User authentication is the process of verifying a user’s identity to make sure they are who they claim to be. Before an organization can enforce role-based access controls (RBAC), it needs to authenticate the user so that it can apply the appropriate access permissions based on the user’s role. One of the common challenges in authentication systems is balancing security and convenience. Overly complex authentication systems harm the user experience, while systems optimized for convenient access may offer inadequate protection. Risk-based authentication addresses this challenge by tailoring the process to the user’s behavior.
For example, users logging in from a known device and location may be presented with a straightforward password authentication experience. However, users demonstrating high-risk behavior — such as logging in from an unusual location or at an odd time — undergo a more stringent authentication process.
Risk-Based Authentication (RBA) is a valuable complement to single sign-on (SSO) services and zero-trust architecture (ZTA). A zero-trust architecture ensures that every session is authenticated, authorized, and encrypted. A single sign-on system allows users to use the same authentication mechanism for a variety of services, creating an easier experience for the user while avoiding the security hazards of credential reuse. Risk-based authentication can enable the SSO service to vary the authentication requirements based on perceived risk.
This article explores risk-based authentication in detail and discusses six best practices.
What is Risk-Based Authentication?
A risk-based authentication system uses real-time intelligence to assess the context behind every user login. Based on the user’s behavior, the system determines whether the user should log in through the standard mechanism or provide additional identity evidence. Authentication mechanisms escalate if one of two criteria is met:
- The user requests access to sensitive systems or information
- The user’s behavior is considered suspicious and a greater threat to the organization
For example, repeated login attempts or requests for edit access to classified data can escalate the authentication mechanism based on the resulting risk score. An organization may define the following policies:
- A user may not be prompted to authenticate at all if the request is from a known device, known address, known user, and at the right time.
- A user is prompted for basic credentials — such as a time-based one-time password (TOTP) — if the time of access is unusual, but it's still a known device and address.
- The user may be asked to use multifactor authentication (MFA) — e.g., both a TOTP and a password — if the risk score is even higher.
- The user may be denied access if the access request is considered high risk.
Summary of Risk-Based Authentication Best Practices
A risk-based authentication system benefits the organization and its users if implemented correctly. Consider the following best practices:
Perform a Risk Assessment
Determining whether a user is requesting a high-risk action requires an understanding of the relative risk that various actions pose to the organization and its users. You can perform a preliminary assessment that classifies various potential actions based on relative risk levels. You can then define appropriate authentication mechanisms for each. For example:
Consider a Range of Risk Indicators
You should identify risk indicators that capture the various ways in which a compromised user account may behave. For example:
- Unusual login time
- Unusual login location
- Login attempt from an unknown device or browser
- Several failed login attempts within a short time
However, it's important to note that common risk indicators don't work in every scenario. For example, if an organization has staff that travel to client locations and have a 24-hour on-call roster, unusual time or location indicators could generate numerous false alarms. You have to choose the ones most appropriate for your organization’s processes.
In addition to checking for unusual logins, you can verify that a device is up-to-date, securely configured, employer-managed, and running the corporate antivirus software. If a device fails these checks, there is a higher probability that the user is not authentic.
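As an added illustration (this is not code from the article), the following small Python policy engine turns the indicators listed above, including the device-posture checks, into the four policy tiers described earlier (no prompt, TOTP, MFA, deny). The indicator weights, score thresholds, working hours, on-call exception for the 24-hour roster case, and all sample values are assumptions for demonstration.

```python
from dataclasses import dataclass

@dataclass
class LoginContext:
    device_id: str
    ip: str
    hour: int                    # local hour of the attempt, 0-23
    failed_attempts: int = 0     # recent failed attempts for this account
    device_managed: bool = True  # employer-managed and securely configured
    antivirus_running: bool = True

@dataclass
class UserProfile:
    known_devices: frozenset
    known_ips: frozenset
    usual_hours: range = range(7, 20)  # assumed normal working hours
    on_call: bool = False              # 24-hour roster: time is not a signal

# Assumed weights per indicator; tune against your own false-positive rate
WEIGHTS = {"unknown_device": 40, "unknown_address": 30, "unusual_time": 15,
           "repeated_failures": 20, "unmanaged_device": 25, "no_antivirus": 20}

def risk_indicators(ctx: LoginContext, profile: UserProfile) -> list:
    """Return the names of the indicators that fire for this attempt."""
    checks = [
        ("unknown_device", ctx.device_id not in profile.known_devices),
        ("unknown_address", ctx.ip not in profile.known_ips),
        ("unusual_time", ctx.hour not in profile.usual_hours and not profile.on_call),
        ("repeated_failures", ctx.failed_attempts >= 3),
        ("unmanaged_device", not ctx.device_managed),
        ("no_antivirus", not ctx.antivirus_running),
    ]
    return [name for name, fired in checks if fired]

def risk_score(ctx: LoginContext, profile: UserProfile) -> int:
    return sum(WEIGHTS[name] for name in risk_indicators(ctx, profile))

def decide(ctx: LoginContext, profile: UserProfile) -> str:
    """Map the score to the four policy tiers (thresholds are assumed)."""
    score = risk_score(ctx, profile)
    if score == 0:
        return "allow"   # known device, address, user and time: no prompt
    if score < 30:
        return "totp"    # e.g. unusual time on a known device and address
    if score < 80:
        return "mfa"     # password plus TOTP
    return "deny"        # high risk: refuse and hand off to security tooling
```

Setting `on_call=True` on a profile shows how a single indicator can be disabled for the staff groups where it would only generate noise.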
Select Strong Authentication Mechanisms
When developing a risk-based authentication system, an organization should consider the strengths and weaknesses of various types. Keep the following factors in mind.
Factor Strength
Passwords can provide weak authentication due to the risk of weak, reused, and breached passwords. Similarly, SMS-based one-time passwords (OTPs) are a form of multifactor authentication (MFA) that has been considered insecure since an incident in 2017 when O2 Telefonica fell victim to an attack resulting in many bank accounts being emptied by fraudsters who hacked O2’s cell phone signaling system. Instead, organizations should consider more robust alternatives, such as:
- Biometric authentication
- Passkey authentication
- OTPs generated by authenticator apps
- Physical security tokens
Often, these strong factors incorporate multiple forms of authentication. For example, passkeys, OTPs, and tokens are often protected by biometric authentication on mobile devices or hardware fobs.
Probability of Loss
“Something you have” factors such as authenticator apps and physical security tokens offer stronger security than “something you know” factors, such as passwords or PINs. However, physical factors such as an RSA SecurID device can be lost or stolen.
Replaceability
If a password is exposed in a data breach, it’s possible to change the password and lock an attacker out of the compromised account. However, other authentication factors – such as biometrics – can’t be so easily changed if the data used for authentication is leaked.
When weighing the pros and cons of various authentication factors, it’s best to focus on the most likely threats an organization and its users face. Passwords may be more easily replaceable, but they offer weak security and a high risk of breach. On the other hand, biometrics and physical security tokens may not be replaceable if breached, but they offer much stronger authentication under normal circumstances. The risk of a physical token being stolen or of someone’s fingerprints being copied is much lower.
Support with the Principle of Least Privilege
Strong risk-based authentication is the first step towards effective access management. After verifying a user’s identity, you also have to tailor their access. A least-privilege access control policy is the cornerstone of zero-trust security.
With least privilege access you:
- Only grant users the permissions and access to the resources they need for their role
- Evaluate access requests on a case-by-case basis
Least privilege and risk-based authentication are complementary solutions. Risk-based authentication ensures that the company knows who a user is while maximizing user convenience where sensible, and least privilege access limits the potential damage an authenticated user can cause to the organization.
Integrate with Security Architecture
Once you identify potentially compromised accounts, you may have to take additional steps to remediate the potential risk to the company. You can integrate risk-based authentication systems with your organization’s security architecture to implement threat management and response.
Monitor and Test
You must refine your risk-based authentication system as business and security needs evolve. For example, an organization may:
- Identify and fine-tune scoring factors that routinely generate false positives
- Update the risk-based authentication parameters after an application update introduces new functionality
- Include new IT assets under the existing authentication system
Your risk-based authentication system should undergo regular monitoring and testing to ensure that it is accurately identifying high-risk situations. You should also test integrations between the authentication system and the security architecture to validate that identified risks are appropriately managed.
Conclusion
Risk-based authentication is a valuable component of a zero-trust authentication system. It provides a solution to the common challenges between authentication usability and security. Under normal circumstances, users undergo a simpler authentication process. But when the user or the requested action poses a greater risk to the company, the user requires enhanced authentication.
When designing and implementing a risk-based authentication system, following certain best practices – such as comprehensive risk assessments and strong authentication factors – improves security without compromising the user experience.