Risk-Based Authentication Part I

2 Mins read

One of the most important security domains is Access Management. There have been continuous innovations in the field of access authentication: login ID, password, secure token, personal identification number (PIN), one- time password token (OTP token) or a smartphone with an OTP app, biometric, etc.

As businesses move to cloud, increase use of BYOD, and continue to onboard more mobile and remote employees, third-party contractors, business partners, and external users, the number of users needing access to information assets has grown exponentially. This also exposes the organization to more risks and expanded attack surface and creates new attack vectors for introducers and cybercriminals with the addition of new vulnerabilities.

The more and more organizations continue to consider risk-based authentication an adaptive methodology compare to static traditional multi-factor authentication methods.

This article is more useful for auditors, risk management professionals, information security managers and staff, operations personnel, chief auditors, business managers, and legal counsel.

Basis of Risk-Based Authentication

The idea of risk-based authentication involves comparing the risk score of a user with the risk score of an asset. If the user’s risk score exceeds the system risk threshold that the user is trying to access, then the user is provided with authentication options appropriate to the level of risk. This could result in a request to submit additional verification such as an SMS code, additional challenge questions or biometric. If the user risk score is too high and asset contains highly confidential information, then access request may be rejected outright.

User Risk Score

The risk score determines the validity of the login access request and decides whether it’s legitimate or fraudulent. The risk levels are established based on login device, user identity, typical login time, IP address, geographic location, usage profile, or other personal factors associated with the job such as job level, role, etc. The administrator could determine the static risk level for a user based on the above factors and make use of adaptive authentication whereby the system learns the typical activities of the user based on the behavior. The combination of the two could be used to set user risk level.

Systems Risk Score

The risk thresholds for individual systems are established by considering various factors including data classification parameters, the sensitivity of the information stored, the likely impact of breach on information system confidentiality, integrity, and availability, etc. The system’s housing confidential financial information or intellectual property data, for example, will have a low-risk threshold.

Comparing User Risk Profile with System Threshold

User with a high-risk score will not be able to access systems with low-risk threshold or user will be presented with the additional authentication challenges to access the system. The established risk threshold stops the user with high risk from accessing systems that could cause more damage to the organization. 

The diagram below is useful in understanding the logic.

Risk-based Authentication – Part I

User Risk Profile System Threshold Pass/Fail

Medium Pass

Medium Pass

Low Fail

Related posts

Everything You Need to Know About DoD CMMC – CMMC Introduction

2 Mins read
In March 2020, Visser Precision Manufacturing confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft…

General Data Protection Regulation GDPR Part II

3 Mins read
The article below is important for every small business including the Sales and Marketing team who generate leads and close the deals….

How Do I Leverage My GDPR Preparation for CCPA? Part III

4 Mins read
The GDPR team has new challenges with the California Consumer Privacy Act (CCPA) compliance and many more to come from other states….

Leave a Reply

Your email address will not be published. Required fields are marked *