The concept of risk-based authentication is becoming popular for some online business-to-consumer transactions, particularly those conducted with banks and other financial services firms. It involves two key ideas: device profiling and behavioral analytics.
Let's assume that a bank is utilizing risk-based authentication. First, it gathers a basic profile of the computer the customer typically uses to do online banking, learning things like the machine's MAC address and settings. The bank also begins to understand a customer's normal pattern of behavior, such as when he might typically log on or the types of transactions he usually conducts. Should a customer deviate from normal behavior -- perhaps by logging on from a different machine in a different country or attempting to transfer an unusually large sum of money -- the session would get a higher risk score, which could trigger the need for an additional form of authentication. This might mean the customer has to answer a challenge-response question or that the bank will want to authenticate the user by phone.
In short, it is simply sequential, or matrix-based, authentication. That said, risk-based authentication can face pitfalls, such as the fact that spouses often access shared accounts on different computers and travelers occasionally log on from unexpected locations.
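The scoring flow described above, as an added example that is not part of the original article: each deviation from the customer's baseline adds to a risk score, and the score selects the additional authentication step. The weights, thresholds, device identifiers and function names are illustrative assumptions. Enrolling a session after a successful step-up is one way to absorb the shared-account and travel cases.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Illustrative weights and thresholds (assumptions, not values from the article).
WEIGHTS = {"new_device": 40, "new_country": 30, "odd_hour": 10, "large_transfer": 30}
CHALLENGE_AT, PHONE_AT = 30, 70


@dataclass
class Profile:
    """Per-account baseline learned from past sessions."""
    devices: set = field(default_factory=set)      # a set, so shared accounts can hold several
    countries: set = field(default_factory=set)
    login_hours: set = field(default_factory=set)  # hours of day (0-23) seen before
    transfers: list = field(default_factory=list)  # past transfer amounts


def risk_score(p, device, country, hour, amount=0.0):
    """Return (score, reasons): one weighted reason per deviation from the baseline."""
    reasons = []
    if device not in p.devices:
        reasons.append("new_device")
    if country not in p.countries:
        reasons.append("new_country")
    if hour not in p.login_hours:
        reasons.append("odd_hour")
    # "Unusually large" here means more than 3 standard deviations above the mean.
    if len(p.transfers) >= 3 and amount > mean(p.transfers) + 3 * pstdev(p.transfers):
        reasons.append("large_transfer")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a risk score to the additional authentication the session needs."""
    if score >= PHONE_AT:
        return "phone_verification"
    if score >= CHALLENGE_AT:
        return "challenge_question"
    return "allow"


def enroll(p, device, country, hour):
    """After a successful step-up, fold the session into the baseline."""
    p.devices.add(device)
    p.countries.add(country)
    p.login_hours.add(hour)


def sample_profile():
    """Constructed sample account, not real customer data."""
    return Profile({"laptop-A"}, {"US"}, {18, 19, 20, 21}, [120.0, 80.0, 200.0, 150.0])
```

With the sample profile, a spouse's first login from a second laptop scores 40 and gets a challenge question. Once `enroll` has run, that laptop scores 0 on later sessions.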