Risk-based authentication

Information Security magazine

The concept of risk-based authentication is becoming popular for some online business-to-consumer transactions, particularly those conducted with banks and other financial services firms. It involves two key ideas: device profiling and behavioral analytics.

Suppose a bank uses risk-based authentication. First, it builds a basic profile of the computer the customer normally uses for online banking. (A web server cannot see a remote machine's MAC address, which never leaves the local network segment; in practice the profile is assembled from what the server can observe, such as HTTP headers, the IP address and its geolocation, a persistent cookie, and browser-reported properties like time zone and screen size.) The bank also learns the customer's normal pattern of behavior, such as when he typically logs on and the types and sizes of transactions he usually conducts. When a session deviates from that baseline, perhaps a logon from a different machine in a different country or an attempt to transfer an unusually large sum, it receives a higher risk score, and a score above the bank's threshold triggers a demand for an additional form of authentication: answering a challenge-response question, say, or confirming the transaction with the customer by phone.

In short, it is step-up authentication driven by a score: the second factor is demanded only when the session looks anomalous, so the majority of logons stay as convenient as a plain password. That said, the approach has pitfalls. Spouses often share an account from different computers, and travelers occasionally log on from unexpected locations, so a profile that is tuned too tightly produces false positives and challenges legitimate customers. Conversely, because the device profile is built from attributes the client itself sends, an attacker who controls the customer's own machine, or who replays its headers and cookie, presents a familiar profile and is not caught by the device check alone; the behavioral checks (unusual hour, unusual amount) are what remain.
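The mechanism described above, as an added worked example that is not part of the article and not any bank's real system: a toy scorer that fingerprints the device from server-visible attributes, compares the attempt against a stored behavioral profile, and maps the resulting score to the step-up the session must pass. The customer profile, the four sample attempts, the weights and the thresholds are all constructed assumptions.

```python
# Added example (not from the article): a toy risk-based authentication
# scorer. Profiles, attempts, weights and thresholds are constructed for
# illustration and are not taken from any real product.
from __future__ import annotations
from dataclasses import dataclass, field
from statistics import mean, pstdev
import hashlib


@dataclass
class Profile:
    """What the bank has learned about one customer's normal behaviour."""
    known_devices: set[str] = field(default_factory=set)      # confirmed fingerprints
    usual_countries: set[str] = field(default_factory=set)
    login_hours: list[int] = field(default_factory=list)       # hours (0-23) of past logins
    transfer_history: list[float] = field(default_factory=list)


@dataclass
class Attempt:
    """One logon or transaction as seen by the web tier."""
    user_agent: str
    accept_language: str
    screen: str            # e.g. "1280x1024", reported by client-side script
    timezone: str          # e.g. "America/Chicago", reported by client-side script
    country: str           # from IP geolocation
    hour: int              # local hour of the request, 0-23
    transfer_amount: float = 0.0


def device_fingerprint(a: Attempt) -> str:
    """Hash only attributes a remote server can actually observe. A web server
    never sees the client's MAC address, so headers and browser-reported
    properties stand in for the 'machine profile'."""
    raw = "|".join([a.user_agent, a.accept_language, a.screen, a.timezone])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def hour_distance(h1: int, h2: int) -> int:
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def risk_score(profile: Profile, a: Attempt) -> tuple[int, list[str]]:
    """Return (score, reasons). The weights are illustrative assumptions."""
    score, reasons = 0, []
    if device_fingerprint(a) not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if a.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    if profile.login_hours and min(hour_distance(a.hour, h) for h in profile.login_hours) > 2:
        score += 20
        reasons.append("unusual hour")
    if a.transfer_amount > 0 and profile.transfer_history:
        hist = profile.transfer_history
        limit = max(mean(hist) + 3 * pstdev(hist), max(hist))   # 3-sigma or past maximum
        if a.transfer_amount > limit:
            score += 40
            reasons.append("unusually large transfer")
    return score, reasons


def required_step(score: int) -> str:
    """Map the score to the extra authentication the session must pass."""
    if score < 30:
        return "password"            # normal behaviour: no step-up
    if score < 60:
        return "challenge-question"  # one deviation: cheap step-up
    return "phone-callback"          # several deviations: out-of-band check


def enroll_device(profile: Profile, a: Attempt) -> None:
    """After the customer passes the step-up, trust this device from now on.
    This is how a spouse's computer stops triggering challenges."""
    profile.known_devices.add(device_fingerprint(a))


# --- constructed sample data (assumptions, not real customer records) ---
home = Attempt("Mozilla/5.0 (Windows NT 5.1) Firefox/1.5", "en-US", "1280x1024",
               "America/Chicago", "US", 20)
spouse = Attempt("Mozilla/5.0 (Macintosh) Safari/419", "en-US", "1440x900",
                 "America/Chicago", "US", 21)
traveler = Attempt(home.user_agent, home.accept_language, home.screen, home.timezone, "FR", 3)
attacker = Attempt("Mozilla/4.0 (compatible; MSIE 6.0)", "ru-RU", "1024x768",
                   "Europe/Moscow", "RU", 3, transfer_amount=9500.0)
CUSTOMER = Profile(known_devices={device_fingerprint(home)}, usual_countries={"US"},
                   login_hours=[8, 9, 19, 20, 21],
                   transfer_history=[120.0, 250.0, 80.0, 300.0, 150.0])


def assess(a: Attempt, profile: Profile = CUSTOMER) -> tuple[int, str, list[str]]:
    """Score an attempt against a profile and name the required step-up."""
    score, reasons = risk_score(profile, a)
    return score, required_step(score), reasons


if __name__ == "__main__":
    for name, att in [("home", home), ("spouse", spouse), ("traveler", traveler), ("attacker", attacker)]:
        print(name, assess(att))
    enroll_device(CUSTOMER, spouse)          # spouse answered the challenge question
    print("spouse after enrollment", assess(spouse))
```

Two details matter in practice. The spouse and the traveler each trip a single check and are asked only a challenge question, while the attacker trips all four and is pushed to a phone callback; that graded response is the whole point of scoring rather than a single yes/no rule. Note also that the browser-reported time zone is part of the fingerprint, so a real traveler whose laptop clock follows the local zone may look like a new device as well as a new country, which is exactly the false-positive pressure the article warns about.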

This was first published in August 2006