to "What is most valuable?"

Value in this case must be judged like profit. How much will it cost the bad actor to perform the attack, and what will they gain from it? Assessing this information unlocks the ability to determine which factors will address 'cost of attack' and 'payoff of attack'.

This is of course a simplistic view, trying to answer a very broad question that lacks a universal answer. Consider how different the situations can be assuming identical targets but differently motivated attackers: government actors, corporate spies, hacktivists, profiteers, etc. For each of these types of actors, the nature of their costs, risks and motivation change dramatically.

My best answer? "It depends" 
