Risk-based authentication vs. static authentication

Ask the Expert

Risk-based authentication vs. static authentication

What is risk-based authentication and how does it differ from "regular" authentication methods?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

If by "regular" authentication, you mean static methods, like user IDs and passwords, then it mostly differs from risk-based authentication in its implementation.

Risk-based authentication means using different authentication based on a risk analysis of a system, rather than simply slapping a user ID and password on all your systems, no matter where they're located or how they're used. The higher the risk, the stronger the authentication should be. When performing a risk assessment of a network or system, consider the following questions:

  • Who has access to the system? Is it a small, restricted group of employees in one department, or thousands of customers around the country? The larger the circle of users, the greater is the risk.
  • What type of data does it hold? If it has sensitive customer information – names, addresses, social security numbers and the like – increase the security level. If it's marketing data that can't be traced back to your customers or employees, lower the security level a bit.

  • Where are the servers hosting data located in your network? Are they publicly accessible Web or application servers sitting in your firewall's DMZ, or are they buried deep inside your network in a dark corner of your data center where cobwebs dangle from the ceiling?

  • Is the application Web-based and what does it do? If it's a catalog with a shopping cart, or a banking application, increase the security level. If it's a picture of your product, or "brochureware," you can lower the security level.
Once the level of risk is established, you can decide what authentication method is suitable and how to deploy it.

For higher risk applications – those with customer data access, Web applications for financial institutions – then a two-factor authentication method may be in order. For other systems in your network, where the risk is lower, the venerable user ID and password might be just enough.


  • Learn how to define risk and conduct a risk analysis in this risk management technical guide.
  • Explore the myriad authentication options.
  • This was first published in July 2006